Posted by: Ken Harthun
Networking, Password, Security, Security maxim
In my last post, I stressed the importance of changing the default username and passwords of all configurable network devices. That’s good advice. But a weak password, one that is easily guessable, is almost as bad as no password. Far too many people use a password that’s obvious; i.e., given some basic information about the person, a determined hacker could easily guess it without too much effort.
I have two clients, both of which generate some serious confidential data, who set up initial passwords for new users in the form password.2008 or changeme. (Thankfully, I recently convinced both of these clients to implement password policies!) I’ve been able to use basic observation and small talk to guess users’ passwords about 20% of the time. The first thing I try is a blank password–you’d be surprised how often that works, especially for home users. Next, I’ll try the user name, the spouse’s name or “password.” I may try a couple of other things, like “123456,” “asdfjkl;” or, believe it or not, “********.” Usually, though, I just ask them for the password and they give it to me.
According to Wikepedia there are several things many people use as passwords that results in their being predictable:
Repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:
- blank (none)
- the word “password”, “passcode”, “admin” and their derivates
- the user’s name or login name
- the name of their significant other or another relative
- their birthplace or date of birth
- a pet’s name
- automobile license plate number
- a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.
- a row of letters from a standard keyboard layout (eg, the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)
So, if you want to protect your router and the other devices on your network, never use anything from the above list and apply Security Maxim #4: Use an unguessable, or difficult-to-guess password always.
Next time: How you can do everything right and still be vulnerable to attack.