Comments on: Passwords suck

By: 02Jeep

02Jeep — Fri, 14 Aug 2009 20:44:04 +0000

I have over 140 servers that I have to be able to log into at work. We use schemes to help us remember our passwords. Most of the people here use three letters a two digit number (or a number and a character) and then three more letters (mixing it up with upper and lower case letters). Every month when we have to change the passwords all you have to do is change the numbers or character in the middle. That way you aren’t coming up with a completely different password each time. For example if your password was “dog!1dog” the next month you could use “dog@2dog”. We can get away with this because of the security they have set up to block people from accessing our LAN in the first place.

For personal passwords I will come up with 3 or 4 and spread them out to all my sites I log into. Then when it’s time to change them I will rotate them. That gives me 3 or 4 months with the same set of passwords.

By: vainentree

vainentree — Sun, 05 Aug 2007 15:42:42 +0000

That’s actually an example for the port scanner. As for the brute force attack, you just have to hope that the server sees what’s going on and will stop the attack or report it.

-Vainentree
http://thenerdcan.wordpress.com/

By: vainentree

vainentree — Sun, 05 Aug 2007 02:49:44 +0000

Well, the victims didn’t necessarily do something stupid. If a hacker has discovered a whole in a piece of software (or someone has for him) then he might be able to exploit the software. This might be the user’s fault if they haven’t updated their software, but if no patch to an exploit has been created then the user can do nothing (except uninstalling the software).

Example:
A hacker has discovered an exploit on port 80 (HTTP) that allows him to send data to the port on a remote computer through the TCP/IP program of choice (such as netcat). In a simple buffer overflow attack (sending more data than the computer can handle). This could crash the system.

Cheers,

Ivan

By: Mr Angry

Mr Angry — Sun, 05 Aug 2007 00:32:24 +0000

dniinoi: thanks for the tip!

vainentree: good overview, I wish I knew how some of these actually succeeded (in specific terms) Like did the victims do something really dumb or was it almost impossible to defend against the attacks?

Chris: I’ve read quite a bit on Bruce Schneier’s site about how easy it is to trick biometrics

By: Chris W

Chris W — Sat, 04 Aug 2007 20:03:31 +0000

Nevermind cutting off your fingers…they can make a jelly mold of your fingers that will fool at this point any fingerprint scanner on the market.

Look up some of the research on this, it’s both hilarious and depressing. Gelatin has the same insulative factor as human flesh, so it fools any of those ones that check to see if it’s a “living” finger just fine. Heat? Keep it in your pocket.

Yep…sad.

By: Passwords and How They are Stolen « The Nerdcan

Passwords and How They are Stolen « The Nerdcan — Sat, 04 Aug 2007 15:48:07 +0000

[...] 4, 2007 I posted a comment on Angry 365 Days a Year about passwords. The entry was entitled Passwords suck. Most people don’t know a lot about passwords and password stealing. My comment on the [...]

By: the secret in making password fun! « david nii-noi

the secret in making password fun! « david nii-noi — Sat, 04 Aug 2007 15:15:05 +0000

[...] by dniinoi on August 4th, 2007 last time i commented on General Angrines post, ‘PASSWORD SUCK‘. it really sucks for Network Administrators and users who are into serious security [...]

By: vainentree

vainentree — Sat, 04 Aug 2007 15:03:40 +0000

Here are some of the ways people get passwords:

1) The downloading of keyloggers.
2) Hackers (if they have a known target) can port scan (check the open ports on a computer), find ports with vulnerabilities, and transfer data (such as a keylogger or R[emote]A[ccess]T[rojan]) through to the computer.
3) Hackers connct to a server of an email service, messenger service, etc., and run a brute force/dictionary attack. This is done by writing a program to continually try and rearrange letter combinations (brute force), or test all the words in the dictionary.

Cheers,

Ivan
http://thenerdcan.wordpress.com/

By: dniinoi

dniinoi — Sat, 04 Aug 2007 14:47:44 +0000

well, well, lets say you have a strong password of 12 or more characters, okay it’s best if you have s structured sentenc phrase say, idiocracyhacksmetabolism. this is a perfect password. a pass phrase when u wanna change, u can maintain idiocracy and change hacks to say melts, then you have idiocracymeltsmetabolism.this can not be confusing at all. anyway you can do same with your local language phrase.

david

By: Mr Angry

Mr Angry — Sat, 04 Aug 2007 01:31:40 +0000

Paul: I’ll send you a message

DaPuma: That’s an excellent tip, thanks.

rahab: Then I just have to worry about someone cutting off my finger to access the system.

flo: careful what you wish for!