Survey: Security Password Picks Are Easy Prey

[InfoSec News <isn () c4i org>]

http://dailynews.yahoo.com/h/nf/20010625/tc/11524_1.html

By Jay Lyman
www.NewsFactor.com
Monday June 25, 2001

A new computer password survey of British employees highlights what
many security experts see as an underrated threat: passwords that are
obvious to people or to "cracking" programs widely available on the
Internet.

The survey, conducted by UK domain registry CentralNic, revealed that
nearly half of the workers polled use their own name or a nickname and
a third used a favorite sports team or celebrity for their passwords.

Security experts say most employees are not aware how easy it is to
guess -- or more commonly, use a cracking tool -- to uncover passwords
and gain access to the company network.

Obvious Choices

The survey by CentralNic, the registry for the "us.com" and "eu.com"
domain names, indicated that 47 percent of respondents used their own
name or a nickname and 32 percent chose their favorite football team
or favorite celebrity, according to Joe Alagna, North American
marketing manager.

"One of the main places security can fail is the password because
people can guess them too easily," Alagna told NewsFactor Network.

Michael Sutton, senior security engineer at iDefense, said he was not
surprised to see half of respondents using their own names for
passwords.

"Sometimes it's worse," Sutton told NewsFactor. "They'll use a
one-letter password or a null password -- nothing."

Sutton, whose Fairfax, Virginia-based company assesses risks for
businesses and government agencies, said using passwords based on
personal information -- name, spouse's name, car -- leaves the codes
vulnerable to discovery by acquaintances, co-workers and all of the
people who interact with them.

Sutton said a solution might be assigned passwords, but they are often
forgotten, written down on Post-it notes at the computer or e-mailed,
making their discovery more likely.

Words Are Weak

Passwords are also vulnerable to cracking tools available on the Web
that are able to scan for any word as well as letter-numeral
combinations.

"Something that people aren't aware of is the way password crackers
work," Sutton told NewsFactor. "They run through the dictionary, so if
you pick something that's in the dictionary, it's very easy to crack.
Other password crackers systematically go through every number-letter
combination."

Sutton suggested using passwords that replace various letters with
numbers or symbols, or making up an acronym that is not a word.

"You want to end up with something as random as possible, but it still
has to be something you're going to remember," he said.

Protecting Password Files

A well-known cracking tool such as "LoftCrack" would take about 48
hours to scan the entire password file of a company, according to
Sutton.

"There are various files you do not want people to access, and one is
definitely the password file," he said. "With most operating systems,
if you want on and have access to the password file, you can get on."

Sutton said there are probably a dozen cracking programs for all major
operating systems, but some crackers are application-specific for
e-mail, word-processor documents or other software.

"So long as it's a popular application, there's a good chance that
there are a couple of password crackers for it," he said.




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.