Hacker scenario: passwords the weakest link

SUMMARY: Ed Wilson talks about the weakness of passwords.

We have all seen it in movies – the hacker thinks for a minute, types in G-O-D and voila, he is into the system. Well, in real life, this probably wouldn’t fly anymore. Why? Most systems have what is called a complexity filter. The password usually must combine capital letters, lower case letters, and at least a number or a symbol. Oh, yeah, they also usually have a minimum length. So, in real life, the password might be G0d12! OK, so that meets the complexity requirements. But is it a good password? Probably not.

Password complexity rules.

For one thing, hackers know more about password complexity requirements than you do. They also know that most systems require that passwords be changed every 30 to 45 days. They also know that everyone has lots of passwords to remember, and so to make things easy people use the same password for their email, their bank, their stock service, Facebook, Twitter, LinkedIn and their network access at work and at school, and for anything else I happen to have forgotten. So, the G0d12! password would probably be used in December, and in January it would be G0d01! The user might be able to get away with this, depending on how many previous passwords the system remembers. That means every January it could be G0d01! and every December it could be G0d12!, as long as the system does not remember more than a dozen previous passwords.

Common substitution algorithms include the following:

  • @ for A
  • 0 for o
  • 1 for l
  • 2 for z
  • 3 for E
  • 5 for G
  • 7 for T
  • 9 for P
  • Z for S
  • Ph for F

Now, what are the common sources of passwords?

  • Significant other first name or middle name
  • Children first name or middle name
  • Street names
  • Mythical heroes (such as the names of Ninja Turtles, superheroes, or true mythical heroes such as Z3us and Apo11o, things like this)
  • Literary characters (such as Tiny7im, TomSawy3r)

Pass numbers for bank machines are often social security numbers, street addresses, or birthdays.
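As an added example (not from the original post), the following Python check does what an auditor would do with the two lists above: it undoes the substitution table before comparing a candidate against a small constructed list of the "source" words the post describes, and it flags the month-style digit suffix behind the G0d12! / G0d01! cycling. The WEAK_BASES list and the MONTH_SUFFIX heuristic are assumptions for illustration; a real check would load a full wordlist plus the organisation's own names and street names.

```python
import re
from typing import Optional

# Substitution table from the post, inverted: the symbol a user types
# -> the letter it stands in for. "Ph" for F is handled as a two-char case.
LEET_MAP = {"@": "a", "0": "o", "1": "l", "2": "z", "3": "e",
            "5": "g", "7": "t", "9": "p", "z": "s"}

# Constructed sample of the password "sources" the post lists (names,
# street names, heroes, literary characters). Assumed for illustration.
WEAK_BASES = ["god", "zeus", "apollo", "tinytim", "tomsawyer",
              "ann", "jones", "mainstreet", "superman"]

# Leading/trailing digits and symbols (the "12!" in G0d12!).
AFFIX = re.compile(r"^[\d\W_]+|[\d\W_]+$")
# Heuristic (assumption): a 01-12 number at the end looks like a month.
MONTH_SUFFIX = re.compile(r"(0[1-9]|1[0-2])\W*$")


def canonical(word: str) -> str:
    """Map a word to a leet-insensitive form. Applied to BOTH the candidate
    and the wordlist, so an ambiguous substitution such as z->s still
    collides: canonical("Z3us") == canonical("zeus") == "seus"."""
    s = word.lower().replace("ph", "f")
    return "".join(LEET_MAP.get(ch, ch) for ch in s)


# canonical form -> original base word, built once from the wordlist
CANON_BASES = {canonical(w): w for w in WEAK_BASES}


def weak_password_reason(password: str) -> Optional[str]:
    """Return why a password is weak in the sense of the post, or None."""
    core = AFFIX.sub("", password)          # strip padding first, then de-leet
    base = CANON_BASES.get(canonical(core))
    if base is None:
        return None
    if core == password:
        return f"leet-substituted '{base}'"
    if MONTH_SUFFIX.search(password):
        return f"leet-substituted '{base}' with a month-style suffix"
    return f"leet-substituted '{base}' plus digit/symbol padding"


if __name__ == "__main__":
    for pw in ["G0d12!", "Z3us", "Apo11o", "Tiny7im2024", "correct horse battery staple"]:
        print(f"{pw!r}: {weak_password_reason(pw)}")
```

Because both sides are canonicalised, the check catches spellings the substitution table makes ambiguous without enumerating every variant.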

How does the hacker find the user name?

Well, user names are pretty easy. Usually they are a combination of first name and last name. Here are some common combinations:

  • First and last name: such as AnnJones
  • First initial and last name: such as AJones
  • First name and first three letters of last name: such as AnnJon

In many companies the user name is also the email address, so all a hacker needs is an email address, and boom, they have half of the login equation. If the password is a weak one such as those indicated above, then the hacker is in. If the account is one with administrator rights, then it is game over.
