[Dshield] Password Strength

Chris Brenton cbrenton at chrisbrenton.org
Mon Oct 18 12:47:05 GMT 2004


On Mon, 2004-10-18 at 06:53, Benjamin M.A. Robson wrote:
>
> The problem is that
> whilst changing every month, or three months may lower the window in
> which a CPU might brute force the password it increases the likelihood
> that one of your users will write the password down and stick it to the
> back of their keyboard.

Excellent point and one I neglected to mention. Thanks for adding this
in!

> Remember, users(humans) are dumb and lazy.  Unless you make it easy for 
> them, they will make it easy for themselves.  Even if this breaks the rules.

I'm reminded of a story one of my students once told me. Assume their
company name was "fubar" for the purpose of example. 

This student decided to try a little "social engineering" to see if
their users would hand over their passwords. They registered
"fubar_helpdesk at yahoo.com" and sent an e-mail to all internal users that
said something like "This is the helpdesk and we are having system
problems. Please send us your logon name and password so we can rectify
your account". As expected, about a dozen users hit reply and sent their
logon name and password. Most of them had VPN access so these
credentials could easily be used to gain remote access.

So this person then sends an e-mail from the real helpdesk account and
explains he was doing security testing. He explains how to tell the
difference between internal and external e-mail, and then goes on to
explain that you should *never* give out your password via e-mail or
over the phone. They also explain that the helpdesk can easily change
passwords when required, so they would never need to ask for this info;
there is absolutely no valid reason to even hand out your password to
anyone. For completeness, they included a forward of the original
message so people knew what they were talking about.

The result? 16-18 people hit reply on this second message and sent their
logon name and password (yes, even more people than the first time
around). 

So I have a hard time arguing with your point of "dumb and lazy". I
personally however try to look at it as "job security" because as long
as we let people have access to computers, the security field is always
going to need smart folks fighting the good fight. :)

Chris