PCPro-Computing in the Real World Printed from www.pcpro.co.uk

6. Flex test your passwords

Posted on 12 May 2008 at 15:06

Passwords remain one of the weakest links in the security chain simply because so many people overestimate the strength of their passwords and underestimate how easily they can be discovered. The notorious hacker collective known as the Cult of the Dead Cow recently released a tool called Goolag (www.goolag.org) that makes it easy to turn Google into a password-cracking engine.

Indeed, even without Goolag, it's possible to reveal a list of usernames and passwords for websites created using Microsoft's FrontPage, where the password files have been left readable, simply by searching for "inurl:service.pwd". Try it - if that doesn't make you take your password security more seriously then you really do need a good slap.

As Tony Fogerty reminds us, "there are lots of password-cracking tools such as Cain & Abel, L0phtCrack, John the Ripper and Hydra" and you can use these against your own system to see how strong your choices really are. Better still, take the advice of Ken Munro, managing director at penetration testing consultancy SecureTest, who warns that people are fooled into thinking that passwords formed by the substitution of numbers for letters are "more secure" but these are actually "no match for a hybrid attack, where both dictionary and brute force attacks are combined". Make passwords as long as possible to make such attacks more difficult.

Munro also suggests that businesses that force employees to change their passwords every 30 days are actually just forcing them into writing them down and making them more vulnerable to discovery. "It's far better to adopt a strong, memorable password and change this less frequently than plump for a random, hard-to-remember password that's changed every month," he says, adding "corporates should record attempts to log into systems, whether the attempts are over the internet, or against the internal network. By logging failed attempts and setting alarms for more than, say, ten attempts, it's possible to detect automated attacks such as a brute force."
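Munro's "log failures and alarm above ten attempts" advice is easy to turn into a small detector. The following is an added example, not code from the article or from SecureTest: it parses constructed sshd-style log lines (the format, host name and addresses are all made up for the example) and raises an alert for any source that produces more than a threshold of failed logins inside a sliding time window. Using a window rather than a lifetime count is what separates a tool hammering an account from a person who mistypes a few times over an afternoon.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not real logs). One source fails twelve times in
# about half a minute; a second source fails three times over an hour with a
# successful login in between, which looks like a person mistyping, not a tool.
SAMPLE_LOG = [
    f"May 12 15:06:{sec:02d} gateway sshd[1001]: Failed password for invalid user admin "
    f"from 198.51.100.7 port {51000 + sec} ssh2"
    for sec in range(0, 36, 3)
] + [
    "May 12 15:10:00 gateway sshd[1020]: Failed password for alice from 203.0.113.5 port 40001 ssh2",
    "May 12 15:40:00 gateway sshd[1021]: Failed password for alice from 203.0.113.5 port 40002 ssh2",
    "May 12 15:41:00 gateway sshd[1022]: Accepted password for alice from 203.0.113.5 port 40003 ssh2",
    "May 12 16:05:00 gateway sshd[1023]: Failed password for alice from 203.0.113.5 port 40004 ssh2",
]

# Matches the assumed "Failed password for [invalid user] USER from SRC port ..." shape.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(lines):
    """Yield (timestamp, user, source) for each failed login; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; that is fine for relative windows.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Alert on any source with more than `threshold` failures inside a sliding window.

    Lines are assumed to be in chronological order, as a log file normally is.
    Returns {source: {"first": ts, "last": ts, "failures": n}} for sources that trip.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts = {}
    for ts, _user, src in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = {"first": q[0], "last": ts, "failures": len(q)}
    return alerts


def failures_per_user(lines):
    """Lifetime failed-login count per account, useful for spotting a targeted account."""
    counts = defaultdict(int)
    for _ts, user, _src in parse_failures(lines):
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['failures']} failures between "
              f"{info['first'].time()} and {info['last'].time()}")
    print(failures_per_user(SAMPLE_LOG))
```

Run as-is it alerts on 198.51.100.7 (eleven failures inside sixty seconds trips the "more than ten" rule) and stays quiet about 203.0.113.5, whose three failures are spread over an hour; lowering the threshold without widening the window still does not flag the second source, which is the point of counting within a window.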

Finally, take the advice of John Safa, CTO for security specialists DriveSentry, who recommends testing your password at SecurityStats (securitystats.com/tools/password.php) to reveal its complexity against a set of general best-practice guidelines. For good measure, your password will also be checked against a hacking dictionary containing commonly used passwords and keystroke combinations.
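To show what a checker of the kind Safa describes actually tests for, here is an added example written for this page; it is not the SecurityStats tool, nor code from DriveSentry, and its word list, keyboard runs and substitution table are small constructed stand-ins for the much larger lists a real checker uses. It also demonstrates Munro's point from the previous section: before looking a password up, it undoes the letter-for-number substitutions, so "P@ssw0rd1!" is judged as the word "password" rather than as ten characters of mixed symbols.

```python
import itertools
import math
import string

# Constructed toy word list and keyboard runs; a real checker uses far larger lists.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                    "football", "sunshine", "princess"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "1qaz2wsx")

# Substitutions a hybrid attack undoes; "1" may stand for either "i" or "l".
# This table is an assumption for the example, not a published standard.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l"}
MAX_VARIANTS = 256  # cap on substitution combinations tried per password


def candidates(password):
    """Yield the plain words a password might be hiding: lower-case it, drop leading and
    trailing digits/punctuation, then try every way of undoing the substitutions."""
    core = password.lower().strip(string.digits + string.punctuation)
    pools = [list(LEET.get(ch, ch)) for ch in core]
    for combo in itertools.islice(itertools.product(*pools), MAX_VARIANTS):
        yield "".join(combo)


def dictionary_hit(password):
    """Return the common word or keystroke run the password reduces to, or None."""
    low = password.lower()
    for run in KEYBOARD_RUNS:
        if run in low:
            return run
    for cand in candidates(password):
        if cand in COMMON_PASSWORDS:
            return cand
    return None


def character_classes(password):
    """List the (name, alphabet size) of each character class present."""
    present = []
    if any(c.islower() for c in password):
        present.append(("lower", 26))
    if any(c.isupper() for c in password):
        present.append(("upper", 26))
    if any(c.isdigit() for c in password):
        present.append(("digit", 10))
    if any(not c.isalnum() for c in password):
        present.append(("other", 33))  # printable punctuation plus space
    return present


def assess(password, min_length=12):
    """Score a password against length, character-class and dictionary checks.

    entropy_bits is the brute-force keyspace estimate len * log2(alphabet); it is an
    upper bound and is meaningless once a dictionary hit shows the password is a word.
    """
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < 2:
        issues.append("uses a single character class")
    hit = dictionary_hit(password)
    if hit:
        issues.append(f"matches common word or keystroke run '{hit}' once substitutions are undone")
    alphabet = sum(size for _, size in classes)
    bits = round(len(password) * math.log2(alphabet), 1) if alphabet else 0.0
    return {"entropy_bits": bits, "issues": issues,
            "verdict": "weak" if issues else "acceptable"}


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Footb4ll!!2008", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, assess(pw))
```

The second sample, "Footb4ll!!2008", passes the length and character-class rules a naive meter would apply and would score over 90 bits by the keyspace estimate, yet it is rejected because it reduces to "football"; the long all-lower-case passphrase passes every check, which is the "make passwords as long as possible" advice in practice.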

Hack it yourself

Author: Davey Winder
