Password Selection
By: Netcrash

When I audit the security of a network, one of the first things that I do is look at the password selection policy. Most good administrators have laid down strict guidelines on the selection of passwords. Passwords are the forefront of network security. Why bother putting a $50,000 firewall in place if the password could be cracked in minutes by a 12 year old? We must take steps to improve network security. A good way to do this is to select better passwords.

Primary criteria for a good password are:

- It must be at least 6 characters long, preferably 8.
- It must contain mixed case, numeric, and symbolic characters. Privileged passwords should also include at least one non-printable ASCII character (recommended for administrators).
- Passwords should be selected that are not easily linkable to the user. For example, user MaryAnn has her password as MARY123.
- Passwords should be short enough that the common user is not required to write them down. Believe you me folks, written down passwords have been the downfall of many systems.

Analysis on password selection:

Good passwords are a start, but they are not completely foolproof. A good hacker can still find ways to bypass passwords. The company must put into place policy that prevents "social engineering" of passwords. I have heard stories of hackers calling into a company and posing as the administrator to gain privileged passwords.

Ideas for company-wide policy include:

- Users should not be permitted to write down their passwords anywhere. There should be no hard copies of password and username listings posted ANYWHERE. This is just asking for trouble.
- Passwords should not be recycled from one user to another. This means that once a password has been used, it should not be used again for several years. Some companies simply rotate their users through a static list of passwords. All a hacker would have to do is acquire this listing and use it to brute force the password of a privileged user.
- Users should be instructed to NEVER, under any circumstances, give their passwords out to anyone over the phone, email or chat. If it should become necessary to communicate this information, the compromised passwords should be changed as soon as possible.
- Upon the suspicion of passwords being compromised, the entire collection of company passwords should be changed. This would limit the time that a hacker would have to implement a backdoor into the system. The system should also be checked for these back door programs.
- Go to a hacker site and download a password list, run your company passwords against it, and disallow the use of any password found on the list.

Remember that an ounce of prevention is worth a pound of cure. The few minutes spent enforcing good passwords will save you possibly hundreds of hours repairing damage caused by a malicious hacker.

This listing was taken from a popular hacker document on how to brute force a password. Take heed of it and do not allow passwords like these to go on your system!!!

1) Relating to the person's real name, in some form or the other
   RealName: John Doe
   PossiblePW: doe, johndoe, jdoe, jd, johnd, john doe, doejohn

2) Relating to the person's handle, in some form or the other
   Handle: Victim
   PossiblePW: victim, vic, vict, etc.

3) A combination of the person's real name and handle, in some form or the other
   RealName: John Doe
   Handle: Victim
   PossiblePW: johndoevictim, jdvictim, jdv, johnvictimdoe

4) A combination of the person's real name and handle, along with a friend's real name, and maybe handle
   RealName: John Doe
   Handle: Victim
   Friend'sRealName: Harry Hailey
   Friend'sHandle: Fuckup
   PossiblePW: johndoevictimharryhaileyfucup, jdvhhf, jdvhhfup

5) A person that the victim is interested in, e.g. a boy/girlfriend, someone he/she has an eye for, etc.
   RealName: John Doe
   MateHopeful: Janet Dove
   PossiblePW: janet, johndoeandjanetdove, j&j, etc.

6) A combination in some form or another of the person's phone number
   RealName: John Doe
   PhoneNumber: 212-555-9099
   PossiblePW: 9099, 2125559099, 5559099, 212, etc.

7) Name of BBS
   RealName: John Doe
   BBS Name: Crappy BBS
   PossiblePW: crap, crappybbs, bbscrap, etc.

8) A combination of BBS name and user name, user data, etc.
   RealName: John Doe
   BBS Name: Crappy BBS
   PossiblePW: crapjdoe, jdoecrap, johndoeatcrappybbs, jd@cbbs

9) Mother's maiden name
   Real Name: John Doe
   Mother's Maiden Name: Janet Ho
   PossiblePW: johndoejanetho, janetho, ho, etc.

10) InterNet Address
   Real Name: John Doe
   InterNet Address: j.doe@crapbbs.com
   PossiblePW: j.doe@crapbbs.com, j.d@c.c, etc.

11) School Name
   Real Name: John Doe
   School: Faggot High School
   PossiblePW: faggot, jdfaggot, jd@faggot, etc.

12) The name of someone they hate
   Real Name: John Doe
   Person Hated: Des Meanie
   PossiblePW: Des, Meanie, Desmeanie, etc.

13) A place where they live
   Real Name: John Doe
   Borough of Home: Brooklyn
   PossiblePW: Brooklyn, jd@brook, etc.

14) Combinations of the above

In conclusion, although passwords are not even close to totally foolproof, they will keep the script kiddie hackers out and deter other hackers from attempting to crack your system. There are many ways other than brute forcing a password to compromise a system. Still, passwords are the forefront of security and they should be treated as such.

Reference(s):
For a listing of the ASCII table, visit this site: www.delanet.com/~pparish/ascii.htm
Selections included from: Vortex[HIT], HIT Inc. Guide to password cracking.
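The following is an added example, not code from the original article or from Netcrash: a policy check that enforces the length and character-class criteria, compares against a downloaded password list, and rejects passwords built from the user-linkable details in the listing above (name, handle, phone number, e-mail address, home town). The profile, the small COMMON_PASSWORDS set and the function names are constructed for the demonstration.

```python
import re
import string

# Constructed stand-in for a downloaded password list; a real one holds thousands of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "mary123", "admin"}


def derived_tokens(profile):
    """Tokens an attacker would guess from the user's details (name, handle, phone,
    e-mail, school, home town ...): whole words, words joined, initials, digit runs."""
    tokens = set()
    for value in profile.values():
        words = re.findall(r"[a-z0-9]+", value.lower())
        tokens.update(words)
        tokens.add("".join(words))                  # "johndoe"
        tokens.add("".join(w[0] for w in words))    # "jd"
        digits = re.sub(r"\D", "", value)
        if digits:
            tokens.update({digits, digits[-4:]})    # "2125559099", "9099"
        if "@" in value:
            tokens.add(value.lower())               # the full e-mail address
    return {t for t in tokens if t}


def check_password(password, profile, common=COMMON_PASSWORDS, privileged=False):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("missing mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("missing a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("missing a symbol")
    if privileged and not any(ord(c) < 32 or ord(c) == 127 for c in password):
        problems.append("privileged account needs a non-printable ASCII character")
    lowered = password.lower()
    if lowered in common:
        problems.append("appears on a published password list")
    # Exact match on any token; substring match only on tokens of 3+ characters
    hits = sorted(t for t in derived_tokens(profile)
                  if t == lowered or (len(t) >= 3 and t in lowered))
    if hits:
        problems.append("contains user-linkable token(s): " + ", ".join(hits))
    return problems


# Constructed profile built from the article's sample user
PROFILE = {"real_name": "John Doe", "handle": "Victim", "phone": "212-555-9099",
           "email": "j.doe@crapbbs.com", "home": "Brooklyn"}

if __name__ == "__main__":
    for pw in ("johndoe", "Victim1!", "jd9099", "Xq7!wLp2#"):
        print(pw, "->", check_password(pw, PROFILE) or "OK")
```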