• stevecody (unregistered) in reply to gblues

    Yeah, and if it's too hard to remember, it's probably going to end up sticky-noted on the side of the monitor.

    CAPTCHA: odio - they forgot the 'us' on the end

  • Jb (unregistered) in reply to gblues
    gregmac:
    That's why it is important to enforce the policy on the server. Of course the BOFH policy here is to do something insane, like require 10 characters, at least 1 lower case, 1 upper case, 2 digits, and 2 special characters, maximum age of 30 days, and your passwords can't contain the same 4-character sequence as anything in your last 500 passwords.

    so maybe you don't need to be beaten with large blunt objects but I wouldn't exactly call you a security expert either. Just consider the most effective attack ever: social engineering. Security CANNOT be removed from an understanding of how people behave!

    This type of policy has proved time and again to produce passwords written down at PCs which is no security at all. No one will ever remember such a password. A better solution is to focus on user education so that genuinely secure passwords can be used regardless of these arbitrary constraints.

  • Eythian (unregistered) in reply to Jb
    Jb:
    This type of policy has proved time and again to produce passwords written down at PCs which is no security at all. No one will ever remember such a password. A better solution is to focus on user education so that genuinely secure passwords can be used regardless of these arbitrary constraints.
    On the other hand, a written down password that is secure is still secure against remote access attempts. Tell them to write it down and keep it in their wallet, and to throw it away when they don't need it any more. That way a reasonable security level is reached. Personally, I write new ones on the back of my hand, and by the time it's all washed off, a day or so later, I've memorised it.
  • Grassfire (unregistered) in reply to alegr

    What I hate is when you get used to dialing the phone through the computer, then go to a real phone and try and dial the same number subconsciously.

  • Grassfire (unregistered)

    My favourite technique for long passwords is to pick a couple of easy to remember bits of information, e.g., a phone number and a name (8 digits). Then put them together alternating, e.g.:

    97851234 (phone number not a real number, I hope) lillian# (name with a special character added to make the length)

    Then combine them alternating, so: 9 7 8 5 1 2 3 4 l i l l i a n #

    So the password becomes: 9l7i8l5l1i2a3n4#

    But it's still easy to remember because the two parts are easy to recall.

  • (cs) in reply to gregmac
    gregmac:
    Of course the BOFH policy here is to do something insane, like require 10 characters, at least 1 lower case, 1 upper case, 2 digits, and 2 special characters, maximum age of 30 days, and your passwords can't contain the same 4-character sequence as anything in your last 500 passwords.

    Ha. Pretty close to one place I worked at a few years back. They did min length of 8 and "only" remembered the last 15-20 passwords... But other than that, spot on. Thankfully I only worked there for a little over a month while the normal guy was on leave (wasn't his policy either, it was a head office one).

  • (cs) in reply to 008
    008:
    ATTENTION:

    The new global account password for WTF is: tnemmoc.

    I thought it was: ftwaton.

  • Mnemonic (unregistered)

    How come dictionary attacks are possible over the internet?

    I would think the most basic security measure is to block the IP for some time after several authentications failures.

  • Weyland (unregistered)

    The only real useful password strength is length, as with all keys.

    Since a lot of years back I always pick my passwords to be a complete sentence, for example:

    "I will bring this shit to the end!"

    1. It's very strong
    2. It's extremely easy to remember
    3. It's extremely fast to type (if you touch-type anyway)
    4. Faster typing means less chance of a successful shoulder-keyboard attack
    5. Type in your native language to make it even stronger, using words with non-English characters where you can. Most rainbow tables don't account for that, and if they do, they're usually limited in length
  • Tomen (unregistered) in reply to Mnemonic

    Well, that opens the door for a DoS attack on the service and isn't very effective since IP-spoofing isn't that hard.

  • Drak (unregistered)

    It might not be that hard to spoof but I'm guessing you'll get most of the script kiddies in that way. And why check by IP? Just record the username, and let them wait 1 second longer every time they try that username...

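The per-username delay Drak proposes, with the cap and quiet-period reset that keep it from becoming the lockout DoS Tomen warns about. This is an added example, not code from the thread or from the site; the step, cap and reset values are constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed example: every failed login for a username adds one second
# to that username's next attempt, regardless of the client's IP address.
# Two guards keep it usable: a cap on the delay (so flooding one account
# with bad passwords cannot lock its owner out indefinitely) and a reset
# after a quiet period (so a user who mistyped once is not throttled forever).

class UsernameThrottle:
    def __init__(self, step=1.0, max_delay=30.0, reset_after=900.0,
                 clock=time.monotonic):
        self.step = step                # seconds added per failure
        self.max_delay = max_delay      # hard ceiling on the delay
        self.reset_after = reset_after  # forget failures after this quiet time
        self.clock = clock              # injectable for testing
        self._failures = defaultdict(int)
        self._last_failure = {}

    def _expire(self, user, now):
        last = self._last_failure.get(user)
        if last is not None and now - last > self.reset_after:
            self._failures.pop(user, None)
            self._last_failure.pop(user, None)

    def delay_for(self, user):
        """Seconds the server should wait before answering this username's next attempt."""
        now = self.clock()
        self._expire(user, now)
        return min(self._failures.get(user, 0) * self.step, self.max_delay)

    def record_failure(self, user):
        now = self.clock()
        self._expire(user, now)
        self._failures[user] += 1
        self._last_failure[user] = now

    def record_success(self, user):
        """A correct password clears the counter for that username."""
        self._failures.pop(user, None)
        self._last_failure.pop(user, None)
```

The server applies delay_for() before returning the failure response, so the delay is the same whether the password was wrong or the user does not exist.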
  • jo (unregistered)

    Trying to understand the technology used here.

    • Mail is outsourced to a hosting company. Mailboxes reside on an internet-facing server.
    • One mailbox per user.
    • Strong (and supposedly uncracked) admin password that allows shell access.
    • "emails were being sent from virtually every account on the server"

    Alright. First one to answer the following question gets a cookie: How did the cracker manage to obtain the usernames?

  • PACE (unregistered)

    Weyland is right. It just makes no sense to enforce some monstrosity like "ufAg4*v+ZkLm#98<8" on your users. Not even I'd like to remember and correctly type in such a freakword.

    Passphrases are the way to go. For example, take an easy sentence "I was blind, then went on." and make it "I was blind579, thenwent ON!". There. Easy to remember, even with the obfuscation in place and not an ounce less secure than the crap above. Whole sentences can also be immune to dictionary attacks because they don't have to make sense, can contain made up words and also special chars, plus they are long enough to make brute force tiring.

    "Want back: my 50 Mobogos!" - hard to forget but hard to crack.

    Benjamin

  • mpd (unregistered) in reply to jo

    The same way he got the password(s), obviously.

  • Owen (unregistered) in reply to Weyland
    Weyland:
    The only real useful password strength is length, as with all keys.

    Since a lot of years back I always pick my passwords to be a complete sentence, for example:

    "I will bring this shit to the end!"

    1. It's very strong
    2. It's extremely easy to remember
    3. It's extremely fast to type (if you touch-type anyway)
    4. Faster typing means less chance of a successful shoulder-keyboard attack
    5. Type in your native language to make it even stronger, using words with non-English characters where you can. Most rainbow tables don't account for that, and if they do, they're usually limited in length
  • JohnFx (unregistered)

    The Real WTF is that "Pallindrome" isn't one.

  • (cs) in reply to gregmac

    That is pretty much my company's password policy, except it is 12 characters. I had to change my password last week, a task which took me about an hour.

  • (cs) in reply to KattMan
    KattMan:
    regeya:
    This is why I have a random password generator. Takes snippets from /usr/share/dict, slaps 'em together, ends it with two digits. I'd do more, and make it a more difficult password, but people complain about this, and instead of them following company policy on passwords (not my policy, comes from way higher up) back when I let people pick their own, they picked things like their kids' names, their spouses' names, and unhackable words like 'dog.'

    Sometimes BOFH behavior is there to save people from themselves.

    You know even a spouse's name can be made somewhat more secure if people would only try a little harder. Let's use my login name for example: I want my password to be KattMan; I hax0r it into K477M4n, a mix of upper and lower, with numbers and letters. I know it isn't really strong but it isn't real easy either. Most basic users can remember most of these.

    You know, if I were to write a brute-force dictionary password cracker, I'd build into it the ability to randomly substitute letters with numbers (say, an "A" with a "4", and an "I" or "L" with a "1"), and even make it tack on a few random digits at the end, something simple like "00" or "01".

    Having come up with that idea, and knowing I'm not a motivated malicious Kr4xx0r with aw4s0m m4d sKillz, I'm convinced that someone has already done this.

    -dZ.

  • Butthat (unregistered) in reply to savar
    savar:
    Nick:
    I apologize for my nitpickiness (since NONE of the commenters ever nitpick) but shouldn't that probably be "assured" instead of "ensured?"

    You are completely correct. Good catch.

    Actually, no. It should be buttured.

  • (cs) in reply to Grassfire
    Grassfire:
    My favourite technique for long passwords is to pick a couple of easy to remember bits of information, eg, phone number and a name (8 digits). Then put them together alternating
    Your favourite technique for long passwords is now published on the Internet, for anyone with the ability to Google your username to see. Good job.

    I would consider changing my method now, if I were you.

  • James (unregistered)

    So he writes good scripts, right? Set John the Ripper to run against each account for a preset time (go easy on 'em, maybe a minute or two) each time a password is changed, and if any of them get cracked, change it to something secure and mail the new password to their supervisor along with a nastygram about choosing good passwords.

    Solved!

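A set-time check in the spirit of what dZ describes and James proposes running whenever a password changes, written from the policy side: it undoes the leet swaps and trailing digits before comparing against a wordlist, so "K477M4n01" is judged as the word it came from. This is an added example, not code from the thread or the site; the wordlist, the substitution table and the expansion cap are constructed assumptions, and it generalises slightly by trying every reading of ambiguous digits such as 1 (i or l).

```python
import re

# Constructed stand-in for /usr/share/dict plus the names and login handles
# a dictionary attack would try first (assumption: a real deployment loads a
# large list and the organisation's own usernames).
WORDLIST = {"kattman", "lillian", "dog", "password", "regeya", "monkey"}

# Reverse l33t table. Some symbols read back as more than one letter, so a
# value may hold several candidates.
UNLEET = {"4": "a", "@": "a", "3": "e", "1": "il", "!": "i", "0": "o",
          "5": "s", "$": "s", "7": "t", "+": "t", "|": "il"}

MAX_READINGS = 4096  # each ambiguous symbol doubles the set; bound the work
TAIL = re.compile(r"[\d\W_]{0,3}$")  # up to three trailing digits/symbols

def _variants(word):
    """Every plain-letter reading of a leet-substituted word (lowercased)."""
    readings = {""}
    for ch in word.lower():
        choices = UNLEET.get(ch, ch)
        readings = {r + c for r in readings for c in choices}
        if len(readings) > MAX_READINGS:
            # A long run of ambiguous symbols is not a dictionary word anyway;
            # give up rather than let crafted input turn the check into a CPU sink.
            return set()
    return readings

def weak_password_reason(candidate, wordlist=WORDLIST, min_length=8):
    """Return why the password is weak, or None if it passes these checks."""
    if len(candidate) < min_length:
        return f"shorter than {min_length} characters"
    core = TAIL.sub("", candidate)          # drop "00"/"01"/"#"-style tails
    for reading in sorted(_variants(core)):
        if reading in wordlist:
            return f"derived from dictionary word or name '{reading}'"
    return None
```

A passphrase such as "Tbontb, titq." passes because it reads back to nothing in the list, which is the point the thread makes about phrases versus decorated words.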
  • Pope (unregistered) in reply to lantastik
    lantastik:
    I love mashed up song lyrics for passwords: i@M+th3_m4|\|-1n+t|-|E_|30x!

    Feel free to use that one.

    This made me laugh out loud. Thanks.

    $|-|0v3 m% n0$3 1n $H17!

    Catcha: jumentum. Sure did! j00?

  • Pope (unregistered) in reply to Pope
    Pope:
    lantastik:
    I love mashed up song lyrics for passwords: i@M+th3_m4|\|-1n+t|-|E_|30x!

    Feel free to use that one.

    [...] $|-|0v3 m% n0$3 1n $H17! [...]

    Whoops! I mean... B|_|r13d 1n m% $h17

    er.. whatever.

  • (cs) in reply to jo
    jo:
    Alright. First one to answer the following question gets a cookie: How did the cracker manage to obtain the usernames?

    Hmmm... The email passwords apparently also allow shell access, as far as I can make out (James "remoted in" and attempted to send email from the command line). So:

    • a cracker gets one email address (from the web, a discussion forum, post to a mailing list, whatever),
    • runs an online dictionary attack against the pop3 server,
    • gets the password, logs in,
    • cats /etc/passwd, and
    • runs the dictionary attack again over loopback.

    How's that?

    (PS: Is it bad that I automatically hit /-e-Tab to try to complete the "/etc/passwd" above?)

  • xous (unregistered)

    Is it just me or did the whole "Emails Per Hour Has Been Exceeded" seem like a cPanel failure? Then again the response that 'James' gave sounded like a level I tech at the host I work for.

  • Indima (unregistered)

    Soo, James obviously screwed up. Everyone knows you can't trust users to choose secure passwords. That is soo obvious it is seldom even taught in basic security classes. It seems that this bozo is so elevated from reality that he still refuses to accept that his sub-par script completely disrupted this company's business. So he writes to the Daily WTF, and immediately gets assurance from plenty of other f*ck ups that he is not a screw up...

  • tourette (unregistered)

    Best password/-phrase invention method so far: pick sequences out of a phrase. "To be or not to be, that is the question. " becomes "Tbontb, titq. " Easy to remember for most, very resilient, especially with some l&&+ mixed in.

  • pizzelus1 (unregistered) in reply to DZ-Jay
    DZ-Jay:
    KattMan:
    regeya:
    This is why I have a random password generator. Takes snippets from /usr/share/dict, slaps 'em together, ends it with two digits. I'd do more, and make it a more difficult password, but people complain about this, and instead of them following company policy on passwords (not my policy, comes from way higher up) back when I let people pick their own, they picked things like their kids' names, their spouses' names, and unhackable words like 'dog.'

    Sometimes BOFH behavior is there to save people from themselves.

    You know even a spouse's name can be made somewhat more secure if people would only try a little harder. Let's use my login name for example: I want my password to be KattMan; I hax0r it into K477M4n, a mix of upper and lower, with numbers and letters. I know it isn't really strong but it isn't real easy either. Most basic users can remember most of these.

    You know, if I were to write a brute-force dictionary password cracker, I'd build into it the ability to randomly substitute letters with numbers (say, an "A" with a "4", and an "I" or "L" with a "1"), and even make it tack on a few random digits at the end, something simple like "00" or "01".

    Having come up with that idea, and knowing I'm not a motivated malicious Kr4xx0r with aw4s0m m4d sKillz, I'm convinced that someone has already done this.

    -dZ.

  • A-Nona-Mouse (unregistered)

    I remember an engineer who used 20+ digit passwords. They were the solution to a mathematical equation. Each time he forgot the password, out came the pencil and paper and he would re-solve the equations...

    To the best of my knowledge he still does this today, and has never been hacked.

    tation ?!?!?
