Weak passwords really do help hackers

Posted on Monday, June 16, 2008 at 6:16 pm
This is a topic which I researched during my Bachelor of IT programme, titled “Weak passwords really do help hackers”. I find it interesting…
 
 

The What

This article summarises research into how hackers manage to break into Linux servers via weak passwords. The research was done by studying the passwords hackers used to break into these servers, and by observing what they did after gaining access and how they behaved. The result: weak passwords are guessed easily, and they make the hacker's job easier.

Over the past decade it has become common for security policies to include password management: a minimum length of 8 characters, a change of password every 3 to 6 months, and passwords that are not dictionary words and that include special characters. Why is this necessary? You will not appreciate the importance of these policies until your account's password has been compromised.
 
 

The how and why

Each rule in a password policy serves a different purpose. The longer the password, the longer it takes to crack. Special characters (e.g. !@#$%^&*) are added to the alphanumeric set to enlarge the space a brute-force attack has to cover. The usual offline attacks are cracking the MD5-based hashes stored in a Linux shadow file and rainbow-table attacks on the unsalted hashes stored in a Windows SAM.

Changing passwords periodically helps in a different way: a password may already have been compromised or obtained by some other means, and changing it denies the hacker continued use of it. Avoiding dictionary words defeats a plain dictionary attack, but brute forcing is still possible; it simply has to cover a much larger space.
 
 
Many authentication systems are based on usernames and passwords: Linux, Windows (2000 / XP / 2003), email accounts (webmail or local POP3), and websites (forums, online shops, download sites) that provide a service and require you to log in.

Although each of these systems has its own weaknesses and its own cracking methods (e.g. John the Ripper), the most common method hackers use first is simply to guess. As long as the correct password is entered, the system has no way to tell whether it is the genuine user or not. Common guesses include a password identical to the username, an empty password (“”), “password”, “root” and “admin”.
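As an added example (not code from the original post), the policy rules described at the start of this section and the list of first guesses just above can be combined into a single check, together with the keyspace calculation that explains why length and extra character classes matter. The word list, the first-guess list and the guess rate used below are constructed for the example; a real deployment would load a full dictionary and a leaked-password list.

```python
import string

# Constructed stand-ins (assumption: a real check loads a full word list and
# a leaked-password list; these few entries only make the example runnable).
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}
FIRST_GUESSES = {"", "password", "root", "admin", "123456"}  # the "first guesses" attackers try
MIN_LENGTH = 8  # the policy minimum quoted in the post

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def classes_used(password):
    """Which of the four character classes appear in the password."""
    return [cls for cls in CLASSES if any(ch in cls for ch in password)]


def check_policy(username, password):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if password in FIRST_GUESSES or password.lower() == username.lower():
        problems.append("matches a common first guess (blank, default, or the username)")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip digits/punctuation bolted onto the ends: "Password1!" is still "password".
    core = password.lower().strip(string.digits + string.punctuation)
    if core in DICTIONARY:
        problems.append("dictionary word with digits/punctuation appended")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def keyspace(password):
    """Number of candidates a brute-force attack must cover to reach this
    password: (size of the alphabet it draws from) ** length."""
    alphabet = sum(len(cls) for cls in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # 100 hosts at one guess per 5 s (the online rate the post describes) is 20/s;
    # an offline attack on a stolen hash dump runs orders of magnitude faster.
    for user, pw in [("root", ""), ("bob", "bob"), ("dave", "Password1!"), ("alice", "Tr0ub4dor&3")]:
        print(f"{user}/{pw!r}: {check_policy(user, pw) or 'OK'}; "
              f"{seconds_to_exhaust(pw, 20) / 86400:.1f} days to exhaust at 20 guesses/s")
```

The keyspace figure is a worst case for pure brute force; an attacker working from a dictionary or a list of common passwords reaches a weak password long before that, which is exactly why the dictionary and first-guess checks come before the length and class checks.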
 
 

Admin’s notes

To make matters worse, some systems have no account lockout policy, so automated scripts can keep guessing indefinitely. A Linux box running an OpenSSH server with password logins for root permitted, for example, can have its root account guessed by automated attacks. At a rate of one guess every 5 seconds from each of 100 machines guessing simultaneously, that is 20 guesses per second, or over 1.7 million guesses a day. A weak password on that Linux box will fall to this; only a strong password holds out.

Poor password management on the IT administrator's part is another cause of guessable passwords. In a Windows environment, a “default admin password” shared across machines may let hackers eventually break into the most critical systems. Compromising a single server is enough: once it is compromised, its password hashes can be cracked (in a matter of hours at current CPU speeds), and if other Windows servers use the same passwords, it defeats the purpose of setting passwords, no matter how strong or complex they are.
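The distributed guessing described here leaves a recognisable trace in the lines sshd writes to auth.log. As an added example that is not part of the original post, the script below builds a constructed log in which 20 hosts each guess root once every 5 seconds and one of them then logs in, and flags the pattern a defender should alert on: many failures against one account, many distinct sources, and a successful login after the guessing run. The hostname, addresses and timestamps are made up; the line format is the one OpenSSH's password authentication produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd lines syslog writes to /var/log/auth.log for password logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def make_sample_log(sources=20, rounds=3, interval_s=5):
    """Constructed auth.log: `sources` machines each guess root once every
    `interval_s` seconds (the pattern the post describes), then one of them
    gets in. A normal user is mixed in for contrast. Not real log data."""
    t0 = datetime(1900, 6, 16, 18, 16, 0)  # syslog has no year; 1900 is strptime's default
    fmt = lambda t: t.strftime("%b %d %H:%M:%S")
    lines, pid = [], 2231
    for r in range(rounds):
        for i in range(sources):
            t = t0 + timedelta(seconds=r * interval_s + i * interval_s / sources)
            lines.append(f"{fmt(t)} web1 sshd[{pid}]: Failed password for root "
                         f"from 10.0.0.{i + 1} port {40000 + pid} ssh2")
            pid += 1
    lines.append(f"{fmt(t0 + timedelta(seconds=9))} web1 sshd[2300]: Failed password for alice from 192.168.1.10 port 50001 ssh2")
    lines.append(f"{fmt(t0 + timedelta(seconds=15))} web1 sshd[2301]: Accepted password for alice from 192.168.1.10 port 50002 ssh2")
    lines.append(f"{fmt(t0 + timedelta(seconds=20))} web1 sshd[2302]: Accepted password for root from 10.0.0.7 port 40120 ssh2")
    return lines


def parse(lines):
    """Keep only password-auth events, with the timestamp parsed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events


def analyze(lines, min_failures=10, min_sources=5):
    """Per attacked account: failures, distinct sources, aggregate guess rate,
    and any source that logged in after the guessing had already begun."""
    acc = defaultdict(lambda: {"failures": 0, "sources": set(), "first": None, "last": None, "accepted": []})
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        rec = acc[ev["user"]]
        if ev["result"] == "Failed":
            rec["failures"] += 1
            rec["sources"].add(ev["src"])
            rec["first"] = ev["ts"] if rec["first"] is None else min(rec["first"], ev["ts"])
            rec["last"] = ev["ts"] if rec["last"] is None else max(rec["last"], ev["ts"])
        elif rec["failures"] >= min_failures:
            rec["accepted"].append(ev["src"])  # success after a guessing run: likely compromise
    findings = {}
    for user, rec in acc.items():
        if rec["failures"] < min_failures:
            continue  # a user mistyping a password once is not an attack
        span = max((rec["last"] - rec["first"]).total_seconds(), 1.0)
        findings[user] = {
            "failures": rec["failures"],
            "distinct_sources": len(rec["sources"]),
            "guesses_per_second": round(rec["failures"] / span, 2),
            "distributed": len(rec["sources"]) >= min_sources,
            "login_after_guessing_from": rec["accepted"],
        }
    return findings


if __name__ == "__main__":
    for user, finding in analyze(make_sample_log()).items():
        print(user, finding)
```

Per-source lockout or rate limiting alone does not stop this pattern, because each source stays under any per-IP threshold; the detection therefore keys on the target account and counts distinct sources, and treats a success after the run as the highest-priority finding.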
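Why one cracked server exposes the others: Windows stores the NT hash, which is MD4 over the UTF-16LE password with no salt, so the same password produces the same hash on every machine, and a single crack (or a single comparison of dumps) covers all of them. The added example below is not from the original post. It computes NT hashes with a pure-Python MD4 (hashlib's md4 is often disabled on OpenSSL 3 builds), flags hashes shared across hosts in a constructed dump, and shows a salted hash for contrast, where the same password no longer lines up across hosts. The server names and passwords are invented.

```python
import hashlib
import struct
from collections import defaultdict


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python so it works where hashlib lacks md4."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password. No salt, no iteration."""
    return _md4(password.encode("utf-16-le")).hex()


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Contrast: a salted, iterated hash. Same password, different salt, different digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def find_shared_hashes(dump):
    """dump: iterable of (host, account, hash_hex). Returns {hash: [(host, account), ...]}
    for every hash that appears on more than one host, i.e. a reused password."""
    by_hash = defaultdict(list)
    for host, account, h in dump:
        by_hash[h].append((host, account))
    return {h: owners for h, owners in by_hash.items() if len({host for host, _ in owners}) > 1}


# Constructed dump: three servers built from one image, two still sharing the
# local Administrator password and one reusing it for a service account.
# Assumption: real data would be extracted from each server's SAM hive.
SAMPLE_DUMP = [
    ("srv01", "Administrator", nt_hash("Summer2008!")),
    ("srv02", "Administrator", nt_hash("Summer2008!")),
    ("srv03", "Administrator", nt_hash("Xq7#vL2m!pR9")),
    ("srv03", "svc_backup", nt_hash("Summer2008!")),
]

if __name__ == "__main__":
    for h, owners in find_shared_hashes(SAMPLE_DUMP).items():
        print(f"hash {h} shared by: {owners}")
    print("salted, host A:", salted_hash("Summer2008!", b"salt-for-srv01")[:16], "...")
    print("salted, host B:", salted_hash("Summer2008!", b"salt-for-srv02")[:16], "...")
```

Because the NT hash is unsalted, the reuse check needs no cracking at all: equal hashes mean equal passwords, and one cracked hash (or the hash itself, where it can be replayed) opens every host in the group. With a salted scheme the same comparison finds nothing, and each host's hash has to be attacked separately.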
 
 
To conclude: weak passwords really do simplify the hacker's job. More preventive measures are needed: policies, access control and, most importantly, the practice of proper password policies.
 
 
References:

John the Ripper:
http://www.openwall.com/john/

Guessing passwords:
http://www.infosecwriters.com/text_resources/pdf/intrusion_JRiden.pdf

MD5:
http://en.wikipedia.org/wiki/MD5

Password policies:
http://en.wikipedia.org/wiki/Password_policy
http://www.sans.org/resources/policies/Password_Policy.pdf

Top 10 vulnerabilities (point 4):
http://www.zdnet.com.au/insight/soa/Top-10-Linux-Unix-vulnerabilities/0,139023731,120280495,00.htm
