[ISN] Survey: Security Password Picks Are Easy Prey

From: InfoSec News (isnat_private)
Date: Tue Jun 26 2001 - 02:07:43 PDT

  • Next message: InfoSec News: "[ISN] Asta Launches DDOS Detection Software"

    By Jay Lyman
    Monday June 25, 2001
    A new computer password survey of British employees highlights what
    many security experts see as an underrated threat: passwords that are
    obvious to people or to "cracking" programs widely available on the
    The survey, conducted by UK domain registry CentralNic, revealed that
    nearly half of the workers polled use their own name or a nickname and
    a third used a favorite sports team or celebrity for their passwords.
    Security experts say most employees are not aware how easy it is to
    guess -- or more commonly, use a cracking tool -- to uncover passwords
    and gain access to the company network.
    Obvious Choices
    The survey by CentralNic, the registry for the "us.com" and "eu.com"
    domain names, indicated that 47 percent of respondents used their own
    name or a nickname and 32 percent chose their favorite football team
    or favorite celebrity, according to Joe Alagna, North American
    marketing manager.
    "One of the main places security can fail is the password because
    people can guess them too easily," Alagna told NewsFactor Network.
    Michael Sutton, senior security engineer at iDefense, said he was not
    surprised to see half of respondents using their own names for
    "Sometimes it's worse," Sutton told NewsFactor. "They'll use a
    one-letter password or a null password -- nothing."
    Sutton, whose Fairfax, Virginia-based company assesses risks for
    businesses and government agencies, said using passwords based on
    personal information -- name, spouse's name, car -- leaves the codes
    vulnerable to discovery by acquaintances, co-workers and all of the
    people who interact with them.
    Sutton said a solution might be assigned passwords, but they are often
    forgotten, written down on Post-it notes at the computer or e-mailed,
    making their discovery more likely.
    Words Are Weak
    Passwords are also vulnerable to cracking tools available on the Web
    that are able to scan for any word as well as letter-numeral
    "Something that people aren't aware of is the way password crackers
    work," Sutton told NewsFactor. "They run through the dictionary, so if
    you pick something that's in the dictionary, it's very easy to crack.
    Other password crackers systematically go through every number-letter
    Sutton suggested using passwords that replace various letters with
    numbers or symbols, or making up an acronym that is not a word.
    "You want to end up with something as random as possible, but it still
    has to be something you're going to remember," he said.
    Protecting Password Files
    A well-known cracking tool such as "LoftCrack" would take about 48
    hours to scan the entire password file of a company, according to
    "There are various files you do not want people to access, and one is
    definitely the password file," he said. "With most operating systems,
    if you want on and have access to the password file, you can get on."
    Sutton said there are probably a dozen cracking programs for all major
    operating systems, but some crackers are application-specific for
    e-mail, word-processor documents or other software.
    "So long as it's a popular application, there's a good chance that
    there are a couple of password crackers for it," he said.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 02:18:02 PDT