MS honeypot research sheds light on brute-force hacks Microsoft's honeypot-based research has highlighted common password mistakes, as well as shedding light on automated hacking techniques. Attack data collected from an FTP-server honeypot revealed that most attacks attempted to log into administrator accounts (Administrator and the French equivalent Administrateur were by far …
Obviously many attackers are using a well known password.lst file as the basis of their attacks.
This file starts:
#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: http://www.openwall.com/wordlists/
#!comment:
#!comment: This is a list of passwords most commonly seen on a set of Unix
#!comment: systems in mid-1990's, sorted for decreasing number of occurrences
#!comment: (that is, more common passwords are listed first).
#!comment:
#!comment: Last update: 2005/12/16 (3107 entries)
or similar, then has a list of passwords.
So I think that there may be a certain amount of "parsing fail" on the part of the attackers, they're treating the comment lines at the top of the file as entries and using them as the basis for break-in attempts in addition to the proper entries in the file.
"A password-checking tool developed by Microsoft (here) allows users to check on the strength of the passwords they pick"
Try as I might, I could not bring myself to type a real password into the box. The more I thought about it, the more it felt like some kind of gullibility test.
'Microsoft found that 90% of users entered a valid password on their password checking page without even attempting to negotiate some sort of chocolate reward. "What a bunch of numpties" commented a despairing Bill Gates.'
It took them 1 year to come to this? I have some very innocent server sitting at home and can get to those conclusions in a week. Actually not anymore as fail2ban is doing very good job nowadays ;)
Have a server online - have tons of attacks. Simple as that. Strong passwords should be a norm, unless you're US Military and want to invite some UFO seeking guys ;) Banning users after few unsuccessful attack also. Port stealthing, and so on. Any admin worth their pay knows this. Sadly not many MCSEs... (yeah, I'm one, still prefer Linux)
#!/usr/bin/perl
# Read number of characters to output from command line
$num = $ARGV[0]*1;
@chars = qw(0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z);
# We select chars from "@chars", thus one selection corresponds to:
{
my $bits = log(@chars)/log(2)*$num;
my $byte = $bits/8;
print "Outputting $num chars, which corresponds to $byte byte\n";
}
# Open /dev/random and read stuff
open(RAND,"</dev/random") or die "Could not open /dev/random for reading: $!";
$max = @chars;
{
use bytes;
for ($i=0;$i<$num;) {
my $read = sysread(RAND,$raw,1);
if ($read != 1) {
die "Got stop\n"
}
else {
$x = ord($raw);
if (0<=$x && $x<$max) {
print "$chars[$x]";
$i++;
}
}
}
}
print "\n";
Or: perl -we 'open(D,"<:raw", "/dev/urandom"); foreach (1..8) { do { read(D, $c, 1); } until ($c =~ /[a-z0-9]/i); print $c; } print "\n";'
Generally you're better off using /dev/urandom than /dev/random: it's not genuinely random, but it's cryptographically as strong as lots of other maths you already depend on, and it won't block.
By the way, is there any point to this advice about mixing upper and lower case? Even if you use a totally random mixture of cases in an 8-character password you've added less entropy then you'd get by adding a couple of random extra letters, but the extra letters would be easier to remember and easier to type. So perhaps, if you're using a randomly generated password, you should use just lower-case letters and make the password a bit longer, say 11 characters instead of 8.
I generated a bunch of random decimal numbers of lengths from 200 to 3600 digits, and asked it what it thought of them. It rated them all as 'weak'.
If microsoft believe a 3600-digit decimal number is easily guessable, that could explain why we have to buy new bloody computers every ten bleeding minutes to keep up with the exponentially-growing amount of crappy bloatware in their products. I can imagine the reasoning on their dev teams:
"Include a pre-startup process that solves the halting problem? Sure, why not, the suckers will just think it's time they got a faster cpu yet again. We'll slap a sticker on it and call it 'NP-ready' or something - leave marketing to worry about the details."
Many organisations almost insist on weak passwords: by irrational devotion to password expiry, which has to be one of the most overrated security policies. The more important you are 'technically', the more passwords you have to remember. And quite often the IT support services will give the same person the same username on different environments, meaning that using similar passwords is more risky. Add a frequent expiry policy and you have a recipe for disaster: either passwords get too simple, or they get stored.
Can we have a campaign to bury password expiry please?
Equally as awful is an overly descriptive password policy coupled to this.
