Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file.
"Just about every company that we have gone into, even large multinationals, has a high percentage of accounts with easily (cracked) passwords," said Greg Shipley, director of consulting for Neohapsis. "We have yet to see a company whose employees don't pick bad passwords."
Fortune 100 corporations, small firms and even Internet service providers with strong security have an Achilles heel: users who pick easily guessable passwords. Some choose words straight out of Webster's dictionary, others use a pet's name, and still more choose the name of a secret lover. Many who think themselves tricky append a digit or two on the end of their chosen word. Such feeble attempts at deception are no match for today's computers, which are capable of trying millions of word variations per second and often can guess a good number of passwords in less than a minute.
Treasure trove of magic words
For network intruders, that's a gold mine. Bad passwords don't necessarily make it easier to break into a company's network, but for hackers able to gain access to a corporate computer by other means, they're a treasure trove. Passwords discovered on one server will frequently open the way to other servers, and with the digital keys to a large fraction of the accounts on the network, an intruder can wander about with impunity and with the appearance of being a legitimate user.
That's why network attackers grab passwords as soon as they can. Some viruses and worms send an infected computer's password file back to the creator. This week, a worm known as DoubleTap is doing just that, squirming its way into computers with Microsoft's SQL Server 7.0 installed. The 1i0n worm, which spread among Linux servers in early 2001, grabbed password files, and the SirCam virus, in some cases, could send off the system's passwords as well.
Even the most paranoid security group and high-tech digital fences can't do much if the CEO secures his critical files with "god123." Worse, most companies and organizations still rely on a password--and nothing else--to authenticate their employees.
In security circles, experts have been studying the problem for decades.
In the pre-Internet Age of 1979, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that a third of users' passwords could be broken in less than five minutes.
A search to find an eight-character password of random letters and digits would take 66 years on average for the big gun of the day, the PDP-11/70, which could crunch through nearly 50,000 combinations a minute in a brute-force search.
Yet the study found that users almost invariably chose bad passwords, leading to shortcuts for anyone attacking the security of the system.
Of nearly 3,300 passwords examined, the paper's authors, Ken Thompson and Robert Morris Sr., found about 17 percent consisted of three characters or less, nearly 15 percent had four characters that were a letter or a digit, and another 15 percent appeared in one of the dictionaries available at the time. In total, nearly half the passwords could be found in a search lasting less than six hours.
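The weak-password categories described above (very short passwords, four-character alphanumerics, dictionary words, and a word with a digit or two appended) can be turned into a simple audit. The following is an added example, not code from the article or from Neohapsis; it uses a tiny constructed word list in place of a real dictionary and a constructed sample of passwords, and the trailing-digits check is a small generalization of the article's "a digit or two". A real audit would use a full word list and a cracker such as John the Ripper against the password file, but the classification below is the kind of check a defender can run at password-set time, before a hash is ever stored.

```python
"""Classify plaintext passwords into the weak categories the article describes.

Added example with constructed data; not the article's own method or tooling.
"""
import re
from collections import Counter

# Constructed stand-in for a real word list (the article mentions Webster's).
DICTIONARY = {"password", "secret", "welcome", "summer", "dragon", "monkey", "god", "rover"}

# A word followed by one or more digits, e.g. "god123" or "rover1".
# The article talks about "a digit or two"; allowing any run of digits is a
# deliberate, slightly broader check.
WORD_PLUS_DIGITS = re.compile(r"([a-z]+)(\d+)")


def classify(password: str, dictionary=DICTIONARY) -> str:
    """Return the first weak category the password falls into, or a neutral label."""
    pw = password.lower()
    if len(pw) <= 3:
        return "three chars or fewer"
    if len(pw) == 4 and pw.isalnum():
        return "four alphanumeric chars"
    if pw in dictionary:
        return "dictionary word"
    m = WORD_PLUS_DIGITS.fullmatch(pw)
    if m and m.group(1) in dictionary:
        return "dictionary word plus digits"
    return "not obviously weak"


def audit(passwords, dictionary=DICTIONARY) -> dict:
    """Summarize how many passwords fall into each weak category."""
    counts = Counter(classify(p, dictionary) for p in passwords)
    total = len(passwords)
    weak = total - counts["not obviously weak"]
    return {
        "total": total,
        "weak": weak,
        "weak_pct": round(100.0 * weak / total, 1) if total else 0.0,
        "by_category": dict(counts),
    }


# Constructed sample; "god123" is the article's own example of a bad password.
SAMPLE = ["abc", "god123", "rover1", "Dragon", "Kp9#vL2q!w", "x9z2", "summer02", "q7&Mz!4pRs"]

if __name__ == "__main__":
    for cat, n in sorted(audit(SAMPLE)["by_category"].items()):
        print(f"{n:3d}  {cat}")
```

Six of the eight constructed passwords land in a weak category, which is the shape of result the article reports from real audits: the weak passwords are not exotic, they are short, dictionary words, or a word with digits tacked on.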
Make no mistake: An eight-character password could be very secure, even if attacked by today's high-speed computers.
There are more than 6.6 quadrillion different eight-character passwords using the 95 printable ASCII characters. Though some password-cracking programs can test nearly 8 million combinations every second on the latest Pentium 4 processor, breaking an eight-character password would still take more than 13 years on average.
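The arithmetic behind the figures above is keyspace divided by guess rate, with an average search covering half the keyspace. The following added example (not code from the article) reproduces the 95-character, eight-character, 8 million guesses per second case and adds the defender's inverse question: how long a password must be to resist a given guess rate for a given number of years. The 1979 figure depends on which alphabet and exact rate are assumed; with 36 lowercase letters and digits at 50,000 guesses per minute the estimator gives roughly 54 years on average, in the same range as the article's 66 years. The guess rates passed to the functions are parameters, not claims about any particular hardware.

```python
"""Brute-force search-time estimator. Added example, not the article's own code."""
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Printable ASCII: letters, digits, punctuation and the space character (95 total).
PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation + " ")
LOWER_AND_DIGITS = len(string.ascii_lowercase + string.digits)  # 36


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_crack(alphabet_size: int, length: int, guesses_per_second: float,
                   average: bool = True) -> float:
    """Years to exhaust (or, on average, to hit) the keyspace at the given rate."""
    guesses = keyspace(alphabet_size, length)
    if average:
        guesses /= 2  # on average the right password is found halfway through
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(alphabet_size: int, guesses_per_second: float,
                   target_years: float, max_length: int = 64) -> int:
    """Smallest length whose average crack time meets or exceeds target_years."""
    for length in range(1, max_length + 1):
        if years_to_crack(alphabet_size, length, guesses_per_second) >= target_years:
            return length
    raise ValueError("no length up to max_length meets the target")


if __name__ == "__main__":
    # The article's 2002 case: 95 printable characters, 8 long, ~8 million guesses/s.
    print(f"keyspace: {keyspace(PRINTABLE_ASCII, 8):,}")
    print(f"average years at 8M/s: {years_to_crack(PRINTABLE_ASCII, 8, 8e6):.1f}")
    # Assumed reading of the 1979 case: 36-character alphabet, 50,000 guesses/minute.
    print(f"average years on PDP-11/70: {years_to_crack(LOWER_AND_DIGITS, 8, 50_000 / 60):.1f}")
    # Defender's view: length needed to hold 10 years against an assumed 1e12 guesses/s.
    print(f"length needed at 1e12/s for 10 years: {min_length_for(PRINTABLE_ASCII, 1e12, 10)}")
```

The estimator only describes a true brute-force search over random passwords. It says nothing about the dictionary and pattern shortcuts the article describes, which is exactly why a human-chosen eight-character password rarely gets the 13 years the arithmetic promises.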
In fact, operating systems have evolved in the past two decades to increase the security surrounding passwords. At one time, anyone could read the password file--the collection of encrypted keys for the system's software locks--making it easy for a hacker to copy the file for later cracking on their own computer system.
Now, operating systems typically allow only system administrators access to read the encrypted passwords, forcing hackers to get administrator rights on the system before they can grab the file. In addition, "three strikes" login rules have become common, locking out users who fail to provide the correct passwords in the first few attempts.