
Posts Tagged ‘passwords’

the real problem with passwords

Friday, May 14th, 2010

Lest this blog turn into nothing more than a source of announcements, I figured I’d post something that has been eating me up for ages. Anyone who knows me knows that I hate passwords with a passion. They’re easy to break, easy to social engineer, and provide a false sense of security. People trade them for candy bars, reuse them, and don’t pick ones that are hard to guess. As soon as they become hard to guess, they also become hard to remember, leading to lots of helpdesk calls for password resets. All of these (and other) issues stem from one single root cause – passwords move the security role from the IT security department to the end users. We IT security people are constantly trying to make new rules for the end users to make sure they protect their passwords, but the problem is that while all these rules make sense to us, the end users are not IT security experts. They don’t have the background, experience, knowhow, etc. Expecting the end users to manage security of a system they don’t even understand is a huge mistake. And yet, for some reason, that’s what we do when we use passwords as the single factor needed to access sensitive data.

default password list

Thursday, January 14th, 2010

I was clearing out my bookmark file on an old machine this morning and stumbled across something I’d bookmarked and completely forgotten about – the best default password list I think I’ve ever seen. Also, it’s actually maintained! I just figured I’d share it.

Windows 7 password policy

Tuesday, October 27th, 2009

I’ve been using Windows 7 fairly regularly on one of my machines for the past month or so. One thing I noticed is that the default password settings for Windows 7 make passwords expire after 42 days. Since most home users will never change their default settings, this setting will likely become a de facto standard. However, the defaults also have a password history of zero (no remembered passwords) and a minimum password age of zero as well. This means that every home user, when prompted to change their password, will simply change it back to the password they had initially, making this setting useless.

8Ry2YjIyt7RRXU24 is a blank password

Tuesday, September 1st, 2009

Every so often I make a post whose main purpose is to get indexed by Google and provide people with (what I think is) some nugget of useful information. Although googling for 8Ry2YjIyt7RRXU24 will yield a lot of results, none of them mention that this is the hash for a blank password on a PIX firewall. (In other words, if you found this post because you have a PIX that has enable password 8Ry2YjIyt7RRXU24 encrypted set, that means the enable password is blank.)

more password studies

Friday, February 20th, 2009

phpbb.com was broken into recently, and 20,000 passwords were revealed. There are two articles which attempt to draw conclusions from the data. One lists the 500 most common passwords, and the other does some analysis to try and get aggregate groupings.

The bottom line: no matter how much training we do, even reasonably internet-literate people like the phpbb users still pick crappy passwords. People don’t like remembering passwords, and therefore they find every conceivable measure to circumvent them. (See my previous post: all passwords are weak.) If you’re developing a security system where the people who are supposed to be protected feel the need to circumvent the security, they will usually bring your security system down. Better to make a different system which is more transparent to the people you’re trying to protect.

hacking road signs

Wednesday, January 28th, 2009

This looks like it could be a lot of fun. (You know, if someone were to try that. Not that I would ever participate in or condone such an activity). This just boils down to the fact that yet another embedded device has a default password on it that most people never change. The best protection in this case is probably to just lock the access panel.

WoW to go to two factor identification

Tuesday, July 1st, 2008

Piggybacking on something I wrote about earlier, with the proliferation of WoW credential stealing bots, WoW is now offering two-factor authentication to its users. It makes sense frankly. WoW needs to keep their customers happy to keep their bottom line, and they’ve begun to realize that all passwords are inherently weak.

password lockouts

Sunday, May 11th, 2008

Has anyone ever stopped to ask themselves why they set password lockouts to 3 or 5? (The so-called “industry standard”.) There are plenty of people who accidentally lock themselves out in 3 or 5 tries and end up having to call the helpdesk (or equivalent) for a password reset. If the limits were raised to 10 or 20, it would probably greatly reduce those calls.

Generally passwords are much easier to obtain through human factors than through brute-force attacks. No additional security is gained by lowering the lockout from 20 to 3, as 20 attempts is still not enough to break in with a brute-force attack, and any password that can be guessed in 20 attempts can just as easily be guessed in 3.
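To put numbers on the trade-off, here is an added example (my code for this page, not anything from the original post): a sliding-window lockout tracker replayed against two constructed attempt streams, a legitimate user who fumbles her password a few times and an attacker guessing once per second, under a threshold of 3 and a threshold of 20. The account names, timings, window and lockout durations are all made up for illustration, and the guessing-odds helper assumes a password drawn uniformly from its keyspace.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int        # failures inside the window before the account locks
    window_seconds: int   # sliding window over which failures are counted
    lockout_seconds: int  # how long a locked account rejects all attempts


class LockoutTracker:
    """Per-account failed-login counter with a sliding window and timed lockout."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: forget it and start clean
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record(self, account: str, success: bool, now: float) -> str:
        """Apply one attempt. Returns 'ok', 'fail', 'lockout' (this attempt
        tripped the lock) or 'locked' (rejected without checking the password)."""
        if self.is_locked(account, now):
            return "locked"
        if success:
            self._failures[account].clear()  # a good login resets the counter
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        cutoff = now - self.policy.window_seconds
        while recent and recent[0] < cutoff:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.policy.threshold:
            self._locked_until[account] = now + self.policy.lockout_seconds
            recent.clear()
            return "lockout"
        return "fail"


def replay(policy: LockoutPolicy, attempts):
    """Replay (time, account, success) tuples in time order; return per-account outcome counts."""
    tracker = LockoutTracker(policy)
    counts = defaultdict(lambda: defaultdict(int))
    for t, account, ok in sorted(attempts):
        counts[account][tracker.record(account, ok, t)] += 1
    return {account: dict(c) for account, c in counts.items()}


def online_guess_success(threshold: int, keyspace: int) -> float:
    """Chance that `threshold` online guesses hit a password drawn uniformly from `keyspace`."""
    return min(1.0, threshold / keyspace)


# Constructed sample (not from the original post): 'alice' mistypes her real password
# four times over 70 seconds before getting it right; an attacker fires thirty wrong
# guesses at 'bob', one per second.
ALICE = [(0, "alice", False), (20, "alice", False), (45, "alice", False),
         (70, "alice", False), (100, "alice", True)]
BOB = [(t, "bob", False) for t in range(30)]
SAMPLE_ATTEMPTS = ALICE + BOB

STRICT = LockoutPolicy(threshold=3, window_seconds=300, lockout_seconds=900)
LENIENT = LockoutPolicy(threshold=20, window_seconds=300, lockout_seconds=900)

if __name__ == "__main__":
    for name, policy in (("threshold 3", STRICT), ("threshold 20", LENIENT)):
        print(name, replay(policy, SAMPLE_ATTEMPTS))
    # 20 online guesses against a random 8-character alphanumeric password
    print("P(success in 20 guesses):", online_guess_success(20, 62 ** 8))
```

Under the threshold of 3, alice is locked out on her third typo and her correct password is rejected on the next try (that is the helpdesk call); under the threshold of 20 she simply logs in on the fifth attempt. The attacker is locked out either way, after 3 or after 20 of his 30 guesses, and 20 guesses against even an 8-character alphanumeric password has a success probability on the order of 10^-13.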

All passwords are weak

Tuesday, April 22nd, 2008

Far too much time is spent worrying whether passwords are strong or not. The main weakness passwords encounter though is not the string that defines them, but the human being that remembers them. In short, all passwords are weak, and it has nothing to do with string length, complexity, or password change rules.

Recently I got an email from someone I am close to which included his new password. It was not accidental or coerced – he simply mentioned it in his email (which went to about 5 or 6 people, myself included), as part of a funny anecdote. Now this person is not stupid. He is a practicing lawyer who works for the state government and has argued several times in front of his state supreme court. As a security professional I felt it my duty to inform him of the necessity of protecting passwords, but I know that it did no good. He reacted nonchalantly and simply did not seem to care. (It is also clear that he is not alone).

IT folks have a tendency to blame the employee who gave out (or wrote down) their password, but the truth is the fault cannot ultimately lie with them. Competent clerks, secretaries, lawyers, doctors, and others who were born a generation prior to the explosion of the internet cannot be expected to be an expert in IT security, or even to understand anything about IT. The fault belongs to the people who architected the system and placed everyday users in the frontline position against attackers. I hate to harp on a single topic, but security systems must be transparent to be effective. The frontline defense against attacks should not be the users – it should be the trained security professionals. Making the least qualified people the first line of defense against attackers will always be a losing position.
