27. May, 2011
Another reason why security by obscurity is bad: Allied Telesis builds network components. While this page was loading in your browser, there is a chance that their equipment was involved somewhere along the way.
Those components have access protection with the common user/password scheme. If you lost your password, support could tell you the name and password for a backdoor, that is, a login that always works but isn’t visible when you, say, request a list of all known users.
Sounds good? It is. Saves a lot of hassle.
The problem? Someone posted the details for all backdoors in the public support section. Which means that crackers all over the globe now have free rein over them.
6. September, 2010
How secure can a simple password be?
Well, that depends. What do you want to protect and against whom?
Today, there are two main attacks. The first one is by people who are close. Coworkers and relatives. The coworkers need some information or access to some function while you’re not around or because there wasn’t enough money to buy a software license for everyone. The relatives want to spy on you (for various reasons). If your password is something personal, they will figure it out easily enough.
The other attack is by spammers who want to gain access to your computer (to send more spam or to get access to more computers or to your bank account, your credit card number, etc) or your accounts. Credibility (as in Google ranking) can be worth money, so control over a well-known blog or a reputable website is not something a cracker would shun.
These people run professional attacks against logins, so they try words from dictionaries with a few numbers added (like cat123). They have tables with passwords and how often people use them (hint: don’t use 123456 as password).
For big sites, the question isn’t really how “secure” the passwords are but how often they are used. If every password was different, it would be much more effort for attackers to crack enough accounts to make the attempt worthwhile.
That means passwords could be simple enough to remember. As they should be. Or people will have to write them down somewhere — we’re not computers. Which remember everything perfectly. Unless the last backup didn’t work. Or a virus comes along. Or someone makes a mistake.
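To make the two points above concrete, here is an added Python example (not from the original post): a check for the password shapes the post says professional attackers try first, and a small model of how much password reuse hands an attacker working from a frequency table. The password lists and user counts are constructed for illustration.

```python
import re
from collections import Counter

# Constructed tables. A real deployment would load a large breach-derived
# frequency list and a full dictionary; these few entries only illustrate.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}
DICTIONARY = {"cat", "dog", "summer", "monkey", "dragon", "football"}

# A dictionary word with up to four digits appended, the "cat123" pattern.
WORD_DIGITS = re.compile(r"^([a-z]+)(\d{0,4})$")


def is_weak(password: str) -> bool:
    """True if the password is in the frequency table or is a plain
    dictionary word with a few digits tacked on."""
    pw = password.lower()
    if pw in COMMON_PASSWORDS:
        return True
    m = WORD_DIGITS.match(pw)
    return bool(m and m.group(1) in DICTIONARY)


def cracked_fraction(usage: Counter, guesses_per_account: int) -> float:
    """Fraction of accounts compromised by trying only the k most popular
    passwords against every account. This is what reuse buys an attacker:
    the more accounts share a password, the more each guess is worth."""
    total = sum(usage.values())
    top = usage.most_common(guesses_per_account)
    return sum(count for _, count in top) / total


# Constructed site of 1000 users where a few passwords are heavily reused...
REUSED = Counter({"123456": 200, "password": 100, "qwerty": 50})
REUSED.update(f"unique-{i}" for i in range(650))
# ...versus the same site where every user picked a different password.
UNIQUE = Counter(f"user{i}-pw" for i in range(1000))

if __name__ == "__main__":
    for candidate in ("cat123", "Summer2009", "123456", "correct horse battery"):
        print(f"{candidate!r}: weak={is_weak(candidate)}")
    print("reused site, 3 guesses each:", cracked_fraction(REUSED, 3))   # 0.35
    print("unique site, 3 guesses each:", cracked_fraction(UNIQUE, 3))   # 0.003
```

With three guesses per account the reused population loses 35% of its accounts, the all-unique one 0.3%, which is the post's point that reuse, not individual strength, decides whether a mass attack pays off.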