One I saw stated that your pwd had to be at least eight chars including both upper and lower case and at least one number.
I pointed out that my guess, as it was a mixed "green screen" UNIX and PC environment, would be that 99% of them would be a dictionary word of seven letters with the first capitalised and either a "1" or a "0" on the end. The number of red faces amongst the sekkuritty dweebs round the table when I came up with that statement was very scary indeed.
Personally, I take advantage of my admin rights to reset my passwords to the same thing before they expire -- then think of a better password at my own leisure.
I take issue with the "you must never make a note of your password" type "rules" -- it's perfectly OK to make a note of passwords -- just guard them the same way you would your credit card, cheque book, or keys.
Personally, I make a note of my (non-banking) passwords and store it in my wallet (without usernames or any explanation of what they are) -- that way if my wallet goes missing I can just reset my passwords while I'm on the phone to the credit card company.
I work for a global multi mega corp over here in the UK and recently the Password policy for the intranet was beefed up (we still use IE6 on XP!) so I tried to set my new password to something along the lines of this:
six letter word spelled backwards _ number number
OK, so it wouldnt accept that regDab_36 was a strong enough password so I tried several other six and even seven letter words, varied the upper and lower case, special characters and numbers and I couldnt get anything to work. I then tried Pa$$word for a laugh................
Now when this got accepted (with a "Strong" in the password strength display) I couldnt beleive it so I actually contacted the Intranet security team and told them. Their response? Because the dictionary word was broken in the middle with special characters it was essentially a strong password. I asked them if they read any articles on hacking because I beleived that Password and variants (pa$$word, p@ssword, pas$w0rd) etc would be up in maybe the top 10 to 20 things to try but they told me that no, my password was good and secure!
I have to change it again this month, I wonder if I could use Pa££word for the next three months?
Anon because I dont want any crims breaking into my company intranet!
So let me get this straight -- Microsoft, in an effort to make my passwords more secure, is offering a tool for testing candidate passwords that is basically A WEB PAGE??? This is a Very Bad Idea for so many reasons, it's impossible to list them all. Just a few that occur to my paranoid brain right away:
1) Does the tool send my password over the 'Net to check it? Is it even encrypted? (The site isn't even https://...) What IS the tool, really? Can we audit its source? Can we trust it?
2) How do I know WHAT they're doing with my proposed passwords? If they store them, even anonymized for statistical purposes, their tools site (hosted, no doubt, on Windows, the world's most secure OS <snort>) just became Cracker Target Number One, as a gold mine of new dictionary entries for attack tools. (Hey, mebbe that's why MS built it to start with, to generate new strength-testing dictionaries.)
3) Let's say some evil genius manages to crack their server and edits the tool to report who has tested what passwords. We'll never know until/unless someone gets pwned because of this, traces it to the altered tool, and does a forensic analysis of the tool itself. In other words, we'd probably never find out.
Yep, sounds like a really good idea to me. I can't wait to test ALL my passwords with it. NOT!
It clearly says on that page that it send your password over the internet. It's just a JavaScript app, you can read the whole thing here if you like:
https://www.microsoft.com/protect/assets/scripts/passwdcheck.js
I was surprised to see it does actually have a small dictionary built in, because it seemed like it was going by character composition almost exclusively.
I've just followed the create a strong password link on the MS page and about two thirds of the way down it states
-----
Avoid using only look-alike substitutions of numbers or symbols
Criminals will not be fooled by common look-alike replacements, such as to replace an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd".
-----
Both of which are rated as strong by their password checker.
maybe you want to find what a honeypot is.
It's desgined to attract compromised pc's. A/V vendors use them, Anti-malware vendors uses them, MS uses them, and I really hope Linux teams use them.....you'll find Linux based sites are equally attacked by Windows pc's.
Now go back to sleep....
This post has been deleted by its author
The fundamental problem is that the people defining "password strength" [1] can't do arithmetic and [2] are stuck in the past. They don't understand what contribution symbol space and field size actually make to the equation so they just go for what "looks complicated", and their assumptions about brute forcing are based on decades-old histories of offline cracking of UNIX password files, which is not the main current threat.
The two greatest single strength factors against brute force at a user interface are limited retries and backoff time. After that, non-obvious password choice (e.g. not "password"). I always recommend an acronym of a private but memorable phrase at least eight words long. The user doesn't have to remember a complex string of arbitrary characters (something our brains are generally bad at). Instead she remembers the phrase (something our brains are quite good at) and reconstructs the password each time she needs it by repeating the phrase to herself as she enters the password.
