Who needs hackers? 'Password1' opens a third of all biz doors

Hundreds of thousands of hashed corporate passwords have been cracked within minutes by penetration testers using graphics processing units. The 626,718 passwords were harvested during penetration tests over the last two years conducted across corporate America by Trustwave infosec geeks. The firm's threat intelligence …


  1. Michael H.F. Wilkinson Silver badge
    Facepalm

    No real surprise, really

    Whenever I let my laptop, tablet, or phone look for WIFI networks I am amazed at the sheer number of people who still have Linksys or some similar default as their network name. You just know that the majority of these will still have the default password on them.

    I never try to enter, however tempted I am, not really because I am virtuous (yeah, right), but more because I cannot be bothered, and besides, who knows whether these people have not been infected by some horrible malware which might bite my system.

    1. BenR

      Re: No real surprise, really

      And how much do people want to bet the next most common password is 'Swordfish'?

      1. Triggerfish

        Re: No real surprise, really

        It's always swordfish, works with every secret society as well.

  2. Anonymous Coward
    Anonymous Coward

    Have you got a link for the studies that show regular password resets are a bad idea? It would be very useful.

    1. Anonymous Coward
      Anonymous Coward

      Resets?

      Anecdote: I use relatively weak passwords because I have too many systems which require regular resets.

      The systems which only require a reset every 12 months or so get much better passwords...

      1. Valeyard

        Re: Resets?

        When I worked for a horribly by-the-book corporation that changed passwords every 30 days, all that happened after a while was the numbers and symbols at the end of the password got shifted to the right of the keyboard by 1 key...

        At the other end of the scale, if I see a website signup page berate me for daring to include a symbol in my password or for exceeding 8 characters, I go elsewhere.

        1. Anonymous Coward
          Anonymous Coward

          Re: Resets?

          Yeah, me too more or less, but I would like something that a manager might notice.

        2. J.G.Harston Silver badge

          Re: Resets?

          For ages I was getting thrown off my online debit card payment system for no stated reason, until I realised that it imposed a 12-character limit to the password and never told me that "fredandjimsmith" was not an acceptable password BECAUSE IT WAS TOO STRONG.

          1. A Non e-mouse Silver badge
            Thumb Down

            @ J.G.Harston Re: Resets?

            I use a password manager to generate passwords and I couldn't understand why the Inland Revenue wouldn't accept my new password: It was complaining it was too weak.

            After reducing the length and removing symbols the Inland Revenue finally accepted the password.

            The Inland Revenue was rejecting my passwords because they were too strong, not because it was too weak!

            1. Tim 11

              Re: @ J.G.Harston Resets?

              The worst offender I've found here is Fasthosts (this was a few years ago and I wouldn't be surprised if they've fixed it now). The "change password" form allowed me to set a password with punctuation characters, but the login form did not allow me to log in using such a password - D'oh!

              1. breakfast Silver badge

                Re: @ J.G.Harston Resets?

                Twitter was the same when I first signed up...

          2. Chris Miller

            @J.G.Harston

            The reason for the limitation on Visa (and other) operators is that they use the 'verified by Visa' system that asks you for the 2nd, 7th and 10th character of your password, with the actual ordinals changing randomly each time. They go up to a maximum of 12*. It's intended to make life more difficult for key loggers, shoulder surfers etc.

            More generally, the reason for forcing passwords to change regularly is to limit the damage when (not if) one of them 'leaks'.

            * not an unreasonable limit. If you allowed (say) 30 character passwords, the chances of most people being able to correctly identify which is the 23rd character of their password is slim.

            1. Allan George Dyer

              Re: Chris Miller Re: @J.G.Harston

              Which is one more reason why 'verified by Visa' is bad.

              1. mark 63 Silver badge

                Re: Chris Miller @J.G.Harston

                Surely visa could allow longer passwords and then just quiz you on the first 12 characters?

              2. Anonymous Coward
                Anonymous Coward

                Re: Chris Miller @J.G.Harston

                > Which is one more reason why 'verified by Visa' is bad.

                It's not an unreasonable system, because the partial matches also prevent operators from mining your entire password. You could argue about the length, but remember that people generally have to do this off the top of their heads, and the potential for user error thus increases, and thus the possibility that users abandon the security measures altogether.

            2. Anonymous Coward
              Anonymous Coward

              Re: @J.G.Harston

              > asks you for the 2nd, 7th and 10th character of your password

              I have to use a system with a similar approach, 3 randomly-selected numbers from a 6-digit PIN. Since I use the system once every few months, and never type the whole PIN, it never "sticks" in my mind. So (you guessed) I keep it on a post-it in my wallet. Not helpful.

              1. Anonymous Coward
                Anonymous Coward

                Re: @J.G.Harston

                > asks you for the 2nd, 7th and 10th character of your password

                The fact that they can validate the individual characters means that they hold the password in a way which is not one-way hashed -- that is pretty bad practice by any standards, even if the plain-text password is stored in encrypted form.

                1. Nigel The Pigeon

                  Re: @J.G.Harston

                  "The fact that they can validate the individual characters means that they hold the password in a way which is not oneway hashed"

                  Not necessarily. They could store all combinations of 3 chars of your password pre-hashed.

                  Which on a 12 digit password is.... 12! / (3! (12 - 3)!) ....only 220 hashes!
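The scheme Nigel The Pigeon sketches, as an added example that is not code from any commenter or from Verified by Visa: one salted digest per 3-position subset of a 12-character password, so the server can check a "2nd, 7th and 10th character" challenge without keeping the password itself. The password, the PBKDF2 parameters and the 1-based position convention are my own assumptions; the table size C(12,3) = 220 is the figure from the comment. The caveat a practitioner should see is in `partial_keyspace`: each entry commits to only three characters, so a leaked table is far weaker than a single full-password hash.

```python
import hashlib
import hmac
import os
import secrets
from itertools import combinations
from math import comb

POSITIONS_ASKED = 3      # the site asks for three character positions per login
PBKDF2_ROUNDS = 10_000   # assumption, kept low so the whole table builds in about a second


def _digest(positions, chars, salt):
    # Bind the positions to the characters, so "rdm" at (2,7,10) and at (3,7,10) differ.
    msg = ",".join(map(str, positions)).encode() + b"|" + chars.encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ROUNDS)


def build_partial_table(password, k=POSITIONS_ASKED):
    """One salted digest per k-subset of 1-based positions; the password itself is not kept."""
    salt = os.urandom(16)
    table = {}
    for positions in combinations(range(1, len(password) + 1), k):
        chars = "".join(password[i - 1] for i in positions)
        table[positions] = _digest(positions, chars, salt)
    return salt, table


def table_size(length, k=POSITIONS_ASKED):
    """Entries needed: C(length, k) -- 220 for a 12-character password, as the comment says."""
    return comb(length, k)


def pick_challenge(length, k=POSITIONS_ASKED):
    """Choose k distinct positions with a CSPRNG, sorted ascending like the table keys."""
    return tuple(sorted(secrets.SystemRandom().sample(range(1, length + 1), k)))


def verify(table, salt, positions, answer):
    """Check the user's k characters against the stored digest for those positions."""
    positions = tuple(positions)
    expected = table.get(positions)
    if expected is None or len(answer) != len(positions):
        return False
    return hmac.compare_digest(expected, _digest(positions, answer, salt))


def partial_keyspace(alphabet_size=95, k=POSITIONS_ASKED):
    """Guesses that exhaust one entry: 95^3 = 857,375 for printable ASCII. That is the
    cost of this design: a leaked table protects three characters at a time, not the password."""
    return alphabet_size ** k


if __name__ == "__main__":
    # Constructed sample: the page's "fredandjimsmith" cut to the site's 12-character limit.
    pw = "fredandjimsm"
    salt, table = build_partial_table(pw)
    print("entries:", len(table), "expected:", table_size(len(pw)))
    challenge = pick_challenge(len(pw))
    answer = "".join(pw[i - 1] for i in challenge)
    print("challenge", challenge, "verified:", verify(table, salt, challenge, answer))
    print("guesses per entry:", partial_keyspace())
```

Positions are 1-based to match the "2nd, 7th and 10th" wording, so `verify(table, salt, (2, 7, 10), "rdm")` succeeds for the sample password. The table is rebuilt from scratch whenever the password changes; there is no way to derive a new table from the old one without the password.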

            3. AndrueC Silver badge
              Facepalm

              Re: @J.G.Harston

              It's intended to make life more difficult for key loggers, shoulder surfers etc.

              And it fails miserably where I'm concerned. It seems I rely on finger memory for passwords and being asked for characters in random positions just doesn't work. I get round it by firing up Notepad and typing the password with the digits underneath.

              Oh and my VbV password is 14 characters long. I know because after 0 to 9 I have to repeat 1 to 4 :D

            4. J.G.Harston Silver badge

              Re: @J.G.Harston

              My Yorkshire Bank account has an 18-character case insensitive, no forced gobbledegook password, and I can always remember all 18 characters when it asks for a small random subset of them, because I can spell.

              1. Primus Secundus Tertius

                Re: @J.G.Harston and spelling

                I remember a work account used by a small group. After the password was set to 'pterodactyl' the non-spellers objected. These people were graduate engineers.

                1. Alan Brown Silver badge

                  Re: @J.G.Harston and spelling

                  "After the password was set to 'pterodactyl' the non-spellers objected"

                  Just for them I would have set it to "antidisestablishmentarianism"

                2. Irony Deficient

                  pterodactyl

                  Primus Secundus Tertius, of course the graduate engineers objected — they knew perfectly well that a word meaning “1000 gigadactyls” would have a “tera-” prefix.

                3. Number6

                  Re: @J.G.Harston and spelling

                  'Pterodactyl' should have been replaced by 'floccinaucinihilipilification' just to show that the IT department was listening to their complaints. It's what any good BOFH would have done.

              2. AndrueC Silver badge

                Re: @J.G.Harston

                because I can spell.

                But one of the cornerstones of avoiding a dictionary attack is to not spell things correctly. My passwords aren't in any dictionary precisely because they aren't spelt correctly ;)

                1. Anonymous Coward
                  Anonymous Coward

                  Re: @J.G.Harston

                  My passwords aren't in any dictionary precisely because they aren't spelt correctly ;)

                  This is the first time I've seen an inability to spell correctly advertised as a benefit - well done.

                  :)

          3. Roland6 Silver badge

            Re: Resets?

            Re: "12-character limit to the password and never told me that "fredandjimsmith" was not an acceptable password "

            Yep, come across several of these sites over the years, they don't tell you at time of password setting that the password you've chosen is too long, leaving you to pull your hair out guessing what has gone wrong and then trying to rectify the problem...

        3. Tom 35

          Re: Resets?

          You can tell how long a salesperson has worked for a company by the size of the number on the end of their password.

    2. David L Webb

      http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

      explains why frequently changing passwords doesn't do much good by showing how useless it is at countering each of the modern threats to passwords. The policy of changing passwords once a month made sense when the main threat was someone stealing the encrypted password file and then spending a month to crack the passwords, but it doesn't make sense nowadays.

      1. Chris Miller

        @David L. Webb

        Interesting article, and thanks for the link, but I don't entirely agree. The critical bit is:

        If any of the other attack methods succeed, the password needs to be changed immediately to be protected—a periodic change is likely to be too late to effectively protect the target system.

        There's some truth to this, but the biggest problem with passwords as opposed to more secure (and more expensive) methods of authentication is that you can 'lose' it without knowing that you've lost it. Periodic password changes are a long stop to catch such cases. I would argue that if your security requirements are such that immediate action is vital, passwords alone are the wrong authentication method.

    3. Uffish

      Anecdote

      Not a big sample, but where I worked the "obligatory regular password changes" resulted in about a third of the passwords being written on a post-it stuck to the bottom of the keyboard or laptop.

      I couldn't believe it until I checked one evening after working late. The regular change policy didn't last, probably because IT staff got tired of people moaning that they had lost their post-it. Mind you, I checked again later and a lot of the post-its were still there.

      1. Keith Langmead

        Re: Anecdote

        "I couldn't believe it until I checked one evening after working late. The regular change policy didn't last, probably because IT staff got tired of people moaning that they had lost their post-it. Mind you, I checked again later and a lot of the post-its were still there."

        That's not just with regular changes, I've seen that with users when they only get changed once a year. My solution (after telling them that wallets were fine, just NOT under the keyboard), go round at night, remove the post-its, and reset the password to something longer. Wait a few days and repeat. People eventually got the idea.

      2. Alan Brown Silver badge

        Re: Anecdote

        We tell people that if we find a postit, they'll have to submit a handwritten letter acknowledging breach of company policies in order to regain access - and that letter will be held on file until they leave the outfit.

        Postit sweeps generally come up clean - People are actually pretty good at keeping pieces of paper secure if there's an incentive to do so - look in any wallet for those ones with pictures of the Queen to see what I mean.

        The funny thing is that "goodluckguessingthispassword" is far easier to remember than "5aHB$a%W" as well as being significantly more secure - so encouraging people to use phrase-based passwords is a good policy.

        Having said that, our random phrase generator has come up with "KillAllJews" and such gems as "TennisCorruptionScandal" during Wimbledon week...

      3. ps2os2

        Re: Anecdote

        To keep this short and to the point: I have a disability that impairs my short-term memory.

        The hospital where I have all my testing done has now gone to a system which requires a 10-character password with upper/lower case and several numbers. I simply cannot remember this password. I told them so and it bounced off like Teflon. I simply asked to have my record deleted and to mail me all information that they wanted me to have. I have not heard from them since (other than my ID being deleted). I hope I am not missing any important information.

        I suspect their system doesn't handle it well to have the ID deleted.

    4. Robert E A Harvey

      Anecdotally

      In my case it has led to me keeping an ASCII file of all the business software passwords I use on my phone.

  3. Crisp

    Password fields need to be bigger.

    I have to truncate most of my favourite pass phrases in order to use them as passwords.

    1. Cliff

      Re: Password fields need to be bigger.

      The other problem is the word 'password' - if we IT savvy people start using the word 'passphrase' consistently instead, more people would understand that punctuation and spaces are allowed, and even welcomed, than trying to fit numbers, characters into a 'word' and still remember it.

      1. Fred Flintstone Gold badge

        Re: Password fields need to be bigger.

        The other problem is the word 'password' - if we IT savvy people start using the word 'passphrase' consistently instead, more people would understand that punctuation and spaces are allowed, and even welcomed, than trying to fit numbers, characters into a 'word' and still remember it.

        Yes and no - the problem is that many outfits actually do NOT permit the use of pass phrases, which is IMHO close to idiotic (and/or damn lazy coding). I agree with the use of pass phrases.

        I much prefer pass phrases for users, because you can make dreaming up a good pass phrase fun, which aids memorisation and recall (as it's one of the key techniques for memorising anyway) and thus prevents people writing things down.

        1. Ragarath

          Re: Password fields need to be bigger.

          Passphrases are what I advocate, the annoying thing with Active Directory is that you cannot create your own password requirements without a third party application.

          I want to specify that the users must have at least five unique words separated by spaces and a mix of upper and lower case (Numbers and symbols are allowed but not required). But to allow this you need to turn off the complexity requirements. I have found that people tend to forget if they used a 0 or an o in this word (same with the other common swaps) and so just using letters makes more sense.

          The same is true with a lot of online logins, they need to allow more options.
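The policy Ragarath describes, written out as a checker; this is an added example and is not code from the commenter, from Active Directory, or from any third-party product. The rule set is taken from the comment (at least five unique words separated by spaces, both upper- and lower-case letters, digits and symbols allowed but not required); the look-alike warning list and the simplified "three of four character classes" stand-in for the built-in complexity rule are my assumptions, added to show why a letters-only passphrase fails the default check the comment says must be turned off.

```python
import string

MIN_WORDS = 5
# Assumed list of the "common swaps" the comment mentions: people forget which one they used.
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a"}


def check_passphrase(phrase, min_words=MIN_WORDS):
    """Policy from the comment: at least min_words unique words separated by spaces,
    containing both upper- and lower-case letters; digits and symbols are allowed but
    not required. Returns the list of failure reasons; an empty list means accepted."""
    reasons = []
    words = phrase.split()
    if len(words) < min_words:
        reasons.append(f"need at least {min_words} words, found {len(words)}")
    unique = {w.lower() for w in words}  # "Dog dog" is one word, not two
    if len(words) >= min_words and len(unique) < min_words:
        reasons.append(f"words must be unique: only {len(unique)} distinct")
    if not any(c.islower() for c in phrase):
        reasons.append("needs at least one lower-case letter")
    if not any(c.isupper() for c in phrase):
        reasons.append("needs at least one upper-case letter")
    return reasons


def lookalike_warnings(phrase):
    """Advisory only, not a rejection: words that mix letters with characters users
    later confuse for letters (0/o, 1/l, 3/e, 5/s, $/s, @/a)."""
    flagged = []
    for w in phrase.split():
        if any(c.isalpha() for c in w) and any(c in LOOKALIKES for c in w):
            flagged.append(w)
    return flagged


def ad_style_complexity(password):
    """Simplified stand-in (an assumption, not Microsoft's exact rule) for the classic
    'three of four character classes' complexity check that the comment says has to be
    switched off before a letters-only passphrase policy can be enforced."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),  # a space is not punctuation here
    ]
    return sum(classes) >= 3


if __name__ == "__main__":
    # Constructed samples: one phrase that passes the comment's policy, one short one, one with swaps.
    for sample in ("Correct horse Battery staple Elephant", "Only Four Words Here", "Corr3ct Horse batt3ry staple elephant"):
        print(repr(sample))
        print("  policy failures:", check_passphrase(sample) or "none")
        print("  look-alike warnings:", lookalike_warnings(sample) or "none")
        print("  passes 3-of-4 complexity:", ad_style_complexity(sample))
```

Run stand-alone, the first sample passes the passphrase policy but fails the three-of-four complexity check, which is exactly the conflict the comment describes: the built-in rule has to give way before the passphrase rule can take over.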

          1. NogginTheNog

            Re: Password fields need to be bigger.

            Good points, though in defence of AD I do like the fact it allows the space character in passwords. That's something many online systems would throw a hissy fit at!

            1. Alan Brown Silver badge

              Re: Password fields need to be bigger.

              "Good points, though in defence of AD I do like the fact it allows the space character in passwords. "

              Even unix DEScrypt allowed spaces in passwords.

              If online systems are throwing a hissy fit that's a damning indictment on the quality of the person who wrote the module - far too much shite in websites is based on people making assumptions about standards rather than actually reading them.

          2. Alan Brown Silver badge

            Re: Password fields need to be bigger.

            The standard unix PAM complexity checker has a great set of rules which support using long lowercase passphrases and require increasingly Byzantine character combinations if people insist on using short passwords. (Under 10 characters can be tuned to require at least one from each of A-Z, a-z, 0-9 and symbols WITHOUT the common 37337 letter/number substitutions.)

            It can also suggest random passphrases (the default used to be 3 words, but that's changeable - 3 is no longer "strong enough")

            http://www.openwall.com/passwdqc/

      2. Tim 11

        Re: Password fields need to be bigger.

        One nice trick is to have a space at the end of the password - even if someone finds it written down or sees the plain text on your screen, they're unlikely to be able to use it :-D

        1. veti Silver badge

          Re: Password fields need to be bigger.

          And the reason why all these things don't work is nothing to do with lazy coding, or gullible management suits. It's to do with testing.

          The basic exchange goes something like this:

          Tester: "What's the maximum length and character restrictions of a password field?"

          Manager: "From 12 to 4,294,967,295 characters length, 256 valid characters to choose from."

          Tester: "OK, that'll take about... four years to test. Assuming a team of six, with full-time engineering support."

          Manager: "Four YEARS!?"

          Tester: "Well, first we have to generate valid passwords of several different lengths. Then make subtle variations on each one - characters transposed, whole words transposed, upper/lower case, varying amounts and types of whitespace, and about three dozen other variations I haven't even thought of yet. Then we need to enter all of them in several different ways - typing, Swyping, pasting from clipboard, entry from imported file, interface from 'ShIT' portal. Then Sam, she's hot on this sort of thing, will try to generate hash collisions..."

          Manager: "You've got two people, and three weeks to test the whole site from soup to nuts."

          Tester: "OK, then we can test passwords with a range of 8-12 characters, letters and numerals only, case-sensitive. If you'll give us an extra day, we can even let it reject common dictionary words and phrases with one or two added characters and try the hash-collision thing."

          Manager: "No extra day!"

      3. Swarthy
        Thumb Up

        Re: Password fields need to be bigger.

        Obligatory XKCD (We were all thinking it)

        1. badger31

          Re: Password fields need to be bigger.

          <rant>

          I've always had a problem with the maths of that particular cartoon. It treats each word as a series of characters (plus common substitutions), but he actually states that the passphrase should be FOUR COMMON WORDS. Even if you tried all combinations of the top 2000 words, that's only 2000^4 = 1.6e+13 combinations. OK, that's only a smidge less than his 2^44 (1.8e+13), but I could easily prune that search tree with simple heuristics and word ordering. (I'm actually tempted to try this!). If the password is 8 random visible characters, that's 95^8 (6.6e+16).

          I type in my login many, many times a day, so it needs to be as quick to type as to remember. No way I'm having a 25-digit password no matter how easy to remember. The only use for this I can think of is that 'verified by visa' bollocks, which won't allow it anyway. Every time I need to use that, I can't remember my password, and every possible variation of my memorable passwords has already been used, apparently, leaving me with no choice but to set a new password every time, with even less likelihood of me remembering it. And all that is needed to change the password is my card details and my DoB, so some thief with my wallet would have no problem.

          Anyway, my main point is that a sufficiently random 8-digit password will be hard to crack, and if you use it enough, your fingers will remember it, even if you don't.

          Oh, and password managers are just a pointless single point of failure (that could go 'tits-up' [http://www.theregister.co.uk/2014/08/12/lastpass_outage/]), and if someone hacks that password, they own you, bitch.

          And besides, who the fuck cares what your facebook or twitter password is? Generally speaking, the login password is not the weak link; unless you're a moron with a password like 'password1'

          I could go on, but ...

          </rant>

          1. AndrueC Silver badge
            Joke

            Re: Password fields need to be bigger.

            Password restrictions.

    2. Alan Brown Silver badge

      Re: Password fields need to be bigger.

      "I have to truncate most of my favourite pass phrases in order to use them as passwords."

      MD5 or SHA(anything) based hashers allow at _least_ 127 characters.

      Anything which is arbitrarily restricting the number of characters to a small number is indicative of a poor hashing algorithm. (14 is an indication of MS LanMan, which has a poor crypting AND is reversible. Good hashing algorithms are one-way operations.)

  4. cracked

    Two factor ...

    The problem is that 18 years will - presumably? - be half that time in 18-months. And then in another year and a half, half that again. Once 8-character passwords were considered more than strong enough ... now it's what, 20+?

    By 2030 everyone will need a chapter from their favourite novel (in reverse) in order to get back to the 18 years crack-time.

    --------------

    A second problem is that it isn't only a password securing an account. But because way too many websites at least imply - if not insist - that an email address is also your username, very many people use the same address across multiple sites.

    In the example in the article, if even the non-phonetic password was coupled with a user-name unique to that site, the time to crack would be much higher (if, in the real world, cracking was attempted at all?).

    1. Allan George Dyer

      Re: Two factor ...

      No, the username is NOT securing anything. It is an identifier, and not secret. It isn't hidden when you type it in, there is no expectation of secrecy.

      Actually, I find it convenient to use an email address as a username. It is guaranteed to be globally unique, and I don't have to remember that I was adyer1234 on site A and adyer4567 on site B. If I'm worried about spam, I use companyname@mydomain.com and I get a clue who resold my address.

      If we want to be secure, we need to insist on using 2048 bit RSA for logins instead of passwords.

      And your title? If you are suggesting that you wrote anything about Two Factor Authentication, you are wrong. A username + a password is a single factor: something you know. Two factor is any two from Something you Know, Something you Have, Something you Are.

