
Passwords

Passwords are one of the main elements of computer security. Practically everywhere, from starting the computer to logging into a network server, a login and password challenge takes place between the user and the system. Both attributes are used even with a smartcard or biometric authentication system; only the way the system obtains the user name and password changes: they are entered from the keyboard, read from a chip card's EEPROM, or taken from the user's finger or iris. Only in the first, and most widely used, case does the user really know the password and can often change it freely. Unfortunately, in many cases this turns out to be a problem. According to some hackers' investigations, a lot of users think that their logins are known only to themselves and the system administrators, but in reality Windows operating systems often kindly give logins to anyone who knows how to ask for them, because by default an anonymous user can get a user list from the server. This can be disabled by editing the Windows registry: under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA, set the DWORD value RestrictAnonymous to 1.
Another way to get a login and password is with a sniffer. Passwords are usually encrypted before being sent over the network, but there are exceptions: telnet sessions, work with a POP3 mail server, or a server configured, by accident or on purpose, to work with plain passwords. If the password is encrypted, a hacker must decrypt it first. The hash generation algorithm is usually well known, and the password can be found by testing dictionary words until the right hash is found. Testing all symbol combinations completely is usually impossible because of the computing resources required. So passwords are divided into strong and weak ones.
A weak password can usually be decrypted easily using programs like John the Ripper, which are often dictionary based. Weak passwords generally use only one symbol register, small or caps; examples: admin, john, login.
Strong passwords use not only both caps and small symbols but also special symbols, for example Ad1ini$s!tRator, Q19wc%7&ke, z01k3S*2&.
Mathematically possible combinations for 4 symbol password are:
Users usually choose short passwords, often a single word, on the grounds that a more difficult strong password is hard to remember. But it is possible to build a password from a word by ornamenting it with special symbols and numerals. Likenesses are easy to find: !-i, @-a, ^-v, $-S, 1-i, 5-s, 2-z, 6-G, 7-L, 0-o, +-t. A word can simply be taken and its letters replaced: Ainars-A!n@r5 or Administrator-Adm!ni$trat0r. Inserts could be even better: Ainars-Ai!na@rs5 or Administrator-Adm!ini$stra@to0r. In this case not only will the password be longer, but it will also be more difficult for a hacker to decrypt it because
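
Added example (not part of the original page): a Python password check built from the weak/strong distinction and the look-alike table above. It counts the combinations an exhaustive search would have to cover for the character classes a password uses, and reverses the look-alike table to see whether the password is still a listed word. The word list, the function names and the ASCII class sizes are assumptions made for the example.

```python
import string

# Look-alike table from the text above, reversed (symbol -> letter).
LOOKALIKES = {"!": "i", "@": "a", "^": "v", "$": "s", "1": "i", "5": "s",
              "2": "z", "6": "g", "7": "l", "0": "o", "+": "t"}

# Constructed sample word list; a real check would load a full dictionary.
WORDLIST = {"admin", "john", "login", "ainars", "administrator"}

# Character classes counted towards the alphabet (assumption: ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Sum the sizes of the character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def search_space(password):
    """Combinations an exhaustive search over that alphabet must cover."""
    return alphabet_size(password) ** len(password)


def undo_lookalikes(password):
    """Lower-case the password and map look-alike symbols back to letters."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in password.lower())


def assess(password):
    """Report search-space size and whether the password is a disguised word."""
    base = undo_lookalikes(password)
    return {"alphabet": alphabet_size(password),
            "combinations": search_space(password),
            "normalised": base,
            "dictionary_word": base in WORDLIST}


if __name__ == "__main__":
    for pw in ("admin", "A!n@r5", "Ai!na@rs5", "Adm!ni$trat0r", "Adm!ini$stra@to0r"):
        r = assess(pw)
        print(f"{pw:18} alphabet={r['alphabet']:2} combinations={r['combinations']:.2e} "
              f"word={r['dictionary_word']} ({r['normalised']})")
```

With this table and word list the straight replacements A!n@r5 and Adm!ni$trat0r reduce to listed words, while the versions with inserts do not.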


Mail:ainarssk@email.com

Last modified Sunday, 10-Oct-2004 09:08:05 MDT