Password Selection
By: Netcrash
When I audit the security of a network, one of the first things that I do is look at the password selection policy. Most good administrators have laid down strict guidelines on the selection of passwords. Passwords are the forefront of network security. Why bother putting a $50,000 firewall in place if the password could be cracked in minutes by a 12-year-old? We must take steps to improve network security. A good way to do this is to select better passwords.
Primary criteria for a good password are:
It must be at least 6 characters long, preferably 8.
It must contain mixed case, numeric, and symbolic characters.
Privileged passwords should also include at least one non-printable ASCII character. This is recommended for administrators.
Passwords should be selected that are not easily linkable to the user. Example: user MaryAnn has her password set to MARY123.
Passwords should be short enough that the common user is not required to write them down. Believe you me folks, written-down passwords have been the downfall of many systems.
Analysis on password selection:
Good passwords are a start, but they are not completely foolproof. A good hacker can still find ways to bypass passwords. The company must put into place a policy that prevents "social engineering" of passwords. I have heard stories of hackers calling into a company and posing as the administrator to gain privileged passwords. Ideas for company-wide policy include:
Users should not be permitted to write down their passwords anywhere. There should be no hard copies of password and username listings posted ANYWHERE. This is just asking for trouble.
Passwords should not be recycled from one user to another. This means that once a password has been used, it should not be used again for several years. Some companies simply rotate their users through a static list of passwords. All a hacker would have to do is acquire this listing and use it to brute force the password of a privileged user.
Users should be instructed to NEVER, under any circumstances, give their passwords out to anyone over the phone, email or chat. If it should become necessary to communicate this information, the compromised passwords should be changed as soon as possible.
Upon the suspicion of passwords being compromised, the entire collection of company passwords should be changed. This would limit the time that a hacker would have to implement a backdoor into the system. The system should also be checked for these backdoor programs.
Go to a hacker site and download a password list, run your company passwords against it, and disallow the use of any password found on the list.
Remember that an ounce of prevention is worth a pound of cure. The few minutes spent enforcing good passwords will save you possibly hundreds of hours repairing damage caused by a malicious hacker.
This listing was taken from a popular hacker document on how to brute force a password. Take heed of it and do not allow passwords like these on your system!!!
1) Relating to the person's real name, in some form or another
Real Name: John Doe
Possible PW: doe, johndoe, jdoe, jd, johnd, john doe, doejohn
2) Relating to the person's handle, in some form or another
Handle: Victim
Possible PW: victim, vic, vict, etc.
3) A combination of the person's real name and handle, in some form or another
Real Name: John Doe
Handle: Victim
Possible PW: johndoevictim, jdvictim, jdv, johnvictimdoe
4) A combination of the person's real name and handle, along with a friend's real name, and maybe handle.
Real Name: John Doe
Handle: Victim
Friend's Real Name: Harry Hailey
Friend's Handle: Fuckup
Possible PW: johndoevictimharryhaileyfucup, jdvhhf, jdvhhfup
5) A person that the victim is interested in, e.g. a boy/girlfriend, someone he/she has an eye for, etc.
Real Name: John Doe
Mate Hopeful: Janet Dove
Possible PW: janet, johndoeandjanetdove, j&j, etc.
6) Some combination of the person's phone number.
Real Name: John Doe
Phone Number: 212-555-9099
Possible PW: 9099, 2125559099, 5559099, 212, etc.
7) Name of BBS
Real Name: John Doe
BBS Name: Crappy BBS
Possible PW: crap, crappybbs, bbscrap, etc.
8) A combination of BBS name and user name, user data, etc.
Real Name: John Doe
BBS Name: Crappy BBS
Possible PW: crapjdoe, jdoecrap, johndoeatcrappybbs, jd@cbbs
9) Mother's maiden name
Real Name: John Doe
Mother's Maiden Name: Janet Ho
Possible PW: johndoejanetho, janetho, ho, etc.
10) Internet address
Real Name: John Doe
Internet Address: j.doe@crapbbs.com
Possible PW: j.doe@crapbbs.com, j.d@c.c, etc.
11) School name
Real Name: John Doe
School: Faggot High School
Possible PW: faggot, jdfaggot, jd@faggot, etc.
12) The name of someone they hate
Real Name: John Doe
Person Hated: Des Meanie
Possible PW: Des, Meanie, Desmeanie, etc.
13) A place where they live
Real Name: John Doe
Borough of Home: Brooklyn
Possible PW: Brooklyn, jd@brook, etc.
14) Combinations of the above
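As an added example (this code is not from the article or from the HIT guide it quotes), here is a Python policy checker that enforces the length and character-class criteria given above, rejects passwords built from a user's known data in the simpler forms of the listing (names, handles, word prefixes, initials, phone digit groups, e-mail address, home town), and screens against a banned-password list. The profile fields and the banned list are constructed assumptions standing in for a real directory and a downloaded list.

```python
import re

# Constructed stand-in for the downloaded banned-password list the article says to
# screen against (assumption: one lowercase entry per banned password).
BANNED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

def profile_fragments(profile):
    """Lowercase fragments an attacker would derive from a user's known data: whole
    values, single words, word prefixes, concatenations, initials, phone digit groups."""
    frags = set()
    for value in profile.values():
        v = value.lower()
        words = re.findall(r"[a-z0-9]+", v)
        frags.add(v)
        frags.update(words)
        frags.update(w[:n] for w in words for n in range(4, len(w) + 1))  # maryann -> mary
        frags.add("".join(words))                # "john doe" -> "johndoe"
        frags.add("".join(w[0] for w in words))  # "john doe" -> "jd"
        digits = re.sub(r"\D", "", v)
        if len(digits) >= 4:                     # 212-555-9099 -> 9099, 5559099, ...
            frags.update({digits, digits[-4:], digits[-7:]})
    return {f for f in frags if len(f) >= 3}     # 1- or 2-char fragments match anything

def check_password(password, profile, banned=BANNED_PASSWORDS):
    """Return the policy problems with `password` for the user in `profile` ([] = accepted)."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    elif len(password) < 8:
        problems.append("shorter than the recommended 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if all(c.isalnum() for c in password):
        problems.append("no symbol")
    low = password.lower()
    compact = re.sub(r"[^a-z0-9]", "", low)      # "j.d@c.c" -> "jdcc"
    for frag in sorted(profile_fragments(profile)):
        if frag in low or frag in compact:
            problems.append(f"linkable to user data: contains '{frag}'")
            break
    if low in banned or compact in banned:
        problems.append("appears on the banned-password list")
    return problems

if __name__ == "__main__":
    john = {"name": "John Doe", "handle": "Victim", "phone": "212-555-9099", "home": "Brooklyn"}
    for pw in ("jd@brook", "2125559099", "Qwerty", "v!Olet7pear"):
        print(pw, "->", check_password(pw, john) or "accepted")
```

The linkability check deliberately reports only the first matching fragment; a real deployment would hash-compare against a much larger banned list and log the category that failed rather than the fragment itself.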
In conclusion, although passwords are not even close to totally foolproof, they will keep the script kiddie hackers out and deter other hackers from attempting to crack your system. There are many ways other than brute forcing a password to compromise a system. Still, passwords are the forefront of security and they should be treated as such.
Reference(s):
For a listing of the ASCII table, visit www.delanet.com/~pparish/ascii.htm.
Selections included from: Vortex[HIT], HIT Inc. Guide to Password Cracking.