6. Flex test your passwords
Posted on 12 May 2008 at 15:06
Passwords remain one of the weakest links in the security chain simply because so many people overestimate the strength of their passwords and underestimate how easily they can be discovered. The notorious hacker collective known as the Cult of the Dead Cow recently released a tool called Goolag (www.goolag.org) that makes it easy to turn Google into a password-cracking engine.
Indeed, even without Goolag, it's possible to reveal a list of usernames and passwords for websites created using Microsoft's FrontPage, where the password files have been left readable, simply by searching for "inurl:service.pwd". Try it - if that doesn't make you take your password security more seriously then you really do need a good slap.
As Tony Fogerty reminds us, "there are lots of password-cracking tools such as Cain & Abel, L0phtCrack, John the Ripper and Hydra" and you can use these against your own system to see how strong your choices really are. Better still, take the advice of Ken Munro, managing director at penetration testing consultancy SecureTest, who warns that people are fooled into thinking that passwords formed by the substitution of numbers for letters are "more secure" but these are actually "no match for a hybrid attack, where both dictionary and brute force attacks are combined". Make passwords as long as possible to make such attacks more difficult.
Munro also suggests that businesses which force employees to change their passwords every 30 days are actually just forcing them into writing them down and making them more vulnerable to discovery. "It's far better to adopt a strong, memorable password and change this less frequently than plump for a random, hard-to-remember password that's changed every month," he says, adding "corporates should record attempts to log into systems, whether the attempts are over the internet, or against the internal network. By logging failed attempts and setting alarms for more than, say, ten attempts, it's possible to detect automated attacks such as a brute force."
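Munro's logging advice turned into a worked detection, as an added example that is not from the article: count failed logins per source address over a sliding window and raise an alarm once they exceed ten. The OpenSSH-style syslog format, the hostname, the usernames and the addresses are all assumed and constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH-style "Failed password" syslog lines; hostname and pid fields are assumed.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def make_line(ts, user, ip, msg="Failed password"):
    """Build one constructed log line in the format FAILED_RE expects."""
    return f"{ts:%b %d %H:%M:%S} web1 sshd[4242]: {msg} for {user} from {ip} port 51234 ssh2"

# Constructed sample log: one source hammering root every 2 s, one user mistyping twice, far apart.
BASE = datetime(2008, 5, 12, 15, 6, 0)
_events = [(2 * i, "root", "203.0.113.7") for i in range(12)]
_events += [(5, "alice", "198.51.100.4"), (400, "alice", "198.51.100.4")]
SAMPLE_LOG = "\n".join(make_line(BASE + timedelta(seconds=s), u, ip) for s, u, ip in sorted(_events))
# A successful login must not count as a failure, so the parser has to ignore this line.
SAMPLE_LOG += "\n" + make_line(BASE + timedelta(seconds=30), "alice", "198.51.100.4", "Accepted password")

def parse_failures(log_text, year=2008):
    """Yield (timestamp, user, source_ip) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=10, window_seconds=60):
    """Return {source_ip: (failures_in_window, first_ts, alarm_ts)} for every source whose
    failed logins inside a sliding window exceed `threshold`; one alarm per source."""
    recent = defaultdict(deque)   # source_ip -> timestamps still inside the window
    alarms = {}
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop entries older than the window
            q.popleft()
        if len(q) > threshold and ip not in alarms:
            alarms[ip] = (len(q), q[0], ts)
    return alarms

if __name__ == "__main__":
    for ip, (n, first, when) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALARM {ip}: {n} failed logins since {first:%H:%M:%S}, raised at {when:%H:%M:%S}")
```

The same logic keyed on the username instead of the source address catches a slow attack spread across many addresses against one account.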
Finally, take the advice of John Safa, CTO for security specialists DriveSentry, who recommends testing your password at SecurityStats (securitystats.com/tools/password.php) to reveal its complexity against a set of general best-practice guidelines. For good measure, your password will also be checked against a hacking dictionary containing commonly used passwords and keystroke combinations.
Author: Davey Winder