Psst... I know your password
Posted by: Tweaker
When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look.
Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file.
"Just about every company that we have gone into, even large multinationals, has a high percentage of accounts with easily (cracked) passwords," said Greg Shipley, director of consulting for Neohapsis. "We have yet to see a company whose employees don't pick bad passwords."
Some choose words straight out of Webster's dictionary, others use a pet's name, and still more choose the name of a secret lover. Many who think themselves tricky append a digit or two on the end of their chosen word. Such feeble attempts at deception are no match for today's computers, which are capable of trying millions of word variations per second and often can guess a good number of passwords in less than a minute.
It's a given that many users (especially non-tech ones) will use over-simple passwords on their systems. BTW, Windows 2000 allows passwords over 8 characters (up to 128) and can even enforce difficulty requirements (such as non-alphanumeric characters, etc.). Because W2K uses Kerberos by default, there is no NTLM hashing problem.
Compare this with Sun Solaris where the hacker knows the admin is ROOT (which cannot be changed) and the significant portion of the password cannot be more than 8 characters long.
Source: ZDNet News
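The patterns the article describes (a dictionary word, a pet's name, a digit or two tacked on the end, the kind of thing a rules-based cracker tries first) can be rejected at password-set time instead of being found later by John the Ripper. The following is an added example, not code from the thread or the ZDNet article: a small policy checker in Python whose wordlist, leet-swap table, guess-rate model and complexity thresholds are constructed assumptions, not a real deployment's values.

```python
import re
import string

# Constructed mini-wordlist standing in for the large dictionary a cracker such as
# John the Ripper would feed its rules (assumption: a real check loads one from disk).
DICTIONARY = {"password", "welcome", "summer", "fluffy", "chicago", "secret", "rex"}

# Common letter-for-symbol swaps that rule-based crackers undo ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})
DECORATION = r"[\d!@#$%^&*]"  # the digit-or-symbol tail users append to a word

def is_dictionary_based(password: str) -> bool:
    """True if the password is a wordlist entry, optionally with leet swaps and
    up to three trailing or two leading digits/symbols: the first thing a rule
    file tries, so it offers almost no resistance."""
    core = password.lower()
    core = re.sub(DECORATION + r"{0,3}$", "", core)  # strip "fluffy12" -> "fluffy"
    core = re.sub(r"^" + DECORATION + r"{0,2}", "", core)
    return core.translate(LEET) in DICTIONARY

def complexity_classes(password: str) -> int:
    """Count of character classes present (lower, upper, digit, symbol), the
    measure a Windows 2000-style complexity requirement enforces."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(test(c) for c in password) for test in tests)

def keyspace(password: str) -> int:
    """Guesses an attacker who knows the character classes in use must make in the
    worst case. A decorated dictionary word is modelled as wordlist size x 1000
    rule variants rather than as a brute-force search (constructed model)."""
    if is_dictionary_based(password):
        return len(DICTIONARY) * 1000
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return alphabet ** len(password)

def evaluate(password: str, min_length: int = 8, min_classes: int = 3) -> list:
    """Return policy findings for a candidate password; an empty list means it passes."""
    findings = []
    if len(password) < min_length:
        findings.append("shorter than %d characters" % min_length)
    if complexity_classes(password) < min_classes:
        findings.append("fewer than %d character classes" % min_classes)
    if is_dictionary_based(password):
        findings.append("dictionary word with trivial decoration")
    return findings
```

Dividing `keyspace()` by the cracker's guess rate (the article's "millions per second") gives the worst-case time a brute-force attacker needs, which is why a 7,000-guess dictionary variant falls in well under a minute while a 10-character mixed-class password does not.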