Assuming nothing but lower case letters, that yields roughly 2x10^11 (2 followed by eleven zeros) possible passwords, and the vast majority will not be dictionary words (unless you intentionally choose a phrase that has a dictionary word as an acronym). So let's arbitrarily and pessimistically throw away half of them to allow for bad choices. It's still 10^11. So statistically a brute forcer will need to make around 5x10^10 attempts. Limit the login interface to three failed attempts per, say, 15 minute interval or 12 per hour, and it will take about 490 thousand years on average to break in. By then you should have had some kind of admin alert from the system.
If you type in #!comment: into Microsoft's password checker it declares it "medium strength"
How could the author have overlooked Microsoft being so dumb as to not include their own list of the 5 most unsafe passwords on their own password checker!!! It's a gift.
Using insecure facilities to test passwords, WTH?
Do MS give a damn at all? I'd be a little more convinced if a) altering a password by adding one digit did not have such a significant effect on the test result (as already observed) and b) they cared enough to use https.
Disappointed, very, I am, Yoda.
Posted Friday 4th December 2009 09:50 GMT
Many sites restrict their passwords to 6 or 8 letters and digits which means you can never be secure there, so beware.
Often recommendations suggest gobbledygook such asg$@hj48(tHy^. These are hard to remember, and may also be subject to bias in choosing patterns on the keyboard - yes crackers do look for such patterns. Note, also, that a determined cracker with enough computing power can crack *any* password - we can only try our best.
Here are illustrative strong(ish) passwords. I leave it up yo you to discover how each construction may be remembered
la1-di2-da3!
!sho-@meh-#ow$
hum+pty)dum(pty*
line=egbdf&space=face
deli-cat-ess-en
Make your own. It's not that hard.
The Password Strength Meter may help. It failed some of the above :{
http://www.passwordmeter.com/
This post has been deleted by its author
Select at least three of the following
uppercase, lowercase, numerics, other characters
Use at least one from each group to make a fourteen character password, eg
Qw111111111111
Eight characer passwords are considered strong, eg Qw111111, which includes Pa$$w0rd mentioned previously.
XYZZY makes "pronouncable passwords", which are much easier to type than random gobbledygook. It is thus easy to create and type 10 or even 12-character passwords.
e.g:
litfulportne
phreplewaint
cordantishus
Get it from http://www.brothersoft.com/xyzzy-for-windows-download-90643.html
The original Haxial.com link no longer works.
I work for an IT firm who do an awful of pen-testing for our customers and recently we ran an off the shelf password cracking tools on our own network. I'd love to say we passed muster but the fella who left the scan running overnight, expecting it to take days found it had discoverd over 50% of our users' passwords about 15 hours!!
According to him and other flokes I've spoken to your password's not secure unless it's 14 characters or more and is not one or more dictionary words, and that includes special character substitution e.g. S - $, a - @, i - 1 etc. It's dead easy to find a tool that runs a dictionary attack, then runs it again substituting 1's for i's 0's for o's etc.
The most frustrating thing is the limit for my online banking is 12 characters, none special and then MS failing to preach the proper mantra, built from scratch with security in mind my a**e!!!
The problem with strong passwords is that you inevitably have to store them somewhere, especially if you have to have a different password for every application and even more so if you are forced to change your password every 45 days or so. So of course you keep all your passwords in some highly insecure file somewhere!
When I worked for a large mega-corp (that's since dwindled away to nothing) the password checker banned any password containing a "dictionary word". The dictionary must have contained words I never heard of, but missed out common English words where the American speling was different! The big problem with this strategy is that if you can identify the dictionary words it dramatically cuts down the number of combinations you need to try in a brute force attack.
The 3 strikes and your blocked rule works pretty well for signing onto corporate IT servers.
I know that each bot in a botnet will have a seperate (spoofed ?) IP address but do they normaly spread their attemps out so much that each attempt will lok like a "first" attempt?
Also this behaviour seems a lot like a DDoS attack. Would the measures taken to counter one of those work quite well here?
I guess the long term solution would be to figure out which is the most commonly compromised computer type by OS and tighten up it its OS security. That would free up (IMHO ) a *lot* of bandwidth.
Does anyone know which OS that would be?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
