"DON'T use passwords comprised of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don't use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password."
Seems obvious enough, right? Maybe not. At AusCert 2009, I attended a talk given by Peter Gutmann, a researcher in the department of Computer Science at the University of Auckland. His talk focused on various assumptions within security. He displayed samples of phishing data that had been collected. Many of the phished passwords demonstrated exactly what the rule above explicitly says not to do. It seems, at least from the phishing data that was collected, many users are still using passwords basic enough to guess or discover by brute force in a reasonable amount of time.
With the recent cracking of all of Dan Kaminsky's passwords, we're reminded that most of us probably use the same password everywhere, over-simplify it in order to remember it easily, and use it in insecure locations.
Lately we've seen quite a few mass injection attacks occur on Web sites by attackers coming in through the front door with passwords in hand.
You might wonder: How attackers gained the passwords of these ftp/scp/ssh accounts? There are a number of possibilities, but I'll mention a few:
- An employee on the Web administration staff had visited a malicious Web site and became infected with malware, which then monitored their keystrokes and captured their password.
- An employee surfed the Web in an unsecured Wi-Fi network.
- An employee's personal Web account password was guessed, or their secret question was guessed by Googling for personal information. Once access was gained to their account, attackers found more sensitive information that allowed them access to corporate network machines or data.
Providing the answer to a secret question has always been thought to be the ultimate test in order to prove your identity and change your password. But, as even Sarah Palin learned the hard way, this is not the case.
Hotmail, for example, has various secret questions from which the user chooses:
- Mother's birthplace
- Best childhood friend
- Name of first pet
- Favorite teacher
- Favorite historical person
- Grandfather's occupation
Google, Bing, Yahoo, and other search engines have allowed attackers to find information about individuals like never before. The more public a profile you keep on Facebook, MySpace, hi5, or any of the other various social networking sites, the easier it is to obtain answers to most, if not all, questions above. As we all know, an attacker with enough time, patience, and resources will eventually find a way into a target.
Much like Bruce says in his post, we all break the rules he outlines. But that doesn't mean we shouldn't attempt as users and administrators to abide by them and enforce them if possible. Never forget that guessing a secret question and gaining access to a public Web account can lead to massive amounts of potential data leakage if information has been stored in locations it's not supposed to be.