Weak Passwords

Posted by Martin in Hacking, The Web  Tags: , , , , ,

27

Mar


I came upon the article “How I would hack your weak passwords” yesterday and pondered if I should write an article about it. I decided that it would be worth it. The author of the article details how he would try and find out your passwords and get access to all of your accounts in the end. His first approach would be to use the most common used passwords by users on the net. He needs information about your personal life for some passwords but those information can be obtained pretty fast through social engineering. Trying those “top 10″ passwords would already cover a large percentage of online users, statistically speaking that is.

The common password approach is the one that could give him instant success if the user is really using one of those common passwords for his accounts. His next approach would be to brute force his way in by brute forcing the password on a website that has weak security. Those sites would not react if large amounts of password requests would come in in short time. Most sites however ban IPs at least temporary after several failed attempts, still no problem if you know how to use proxies to attack with different IPs.

But the brute force programs that he suggests are way outdated. Brutus ? wwwHack ? That’s last millennium. Current state of the art bruteforcers for basic authorization and form protected sites are C-Force or Sentry. The brute force approach has one disadvantage. If you do not know the username you have to try username and password combinations and there is no guarantee that you will discover the combination for the user that you want to hack. You could get login details for other users which are absolutely worthless to you. This means, bruteforcing is only an option if you know the username of the user.

There are actually two ways to bruteforce an account. The first would be to use pregenerated lists of usernames and passwords or try combinations to get into an account. The second to try every char combination possible. It should be noted that the second option could very well last several years or even centuries depending on the size of the selected password.

So, bruteforcing is not really an option and he is not explaining how he would get the username of the user in question except mentioning cookies. Cookies are stored on the targets machine which would mean that he needs either access to that machine or an exploit to get them while the user is online. Not very practicable.

So, what can users learn from his analysis ?

  • Don’t overuse passwords, it’s more secure to use different passwords. If you only use one password someone who finds this one out gets access to everything else that is protected by that single password
  • Don’t use passwords that are easy to guess or common. No names, no sport teams, relatives, pets, work related, hobbies , and so on
  • Use numbers and special chars if possible to increase the security of the password. Remember that size matters.
  • Write them down locally and put them in a safe or use a software that encrypts them. You could for instance use a True Crypt partition to store a textfile with your passwords in them
  • Every password could be important to gain additional information about a user, never choose weak ones
Like such posts? Get updates via RSS NEWS FEED. Love Ghacks? Find out how you can help!
   Bookmark on Delicious

11 Users Commented In This Post

Subscribe To This Post Comment Rss Or TrackBack URL
leny says, March 27th, 2007   

martin, buddy big fan of ur site…u wouldnt happen to know where i can download bruteforce program for OCR Would you ???

ilo says, March 27th, 2007   

If someone try to brake your password buy using
your informations in order to change the password
and email am shur that it will take alot of time
ti find out stuff like that and you have to be a VIP
to think that someone could do something like that you.

Raymond Koppen says, March 27th, 2007   

I have become a big fan of Roboform, an application that stores passwords for you, this way you only have to remember one skeleton key pass to get access to the other passwords. It can also be used to generate safe passwords for you so you can have a different password on each site. Of course the password database is carefully encrypted.

Ray

Why it’s a bad idea to use a weak password » The PC Doctor’s blog says, March 27th, 2007   

[...] other article is on gHacks .  This is in response to the first article and takes the idea of hacking passwords a [...]

John Pozadzides says, March 27th, 2007   

Great follow up to my original article, and I had hoped that others would detail the “flaws” in my methodology for the sake of illustrating that what I outlined is only the tip of the iceberg.

Of course, in the original document I had to consider my reader base (which is generally non-technical) and I needed to make a point quickly, succinctly and forcefully. My primary interest with the article was to make people like my friends, family and neighbors stop to think about it before they chose that next weak password. :-)

Take care,

John

Joose Haverinen says, March 28th, 2007   

Would be great if you could find and recommend an free password-software, that would automatically insert the passwords into correct web forms.

I personally use pretty secure passwords, but only few because it’s quite hard to remember which passwords are used where.

Raymond Koppen says, March 28th, 2007   

Joose : Try Roboform, it detects webpages and fills in the passwords and its free.

Raymond Koppen says, March 28th, 2007   

There is also http://portableapps.com/apps/utilities/keepass_portable

but I haven’t tried that out yet.

BTW Just to be clear I use the portable version of Roboform, which (can) run off a usb stick.

Ray

Jim Shepherd says, March 28th, 2007   

I use Password Safe: http://passwordsafe.sourceforge.net which was originally developed by Bruce Schneier, is now open source and as such, is free.

Avalanco says, September 6th, 2007   

Hi. Interesting article(s). Weak passwords has been an problem for a long period, unfortunately, it won’t change over an eye blink.

I was just wondering, these tools mentioned in this article (C-force, and Sentry), where could one be able to obtain these ?

Matthew Jacoby says, June 25th, 2008   

Weak passwords are a HUGE issue that, for some odd reason, hasn’t hit the IT Admin mainstream yet. I guess they don’t realize that those sophisticated (and EXPENSIVE) firewalls and intrusion detection systems are rendered practically useless if there is a single weak password on their networks.

The problem now is that companies are coming up with “Password Recommendations”, or policies they have no way to enforce. Instead of making “recommendations”, I don’t understand why companies don’t REQUIRE a strong password.

There is a software solutions out there called nFront Password Filter that does just that…it REQUIRES strong passwords on Windows domains. With the option to have multiple policies, different users can be assigned different requirements. Along with its built in dictionary scan and ease of installation, IT Admins can have their networks more secure than ever in a matter of minutes.

Now there’s no more excuses. nFront Password Filter takes care of all the hard work required to secure your networks.

Leave Your Comments Below
Hello, please leave your thought below

Please Note: Each comment will be manually approved by an admin. There is no guarantee that a comment will be posted. Please do not submit the comment multiple times.