The Password is

Discussion in 'other security issues & news' started by Rico, Jun 27, 2005.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Hi Guys,

    Please allow me to ask a real dumb question (perhaps 11 on a 1-10 scale of dumb questions).

    OK! I read everywhere to use strong passwords: at least 8 characters, mixed upper and lower case, some punctuation added, etc. And don't use your birthday or pet's name as a password. OK, get ready to laugh!

    I'm at home, not in an office; no one else uses this machine but me. The weak password does not make me vulnerable from my residence. How would the bad guys on the net be able to steal my weak (*puppy*, pet's name, etc.) password?

    I guess if they used a keylogger, weak or strong, they would know the password. Would a keylogger capture fields that were auto-filled?

    Thanks for the comments
    rico
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Bad guys can steal a password by catching the password as it crosses a line, by getting at the file the password is stored in, or by applying keystroke logging.

    In your case the first option is only real if you use a wireless access point and use the same password to login to other systems.
    The second one could be tricky if a Trojan is installed on your system. An attacker could remotely copy a password file (the registry, maybe the copy in the repair database).
    Third option you described yourself.

    So: technically speaking you are hardly vulnerable. The biggest chance of exposing your password is by yourself: using it all around the world and/or by being misled by a social engineering hack.

    Stupidity: way below average :)

    BTW: Microsoft claims that they will abandon the use of passwords. So at some point you'll have to use a token or smartcard instead of a password.
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Thanks Meneer!
     
  4. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I don't believe in strong passwords, especially for my users. As soon as they are forced to use strong passwords, they can't remember them and start to write them down. If passwords are that important I would favour a token.

    For passwords I use non-existent words, to avoid having them dictionary-cracked.

    According to Project RainbowCrack a password using the LAN Manager hash can be cracked in seconds. It's better to disable LM or use passphrases with a minimum of 15 characters.

    There are worms that use dictionary attacks to crack weak passwords. Or if you expose your system through a null user. The best defense against these vulnerabilities is hardening or a firewall.
     
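The following is an added example, not a post from the thread and not code from any of the participants. It shows in running code the two points made in the posts above: why a pet's name such as "puppy" (even with the usual "make it strong" mangling applied) falls to a dictionary attack against a captured, unsalted hash, and why the LM hash structure makes 14-character-or-shorter passwords so cheap to crack that a passphrase of 15 characters or more, which has no LM hash at all, is the better defence. The DES step of LM is deliberately left out (the standard library has no DES or MD4), so SHA-256 stands in for the LM/NT hash; the user names, passwords and word list are constructed for the demo.

```python
"""Added example (not part of the thread): why 'puppy' falls to a dictionary
attack in seconds, why LM hashing makes it worse, and why a >=15-char
passphrase has no LM hash at all."""
import hashlib
from typing import Dict, Iterator, Optional, Tuple


# --- 1. LM hash preprocessing (the DES encryption step is deliberately omitted;
#        only the structure that makes LM weak is shown here) --------------------
def lm_halves(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Return the two 7-byte DES key inputs LM hashing derives from a password,
    or None when the password is longer than 14 chars (no LM hash is stored)."""
    if len(password) > 14:
        return None
    # LM upper-cases the password, so 'Puppy' and 'PUPPY' yield the same hash,
    # then null-pads to exactly 14 bytes and splits it into two independent halves.
    padded = password.upper().encode("latin-1", errors="replace").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def lm_work_factor(charset_size: int = 69) -> int:
    """Guesses needed to exhaust LM: two separate 7-char halves, not one 14-char
    string. 69 = 26 letters (case folded) + 10 digits + 33 printable symbols."""
    return 2 * charset_size ** 7


def full_work_factor(charset_size: int = 95, length: int = 14) -> int:
    """Guesses for a case-preserving 14-char password over printable ASCII."""
    return charset_size ** length


# --- 2. A minimal dictionary attack with mangling rules ------------------------
def candidates(words) -> Iterator[str]:
    """Yield each word with the mangling rules password-guessing worms and
    crackers try first: case variants plus common suffixes."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2005"):
                yield base + suffix


def unsalted_hash(password: str) -> str:
    """Stand-in for LM/NT (assumption: SHA-256 here, since the stdlib has no DES
    or MD4). What matters is that it is unsalted: equal passwords, equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(hash_to_user: Dict[str, str], wordlist) -> Dict[str, str]:
    """Try every mangled candidate against the captured hashes and return
    {user: recovered_password} for each hit."""
    recovered = {}
    for cand in candidates(wordlist):
        user = hash_to_user.get(unsalted_hash(cand))
        if user is not None and user not in recovered:
            recovered[user] = cand
    return recovered


# Constructed sample data: three hypothetical accounts and a tiny word list.
SAMPLE_PASSWORDS = {
    "rico": "puppy",                 # pet's name, straight from the dictionary
    "bob": "Puppy2005",              # "strong" per the usual rules, still a mangled word
    "carol": "vronk-quillet-9dmas",  # non-existent words, 19 chars: no LM hash either
}
SAMPLE_WORDLIST = ["apple", "kitten", "puppy", "texas", "password"]


def demo() -> Dict[str, str]:
    """Hash the sample passwords as a captured password file would hold them,
    then run the dictionary attack against those hashes."""
    captured = {unsalted_hash(pw): user for user, pw in SAMPLE_PASSWORDS.items()}
    return crack(captured, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("recovered:", demo())
    print("LM halves for 'puppy':", lm_halves("puppy"))
    print("LM halves for carol's passphrase:", lm_halves(SAMPLE_PASSWORDS["carol"]))
    print("LM work factor: %.1e vs full 14-char: %.1e" % (lm_work_factor(), full_work_factor()))
```

Two things to notice when running it: "Puppy2005" is recovered as quickly as "puppy", because mangling rules are part of every cracker's dictionary mode, while carol's non-existent words never match. And the second LM half of "puppy" is seven null bytes; in real LM that half encrypts to the well-known constant AAD3B435B51404EE, which tells an attacker before any cracking starts that the password is at most 7 characters long.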
  5. INf.

    INf. Guest

    Excellent Diginsight.

    But USB tokens... I have my own experience, lol... they can be the same as a stupid piece of paper...

    That, of course, says more about me than about the paper :)

    But that's a fact ..
     
  6. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Do you mean they become too convenient?
     
  7. Inf

    Inf Guest

    Yes, my bro... in the end it all comes down to what you do with the knowledge ;)
     
  8. Inf

    Inf Guest

    But that's no problem, as we all learn from it... normally each time from another stage, and you learn... you learn... you learn...

    That's all that's left to do... and I like it... we all do... let's face it.

    Sincerely.
     
  9. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    In my company we're switching to smartcards. Much easier: no more tricky passwords, no more password renewal, just a simple 4-digit numeric PIN code.

    Still, the problem is that there may be people writing down their PIN code. Their loss I.

    Our smartcard is enhanced by single sign-on facilities, so application passwords are gone too. Further, we plan to move to real single sign-on by moving to an identity and access management system, so identities and authentication are passed transparently, without user intervention.

    But this, coupled with physical access control, pre-boot authentication for encrypted laptops and payment functions embedded on the smartcard, is certainly a major change from the traditional identification and authentication process.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    There's an interesting article by Fred Langa, and it continues here.

    Cheers :D
     