
SANS Internet Storm Center (SANS ISC) InfoSec Forums

Email/password Frustration

I am going to go back to the basics here for a minute and talk about one of the most common ways someone's email account/password gets hacked. With all of the third-party hacks that have happened in recent months, it would not be impossible that the password was stolen if the same password is used for multiple applications. If you use the same password for your, let's say, Twitter account as you do for your bank account, credit card accounts, email accounts, etc., you are opening yourself up to a potential breach. Passwords should not be the same for multiple systems. Also, if the password is easily guessed, the chances are much better that you will get hacked. All they have to do is get your email address, try a few common passwords and voilà, they are in.

Old-school best practice to protect you and your personal information is to use passwords that are not easily guessed, and to use different passwords for different levels of logins. AND NEVER, NEVER use your work passwords for anything that is NOT work related.

I know it is a pain to remember different passwords but in my opinion it is essential.

Deb Hale

Deborah (ISC Handler, 278 Posts)
A while back I felt like scratching the writing itch and banged out a series of cyber security articles. One was entitled "Passwords Suck". :-) It's written more from the IT standpoint than from the end-user's perspective, so I don't go into things like using KeePass or a similar password manager tool, but if ya think it's of any value, feel free to pass it on:
https://www.minds.com/blog/view/743266789177171968?referrer=linuxgeek
Brent (109 Posts)
Thanks for the link. I will take a look at it.

OK, I took a look. Great article, I might add. Adding it to my resource bookmarks for future reference.
Deborah (ISC Handler, 278 Posts)
You can use a password generator tool, which makes a strong password that does not get easily hacked by anyone.
Anonymous
"You can use Password generator tool which makes strong password and not get easily hacked by anyone"

While it is true that this makes it a lot harder to crack the password, this isn't a silver bullet either. Don't forget that all hashes can be brute forced with enough time and GPU/CPU resources. At my day job (before we got acquired by a bigger company) I used to run a password cracker for a week or two every quarter. This was because, as you are rightly implying, users can pick a password that meets strength requirements but which is still very poor. So by running the password cracker on our own hashes, I could find these users and make them change their password immediately (and teach them about why their password sucked).

Also, one other thing that became immediately apparent was that not all hashes are created equal. We still had an old NT system lingering in the network that we (IT) were never allowed to retire or upgrade. When we took the hashes from that system and ran them through the same password cracking tool we could prove to management that even GOOD, randomly generated passwords could be cracked in mere days or weeks at most. Old crypt and LANMAN hashes have become trivial to crack with today's hardware no matter how good the password is.

In our case, we still weren't allowed to retire the system, but we were finally allowed to stick it in its own firewalled network segment, and we were eventually allowed to retire it and the application it ran.
Brent (109 Posts)
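The two points raised above, that a generated password is only half the story and that "not all hashes are created equal", can be shown in a small self-audit script. The following is an added example and is not code from the thread or from any of its posters. It generates policy-compliant passwords with Python's `secrets` module, then audits a constructed set of accounts against a constructed wordlist of passwords that satisfy a typical complexity policy yet are still guessable, once for an unsalted single-pass hash (MD5, standing in for the legacy hash formats Brent describes) and once for a salted, iterated KDF (PBKDF2-HMAC-SHA256). The user names, passwords, wordlist and the low iteration count are all assumptions made for the demo; everything else is the Python standard library.

```python
"""Added example, not part of the ISC thread: a defender-side password audit
showing (1) a policy-compliant password can still be a dictionary entry and
(2) the stored hash format decides how much each guess costs the auditor."""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
ITERATIONS = 1000  # deliberately low so the demo runs fast; production uses far more


def meets_policy(pw: str) -> bool:
    """A typical complexity rule: 10+ chars with lower, upper, digit and symbol."""
    return (
        len(pw) >= 10
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def generate_password(length: int = 16) -> str:
    """Password from the OS CSPRNG (secrets), retried until it satisfies the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


# Constructed wordlist: every entry passes meets_policy() yet follows the kind
# of guessable pattern a breach-derived wordlist contains.
WEAK_WORDLIST = ["Password1!", "Welcome123!", "Summer2016!", "Qwerty123!", "Letmein123!"]


def fast_hash(pw: str) -> str:
    """Unsalted single-pass hash: one computation per candidate covers every account."""
    return hashlib.md5(pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated KDF: each candidate costs `iterations` hash operations per account."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def audit_fast_store(store: dict, wordlist: list) -> tuple:
    """Return (user -> weak password found, hash operations spent) for an unsalted store."""
    lookup = {fast_hash(w): w for w in wordlist}  # hashed once, reused for all users
    found = {user: lookup[digest] for user, digest in store.items() if digest in lookup}
    return found, len(wordlist)


def audit_slow_store(store: dict, wordlist: list, iterations: int = ITERATIONS) -> tuple:
    """Same audit against a salted PBKDF2 store; the salt forces per-user work."""
    found, ops = {}, 0
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            ops += iterations
            if hmac.compare_digest(slow_hash(candidate, salt, iterations), digest):
                found[user] = candidate
                break
    return found, ops


def build_stores() -> tuple:
    """Constructed user base: two policy-compliant but weak passwords, one generated one."""
    plaintexts = {"alice": "Password1!", "bob": generate_password(), "carol": "Summer2016!"}
    fast_store = {u: fast_hash(p) for u, p in plaintexts.items()}
    slow_store = {}
    for u, p in plaintexts.items():
        salt = secrets.token_bytes(16)
        slow_store[u] = (salt, slow_hash(p, salt))
    return fast_store, slow_store


def run_audit() -> dict:
    """Audit both stores and report what was found and how much work it took."""
    fast_store, slow_store = build_stores()
    fast_found, fast_ops = audit_fast_store(fast_store, WEAK_WORDLIST)
    slow_found, slow_ops = audit_slow_store(slow_store, WEAK_WORDLIST)
    return {"fast_found": fast_found, "fast_ops": fast_ops,
            "slow_found": slow_found, "slow_ops": slow_ops}


if __name__ == "__main__":
    r = run_audit()
    print("unsalted MD5 store:  found", r["fast_found"], "with", r["fast_ops"], "hash ops")
    print("salted PBKDF2 store: found", r["slow_found"], "with", r["slow_ops"], "hash ops")
```

Both audits flag the same two accounts, which is the first point: complexity rules alone do not stop a predictable password. The difference is cost. The unsalted store needs one hash per wordlist entry for the whole user base, while the salted, iterated store needs `ITERATIONS` hashes per candidate per account, so the same five-word audit costs orders of magnitude more work. That gap is exactly why an old LANMAN or crypt store falls to even good passwords, and why the remedy Brent's team eventually got (isolate, then retire) matters more than the password policy.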