Thursday, August 26, 2010

What's YOUR password?

     Wikipedia may not be allowed for use as a reference, but that doesn't mean that it doesn't contain any useful information.  Consider the new post by Ron Bowes (of Nmap fame): a list of 14,488,929 (almost 14 and one half million) passwords.  Granted, there are no usernames, but usernames are much easier to obtain than passwords.  Windows presents usernames at the login prompt, and many people have their browsers configured to "auto-fill" forms with usernames.  A hacker can simply use the passwords to create a word list (or "dictionary") and apply a dictionary attack.  Many of the passwords are duplicates, some of the most popular being "123456" and "password".


     The objective of Mr. Bowes' post is to create awareness.  Some sites, such as Twitter, blacklist certain passwords which are designated as being simple to crack (common dictionary attacks use words, variations and misspellings of words, words with symbols used as replacements for similar-looking letters, words combined with numbers, and strings of numbers).  Often, several dictionaries will be used: an initial attack might consist of the 100 most common passwords, followed by the 1000 most common, followed by a dictionary containing hundreds of thousands of "words".  Mr. Bowes believes that all sites should use blacklists for passwords, ideally excluding the 1000 most commonly used.
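As an added illustration (not code from the post or from Mr. Bowes), here is a Python sketch of the tiered blacklist check described above: the candidate password is normalised the way a dictionary attack would mutate a wordlist entry (lowercased, look-alike substitutions undone, trailing digits and symbols dropped) and then compared against the "top 100" and "top 1000" tiers in order.  The tier lists and the substitution table are constructed stand-ins, not the real lists.

```python
# Constructed stand-ins for the tiered wordlists the post describes: a small
# "top 100" and a small "top 1000" (real lists would hold 100 and 1000 entries).
TOP_100 = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]
TOP_1000 = TOP_100 + ["monkey", "dragon", "baseball", "football", "sunshine"]
TIERS = [("top100", TOP_100), ("top1000", TOP_1000)]

# Look-alike substitutions that dictionary attacks try routinely, undone here
# so that "p@$$w0rd" is treated as the word "password" (constructed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
TRAILING = "0123456789!@#$%^&*()_+-=.,?"


def candidate_forms(pw):
    """Shapes a wordlist attack would derive from a user's password:
    lowercase, look-alikes undone, trailing digits/symbols dropped."""
    low = pw.lower()
    stripped = low.rstrip(TRAILING)          # "Monkey2010!" -> "monkey"
    forms = {low, low.translate(LEET), stripped, stripped.translate(LEET)}
    forms.discard("")                        # all-digit input keeps only its raw form
    return forms


def blacklist_tier(pw, tiers=TIERS):
    """Name of the smallest tier that would catch pw, or None if no tier does.
    Tiers are checked in order, mirroring the staged attack (100, then 1000)."""
    forms = candidate_forms(pw)
    for name, words in tiers:
        if forms & {w.lower() for w in words}:
            return name
    return None


def accept_password(pw, tiers=TIERS):
    """Policy decision: reject anything a tier catches, with the reason."""
    tier = blacklist_tier(pw, tiers)
    if tier is not None:
        return (False, f"too common: matches {tier} list after normalisation")
    return (True, "ok")


if __name__ == "__main__":
    for sample in ["123456", "P@55w0rd!", "Monkey2010", "Iw$@m9f4"]:
        print(sample, "->", accept_password(sample))
```

Note that "P@55w0rd!" and "Monkey2010" are rejected even though neither appears literally in a tier, which is exactly the class of "variations" the post says attackers try first.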



     How about the ethics behind Mr. Bowes' actions?  He did not steal any passwords.  Some were "sniffed" during DefCon from people connecting to public wi-fi spots (never send passwords over public networks!), and many others were collected from various sites around the internet.  Technically, he merely collected readily available data and presented it in an easy-to-use format.



     Your network is safe though, right?  If your SSID is "LinkSys***" or "2WIRE***", then probably not.  Most of the time, when people use the default SSID associated with their respective router, they have also neglected to change the default password.  WPA2 does no good if the password has not been altered from the default.  How would anyone know all of the default router passwords, you ask?  www.routerpasswords.com, of course.



     A strong password is typically composed of lowercase letters, uppercase letters, numbers, and symbols.  One method is to replace letters with similar-looking numbers and letters, but this is still vulnerable to dictionary attacks.  A more powerful method of protection is to use a mnemonic device (a rhyme or short poem) to help remember a password.  Iw$@m9f4 becomes I-went-swimming-at-my-girl-friend's-house.  Confusing?  Create one that works for you!  Never save your password when a browser or site offers to store it.  Aside from the obvious security risks associated with storing passwords, repetition in typing will help you remember your unique password (don't forget to repeat your mnemonic device in your head as you type!).  You will be surprised at how soon you will see the password and think "I went swimming at my girlfriend's house."



     So what's your password?  Let's see if I can guess...

Source: http://jaxcomputing.blogspot.com/2010/08/whats-your-password.html
