What’s In A Password?   December 15th, 2009

It’s been a while since I last posted: I caught the dreaded swine flu and have been laid up for some weeks now. Whilst I don’t think it was any worse than seasonal flu, I wouldn’t recommend it to anyone; nasty stuff.  Still, I’m back now in case you were wondering where I had gone.

Being that I haven’t done much over the past few weeks I haven’t really got much to talk about, but I thought I’d share some interesting facts I read last week in one of the journals I subscribe to.  The article centred on password security, something close to my heart as I act as sysadmin for various businesses.  It detailed some recent results from research conducted by the Microsoft Malware Protection Centre; some of them were quite shocking, considering the world we live in today and the precautions we ‘should’ be taking as sysadmins.

Microsoft essentially configured a system and invited automated attacks so that it could monitor them and better understand the methods used.  As you will see in the results, the password lengths are quite interesting, mainly because the average length in the collected data is 8 characters, and that’s very close to the length of the passwords many people use for their internet accounts.

So without further ado, here are the findings.

The survey found that the longest username used was 15 characters; the longest password was 29 characters.  The average username length found in the survey was 6 characters and the average password length was 8 characters.

Here is a top 10 list of the most common usernames used in the automated attacks; the number in brackets is the number of instances found:

  1. Administrator (136971)
  2. Administrateur (107670)
  3. admin (8043)
  4. andrew (5570)
  5. dave (4569)
  6. steve (4569)
  7. tsinternetuser (4566)
  8. tsinternetusers (4566)
  9. paul (4276)
  10. adam (3287)

And a similar list for passwords:

  1. password (1188)
  2. 123456 (1137)
  3. #!comment: (248)
  4. changeme (172)
  5. F**kyou [edited] (170)
  6. abc123 (155)
  7. peter (154)
  8. Michael (152)
  9. andrew (151)
  10. matthew (151)

So what does all this mean?  Most importantly, it says that as sysadmins we should all have strict password policies in place, and users should take good care over which usernames and passwords they choose.  If the account has no limit on the number of login attempts (if not, why not?), then knowing the username gives the attacker a significant head start in breaching your system.  It’s amazing how many systems I have come across that still use ‘administrator’ as a username; looking at the top 10 list of usernames used in automated attacks, I’m amazed that sysadmins do nothing about this obvious flaw in their design.  I can’t stress it enough: username and password combinations should not be chosen lightly.

Usually when an end-user chooses a password, they choose something that is either easy to remember or easy to type, but we must all remember that, for now at least, those same passwords are also commonly used for authentication on the internet, so they really do need to be strong.

The basic things to remember when creating a strong password are the following:

  • Use a combination of letters, numbers and special characters.  Also, remember that some cracking dictionaries have an ‘l33t’ mode, which applies the common letter-to-number and letter-to-special-character substitutions (such as a→@, l→1, o→0 and s→$, turning password into p@$$w0rd).  Such substitutions must therefore be mixed in different, unpredictable ways.
  • Use a combination of lower and upper case letters.
  • Make it lengthy.  A longer password does not necessarily mean it will be stronger but it will help in a lot of cases.
  • Random rules!
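As an added example (not the article’s own code), here is a small Python policy check that applies the points above: it reverses common l33t substitutions before comparing a candidate against the top-10 lists quoted earlier, so p@$$w0rd is caught as a dressed-up ‘password’. The substitution table and the 12-character minimum are my assumptions, not values from the article.

```python
import string

# Top-10 passwords and usernames from the honeypot figures quoted above
# (the vulgar entry is left out). A real policy would use a far larger list.
COMMON_PASSWORDS = {"password", "123456", "#!comment:", "changeme", "abc123",
                    "peter", "michael", "andrew", "matthew"}
COMMON_USERNAMES = {"administrator", "administrateur", "admin", "andrew", "dave",
                    "steve", "tsinternetuser", "tsinternetusers", "paul", "adam"}

# Substitutions a cracking dictionary's "l33t" mode tries. Undoing them turns
# p@$$w0rd back into "password". This table is an assumption, not from the article.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "l", "!": "i", "3": "e", "7": "t"})

MIN_LENGTH = 12  # assumed policy value; the article only says "make it lengthy"

def normalize_leet(password: str) -> str:
    """Fold case and reverse the common character substitutions."""
    return password.lower().translate(LEET_MAP)

def check_username(username: str) -> list[str]:
    """Flag account names that automated attacks guess first."""
    if username.lower() in COMMON_USERNAMES:
        return ["username is on the list of names automated attacks try first"]
    return []

def check_password(password: str, username: str = "") -> list[str]:
    """Return policy failures; an empty list means the password passed."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        failures.append("uses fewer than three of: lower, upper, digit, special")
    # Compare both the literal password and its de-l33ted form against the list,
    # since "abc123" is common as typed while "p@$$w0rd" is common once undone.
    candidates = {password.lower(), normalize_leet(password)}
    if candidates & COMMON_PASSWORDS:
        failures.append("is a common password (directly or after undoing l33t substitutions)")
    if username and any(username.lower() in c for c in candidates):
        failures.append("contains the username")
    return failures

if __name__ == "__main__":
    for user, pw in [("administrator", "p@$$w0rd"), ("dave", "Dave!Dave!Dave!2009"),
                     ("ops-svc", "Correct-Horse-Battery-Staple-2009")]:
        print(user, pw, check_username(user) + check_password(pw, user) or "OK")
```

Note that a single digit can stand for more than one letter (1 for both i and l), so a production check would try every expansion rather than the one-to-one table used here.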

A good friend of mine has developed a simple password generating engine which is available freely by visiting http://www.random-password.net.  To check if your passwords are strong, Microsoft has a password checker which is available here.

The moral of the story is to choose the password policy wisely.  Act now; tomorrow may be too late.  I can’t stress the importance of password policies enough, and I suggest all sysadmins who may stumble across this post revisit theirs as a priority.