Passwords May Be Weakest Link

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"

Very good analysis.

[tshak]

Passwords May Be Weakest Link

And in other news, "The Earth May Not Be Flat".

i can't even troll right

[Anonymous Cowrad]

damnit

Did somebody say...

[Anonymous Coward]

Passwords, you are the weakest link... Goodbye!

just one problem

[mpweasel]

...secure passwords are usually difficult to remember. Thus users tend to use the month (05 for may, etc) for the mandatory digits, and sometimes cusswords to vent their frustration at the secure password policy. Also, it's not too difficult to find sticky notes with obscure strings a la "h0tgr1tz99" stuck on people's monitors. Hmmmm, wonder what that could mean?

Sources: interviews and sticky notes on monitors

--
martin

Netware makes us change...

[Kiaser Zohsay]

...every 39 days, and it remembers an ungodly number of old ones, so you can't recycle. I don't have enough kids to come up with that many passwords.

Re:Very good analysis.

[pacman on prozac]

A conflicting article at the Center for Stating the Bloody Obvious this week stated that infact:

Humans are the weakest link. Without them there would be no need for passwords.

Re:just one problem

[Waffle Iron]

Also, it's not too difficult to find sticky notes with obscure strings a la "h0tgr1tz99" stuck on people's monitors. Hmmmm, wonder what that could mean?

It's probably their /. username...

Re:The problem with strong passwords...

[blacksmith]

...people will write them down. Preferrably on post-it notes and stuck to the keyboard or the screen.

But that's not always a problem. In some situations, where outsiders don't wander round offices, this can be a good technique. If the office is "secure", writing down passwords is fine. This can certainly be put to good effect in the home.

Post-its stuck to monitors might not be the best place to write them down, I grant you.

Re:Netware makes us change...

[TeamSPAM]

...I don't have enough kids to come up with that many passwords.

You must not be Catholic. >;-)

Re:just one problem

[h0tgr1tz99]

HEY! Who told you?!?

Re:Obvious

[sc00p18]

This makes me so MAD! I mean, why can't people take their security seriously? It's not that hard to sit down one day and make up a few difficult passwords and memorize them. For example, I use one of

ekk4H$2drPr3Q,
Ltc4buX126w, and
7ydEX92aSz3UIo

for 90% of my passwords. Then all you have to do is not tell anyone about them. They're not hard to remember anymore, and it really wasn't that difficult to begin with. Sheesh, morons.

Re:Obvious

[MarkusQ]

I wonder how tough it would be to crack SSN number passwords. These are easy to remember, but GOTTA be tought to crack....

Not really. I once worked (as a contractor) with a primadona / hot shot who thought he was the side the bread was buttered on (or something like that). Anyway, he left in a huff of wounded genius one day (someone had the audacity to challenge his expense report, IIRC). I had noticed a few months back that 1) his password was all numeric and 2) he typed it in a 3-2-4 pattern. After he was gone & everyone was in a panic because we were locked out of a few important things, I took it upon myself to look up his SSN in the payroll system.

After everyone was sufficiently worried about the fate of the company and all, I asked mildly "Mind if I take a stab at it?"

It worked the first time, and I deadpaned it like it was no big deal, with some Jeeves-ish quip about "the psychology of the individual" and tapped my forehead. It was quite fun.

-- MarkusQ

Re:Obvious

[Dudio]

I'm sure it was unintentional, but you seem to have left out your Slashdot password. Plz fix. Thx.

Re:Very good analysis.

[Stackis]

You think that's bad...

I use to work for a software company in Eastern Washington State...

Their password for all of their servers was QWERTY...

How freaking dumb is that?...

Needless to say, I implemented new passwords...

Since I've left the company, I'm sure they went back to something pretty lame.....like QWERTY