]
01-12-2011, 02:38 AM
Weak passwords are a constant problem for websites and businesses trying to secure their data. There are thousands of hackers all over the world trying to break into systems at all hours of the day using password cracker software.
Since disconnecting systems from the internet is not an option for most organizations, it is important to enforce strong password policies in order to keep hackers out. The reason for that is if users are given the opportunity, they will pick weak passwords. Fortunately, all modern operating systems today allow system administrators to enforce strong password policies.
Most Common Passwords
Many people are prone to using short and simple passwords that are easily guessed. Some of those most common passwords include:
* Blank password
* The word "password"
* The user's username or login name
* Names of spouses, friends, or pets
* License plate numbers
* Swear words
Hackers use password hacking programs that attack most of the above passwords as well as many other simple variations of the above. Hackers targeting a specific person such as a politician or celebrity can perform searches on the internet to get personal information. Even a myspace page that contains the name of a pet could allow a hacker to break into a user's account.
Self-Service Password Reset Vulnerability
Educated guesses are very effective when it comes to systems with self service password reset policies that ask personal questions. In 2008, Sarah Palin's yahoo mail account was hacked by someone researching Sarah Palin's personal life to answer the password reset questions.
Phishing Schemes and Keyloggers
The easiest way to get passwords is to have trojan horses install programs on a user's PC to record keystrokes via a keylogger program. Another way is for a hacker to set up a website that looks exactly like the real website and trick users into giving away their username and password via a link given in email to the fake website. It's important for users to be suspicious of all email purporting themselves to come from their bank, school, social networking websites, etc.
Password Strength
The following character classes are used to define the strength of a password.
* Upper case letters (26 characters)
* Lower case letters (26 characters)
* Punctuation (approximately 33 characters)
* Numbers (10 characters)
The amount of time and computing effort required to break a password increases significantly if a random character is picked from each character class. In a recent phishing scheme for myspace passwords, only 8% of passwords had all four character classes.
Best Practices for Password Security
Only a few important steps are needed for users to protect their passwords and online security.
The first thing to do is to pick a strong password utilizing all characters classes to maximize the strength of a password. The password needs to be at least eight characters but more is better. Make it easy to memorize by using a mnemonic device. For example:
Mdslwys90! (My dad is always right = right angle 90!)
Secondly, make sure all antivirus software, phishing filter software, and anti-malware software is installed. There is free antivirus software out there that is quite good and comparable to paid commerical antivirus software.
Finally, be suspicious of all emails even if they appear to be authentic. Except for an occasional slip in English grammar, it's usually impossible to detect an email that is actually part of a phishing scheme. The graphics and logo in the email as well as the fake website are usually identical to the real website. The best practice is to always use the browser bookmark to go to the website instead of using a link in an email.
From XtremeRoot.com/ofsec/
Since disconnecting systems from the internet is not an option for most organizations, it is important to enforce strong password policies in order to keep hackers out. The reason for that is if users are given the opportunity, they will pick weak passwords. Fortunately, all modern operating systems today allow system administrators to enforce strong password policies.
Most Common Passwords
Many people are prone to using short and simple passwords that are easily guessed. Some of those most common passwords include:
* Blank password
* The word "password"
* The user's username or login name
* Names of spouses, friends, or pets
* License plate numbers
* Swear words
Hackers use password hacking programs that attack most of the above passwords as well as many other simple variations of the above. Hackers targeting a specific person such as a politician or celebrity can perform searches on the internet to get personal information. Even a myspace page that contains the name of a pet could allow a hacker to break into a user's account.
Self-Service Password Reset Vulnerability
Educated guesses are very effective when it comes to systems with self service password reset policies that ask personal questions. In 2008, Sarah Palin's yahoo mail account was hacked by someone researching Sarah Palin's personal life to answer the password reset questions.
Phishing Schemes and Keyloggers
The easiest way to get passwords is to have trojan horses install programs on a user's PC to record keystrokes via a keylogger program. Another way is for a hacker to set up a website that looks exactly like the real website and trick users into giving away their username and password via a link given in email to the fake website. It's important for users to be suspicious of all email purporting themselves to come from their bank, school, social networking websites, etc.
Password Strength
The following character classes are used to define the strength of a password.
* Upper case letters (26 characters)
* Lower case letters (26 characters)
* Punctuation (approximately 33 characters)
* Numbers (10 characters)
The amount of time and computing effort required to break a password increases significantly if a random character is picked from each character class. In a recent phishing scheme for myspace passwords, only 8% of passwords had all four character classes.
Best Practices for Password Security
Only a few important steps are needed for users to protect their passwords and online security.
The first thing to do is to pick a strong password utilizing all characters classes to maximize the strength of a password. The password needs to be at least eight characters but more is better. Make it easy to memorize by using a mnemonic device. For example:
Mdslwys90! (My dad is always right = right angle 90!)
Secondly, make sure all antivirus software, phishing filter software, and anti-malware software is installed. There is free antivirus software out there that is quite good and comparable to paid commerical antivirus software.
Finally, be suspicious of all emails even if they appear to be authentic. Except for an occasional slip in English grammar, it's usually impossible to detect an email that is actually part of a phishing scheme. The graphics and logo in the email as well as the fake website are usually identical to the real website. The best practice is to always use the browser bookmark to go to the website instead of using a link in an email.
From XtremeRoot.com/ofsec/
