The Password is

Hi Guys,

Please allow me to ask a real dumb question (perhaps 11 on a 1-10 scale of dumb questions).

Ok! I read everywhere to use strong passwords, at least 8 characters, mix upper & lower case, and add some punctuation, etc.. And don't use your birthday, or pets name, for a password. Ok Get ready to laugh!

I'm at home not in a office, noone else uses this machine but me. The weak password, does not make me vulnerable from my residence. How would the bad guys on the net be able to steal my weak ( pets name etc) password?

I guess if they used a keylogger weak or strong they would know the password. Would a keylogger capture fields that were auto filled in?

Thanks for the comments
rico

 

Bad guys can steal a password by catching the password as it crosses a line, by getting at the file the password is stored in, or by applying keystroke logging.

In your case the first option is only real if you use a wireless access point and use the same password to login to other systems.
The second one could be tricky if a trojan is installed on your system. An attacker could remotely copy a password file (the registry, maybe the copy in the repair database).
Third option you described yourself.

So: technically speaking you are hardly vulnerable. Most chance of exposing your password is by yourself: using it all around the world and/or by being mesled by a social engineering hack.

Stupidity: way below average

BTW: Microsoft claims that they will abandon the use of passwords. So once you'll have to use a token or smartcard instead of a password.

 

Thanks Meneer!

 

I don't believe in strong passwords, especially for my users. As soon as they are forced to use strong passwords, they can't remember them and start to write them down. If passwords are that important I would favour a token.

For passwords I use non-existant words, to avoid having them dictionary cracked.

According to Project RainbowCrack a password using lan manager hash can be cracked in seconds. It's better to disable LM or use passphrases with a minimum of 15 characters.

There are worms that use dictionary attacks to crack weak passwords. Or if you expose your system by null user. The best defense against these vulnerabilities is hardening or a firewall.

 

Excellent Diginsight.

but usb tokens ... I have my own experience lol ... it can be the same as an stupid piece of paper ..

that..offcourse says more about me then the paper

But that's a fact ..

 

Do you mean they become too convenient?

 

Yes my bro.. at the end it al comes down to what you do with the knowledge

 

But that's no prb as we al learn from it.. normaly everytime from another stage and you learn.. you learn .. you learn ..

That's all left to do..and I like it .. we all do .. let's face it.

Sincerely.

 

In my company we're switching to smartcards. Much easier, no more tricky passwords, no more password renewal, just a simple 4 digit numeric pincode.

Still the problem is that there may be people writing down their pincode. Their loss I.

Our Smartcard is enhanced by single sign-on facilities. So application passwords are gone too. Further we plan to move to real single sign-on by moving to an identity and access management system, so identitities and authentication is passed transparantly, without user intervention.

But this, coupled to physical access control, pre-boot authentication for encrypted laptops and payment functions embedded on the smartcard, certainly is a major change from the traditional identification and authentication process.

 

There's an interesting article by Fred Langa, and it continues here.

Cheers