Archive for the ‘Access Control Systems & Methodology’ Category
Tuesday, September 1st, 2009
Every so often I make a post whose main purpose is to get indexed by google and provide people with (what I think is) some nugget of useful information. Although googling for 8Ry2YjIyt7RRXU24 yields a lot of results, none of them mention that this is the hash of a blank password on a PIX firewall. In other words, if you found this post because your PIX config contains "enable password 8Ry2YjIyt7RRXU24 encrypted", the enable password is blank. The PIX scheme is unsalted MD5, so every PIX with a blank enable password stores exactly this string, which is why searching for the hash works at all.
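To make the check reproducible rather than something you have to take on faith, here is an added example (my code, not from the original post) that computes the PIX "encrypted" value for a given password and runs a small wordlist over the password lines of a config. The encoding it implements is the one PIX uses for both "enable password" and "passwd": NUL-pad the password to 16 bytes, MD5 it, keep the low three bytes of each little-endian digest word and emit them as four six-bit characters from Cisco's "./0-9A-Za-z" alphabet. The sample config below is constructed for the example; its second hash is generated by the function itself.

```python
import hashlib
import re

# Cisco's 64-character alphabet, shared with its other MD5-based password formats.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def pix_enable_hash(password: str) -> str:
    """Return the 16-character value PIX stores for 'enable password ... encrypted'.

    The password is truncated to 16 bytes, NUL-padded to 16 bytes and hashed
    with plain MD5 (no salt).  From each of the four little-endian 32-bit
    digest words the low 3 bytes are kept and emitted as four 6-bit characters,
    least-significant bits first; the top byte of each word is discarded.
    """
    padded = password.encode("utf-8")[:16].ljust(16, b"\x00")
    digest = hashlib.md5(padded).digest()
    out = []
    for i in range(0, 16, 4):
        word = int.from_bytes(digest[i:i + 3], "little")   # low 24 bits of word i//4
        out.extend(_ITOA64[(word >> shift) & 0x3F] for shift in (0, 6, 12, 18))
    return "".join(out)


BLANK_ENABLE_HASH = pix_enable_hash("")   # the value the post is about: 8Ry2YjIyt7RRXU24

# Both the enable password and the login password ('passwd') use this scheme.
_PIX_PASSWORD_RE = re.compile(r"^\s*(enable password|passwd)\s+(\S{16})\s+encrypted\s*$")


def audit_pix_config(config_text: str, wordlist=("", "cisco", "pix", "password")):
    """Find password lines in a PIX config and try a small wordlist against each.

    Returns a list of (directive, stored_hash, recovered_password_or_None).
    Because the hash is unsalted, one hash identifies the same password on
    every device, so a short wordlist of defaults and blanks goes a long way.
    """
    findings = []
    for line in config_text.splitlines():
        m = _PIX_PASSWORD_RE.match(line)
        if not m:
            continue
        directive, stored = m.group(1), m.group(2)
        recovered = next((c for c in wordlist if pix_enable_hash(c) == stored), None)
        findings.append((directive, stored, recovered))
    return findings


# Constructed sample config (not from a real device): a blank enable password and
# the factory-default login password 'cisco'.  The second hash is computed here
# rather than typed in, so the sample stays in step with the function above.
SAMPLE_CONFIG = "\n".join([
    "PIX Version 6.3(5)",
    "enable password 8Ry2YjIyt7RRXU24 encrypted",
    "passwd " + pix_enable_hash("cisco") + " encrypted",
    "hostname pixfirewall",
])

if __name__ == "__main__":
    for directive, stored, recovered in audit_pix_config(SAMPLE_CONFIG):
        if recovered == "":
            status = "BLANK password"
        elif recovered is None:
            status = "not in wordlist"
        else:
            status = "password is " + repr(recovered)
        print(f"{directive:<16} {stored}  -> {status}")
```

Note the truncation: anything past the 16th character of a PIX password is silently ignored, so a long "strong" enable password is only as strong as its first 16 characters.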
Tags: blank password, cisco, passwords, pix | Posted in Access Control Systems & Methodology
Friday, February 20th, 2009
phpbb.com was broken into recently, and 20,000 passwords were revealed. There are two articles which attempt to draw conclusions from the data. One lists the 500 most common passwords, and the other does some analysis to try and get aggregate groupings.
The bottom line: no matter how much training we do, even reasonably internet-literate people like phpbb users still pick crappy passwords. People don’t like remembering passwords, so they find every conceivable way to avoid doing so. (See my previous post: all passwords are weak). If the people a security system is supposed to protect feel the need to circumvent it, they usually will, and that brings the system down. Better to build a different system, one that is more transparent to the people you’re trying to protect.
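As an added example (mine, not code from either article the post links to), here is the kind of analysis those two write-ups did, reduced to a function you can run over any leaked list: the most common passwords, what fraction of accounts they cover, and coarse groupings by character class and length. The password list below is constructed for the example and is not the phpbb data.

```python
from collections import Counter

# Constructed sample, standing in for a leaked plaintext dump (not real data).
SAMPLE_PASSWORDS = [
    "123456", "password", "phpbb", "qwerty", "123456", "letmein",
    "password", "123456", "abc123", "phpbb", "Summer2009!", "12345678",
    "iloveyou", "phpbb", "123456", "password1",
]


def classify(pw: str) -> str:
    """Coarse character-class grouping, the aggregate a dump analysis usually reports."""
    if pw.isdigit():
        return "digits only"
    if pw.isalpha() and pw.islower():
        return "lowercase letters only"
    if pw.isalnum():
        return "letters and digits"
    return "contains symbols"


def analyze(passwords, top_n=5):
    """Return the headline numbers for a list of plaintext passwords.

    'top' is the top_n most common passwords with their counts, 'top_share'
    the fraction of all accounts that those few passwords alone would open,
    which is the number an attacker doing online guessing cares about.
    """
    counts = Counter(passwords)
    total = len(passwords)
    top = counts.most_common(top_n)
    lengths = sorted(len(p) for p in passwords)
    return {
        "total": total,
        "unique": len(counts),
        "top": top,
        "top_share": sum(c for _, c in top) / total,
        "groups": dict(Counter(classify(p) for p in passwords)),
        "median_length": lengths[total // 2],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_PASSWORDS, top_n=3)
    print(f"{report['unique']} distinct passwords across {report['total']} accounts")
    print(f"top {len(report['top'])} cover {report['top_share']:.0%} of accounts: {report['top']}")
    print("by class:", report["groups"])
    print("median length:", report["median_length"])
```

The "top_share" figure is the one to watch: if a handful of passwords cover a large slice of accounts, an attacker does not need to brute-force anything, only to try those few against every username.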
Tags: passwords, phpbb, transparency | Posted in Access Control Systems & Methodology
Wednesday, January 28th, 2009
This looks like it could be a lot of fun. (You know, if someone were to try that. Not that I would ever participate in or condone such an activity). This just boils down to the fact that yet another embedded device ships with a default password that most people never change. The best protection in this case is probably to just lock the access panel.
Tags: hacking, highway signs, passwords | Posted in Access Control Systems & Methodology
Sunday, August 10th, 2008
The New York Times has an article on passwords and OpenID. Frankly, I couldn’t have said it better myself:
Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
…….
The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on.
Exactly what I’ve been saying.
Posted in Access Control Systems & Methodology
Tuesday, July 1st, 2008
Piggybacking on something I wrote about earlier: with the proliferation of WoW credential-stealing bots, WoW is now offering two-factor authentication to its users. Frankly, it makes sense. WoW needs to keep its customers happy to protect its bottom line, and it has begun to realize that all passwords are inherently weak.
Tags: games, passwords, WoW | Posted in Access Control Systems & Methodology, news
Wednesday, June 25th, 2008
I really pity the people who have to design RFID security systems. I don’t mean that condescendingly at all, I really do. They have a system that has no native power source, has to cost about a dime, and somehow has to have strong authentication built into it. They have to design complex circuitry for minimal cost that runs on almost no power. With that in mind, it’s no wonder there are so many examples of people cracking RFID systems. This is just the newest case.
Researchers at Radboud University in Nijmegen in the Netherlands managed to crack and clone London’s Oyster travel card. They were able to take free rides on the Underground and even perpetrated a DDoS attack on a Tube gate.
Tags: rfid | Posted in Access Control Systems & Methodology
Sunday, May 11th, 2008
Has anyone ever stopped to ask themselves why they set password lockouts to 3 or 5? (The so-called “industry standard”.) Plenty of people accidentally lock themselves out in 3 or 5 tries and end up having to call the helpdesk (or equivalent) for a password reset. If the limit were raised to 10 or 20, it would probably greatly reduce those calls.
Generally passwords are much easier to obtain through human factors (phishing, shoulder surfing, reuse from another site) than through brute force. A lockout threshold only limits online guessing, and 20 guesses is no more a brute-force attack than 3 is: against even a weak password space of a few thousand candidates, the extra 17 guesses raise the attacker’s odds by a negligible amount, and a password that falls within an attacker’s first 20 guesses is a top-of-every-wordlist password that a sane password policy should have rejected anyway. Meanwhile a threshold of 3 hands an attacker a cheap denial of service: a few deliberate failures lock any user out.
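To see the trade-off concretely, here is an added example (my code, not from the original post) that replays a constructed login log against two lockout policies that differ only in threshold. The log is invented for the example: one legitimate user who mistypes her password four times, and one attacker who fires twenty guesses at another account. The attacker is locked out under both policies; the only thing the stricter threshold changes is whether the legitimate user ends up calling the helpdesk.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int   # failures within the window that trigger a lock
    window: int      # seconds over which failures are counted
    duration: int    # seconds the account stays locked


@dataclass
class _AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: int = 0


def evaluate(policy, attempts):
    """Replay login attempts against a lockout policy.

    attempts: iterable of (timestamp_seconds, username, succeeded), in time order.
    Returns (lockouts, rejected): the (timestamp, user) pairs at which an account
    was locked, and how many attempts were refused while locked.  A successful
    login clears the failure counter; failures older than the window are dropped.
    """
    states = {}
    lockouts, rejected = [], 0
    for ts, user, ok in attempts:
        st = states.setdefault(user, _AccountState())
        if ts < st.locked_until:
            rejected += 1          # account is locked: refuse without evaluating
            continue
        if ok:
            st.failures.clear()    # a good login resets the counter
            continue
        st.failures = [t for t in st.failures if ts - t < policy.window] + [ts]
        if len(st.failures) >= policy.threshold:
            st.locked_until = ts + policy.duration
            st.failures.clear()
            lockouts.append((ts, user))
    return lockouts, rejected


# Constructed sample log (not real data): alice mistypes her password four times
# and then gets it right; an attacker fires 20 guesses at bob, one per second.
ATTEMPTS = [
    (0, "alice", False), (5, "alice", False), (10, "alice", False),
    (15, "alice", False), (20, "alice", True),
] + [(100 + i, "bob", False) for i in range(20)]

STRICT = LockoutPolicy(threshold=3, window=300, duration=900)
LENIENT = LockoutPolicy(threshold=10, window=300, duration=900)

if __name__ == "__main__":
    for name, policy in (("threshold 3", STRICT), ("threshold 10", LENIENT)):
        lockouts, rejected = evaluate(policy, ATTEMPTS)
        print(f"{name}: locked {[u for _, u in lockouts]}, rejected {rejected} attempts")
```

Under the strict policy alice is locked after her third slip and her correct password at second 20 is refused; under the lenient one she logs in and the counter resets. Bob's attacker is stopped either way, after 3 or after 10 guesses, neither of which is enough to matter against anything but the most common passwords.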
Tags: brute force, passwords | Posted in Access Control Systems & Methodology