password hack chain hack passwordBy Phil Robinson

A few months back we had a client’s network compromised by a former employee, stealing information for a competitor. This network had a high end firewall, an encrypted wireless network, and security measures in place to prevent something like this from happening, yet it still happened.

It happened because people don’t like to remember a lot of passwords. I can’t say I blame them, I think we’re all guilty of using the same password all over the place sometimes for years. Unbeknownst to me, everyone in this company new the boss’ password. It’s the same password he used on everything, which forced him to let others know what it was so they could do things like configure the security system, login to web sites, setup the phones, etc. This ex-employee used that password to login to their system after he was released, and downloaded critical data he used to better his position where he was working for a competitor.

I showed him how to change his password after this employee was let go, which he did. However, putting a “1” at the end of the existing password in my mind doesn’t constitute a password change.

I can’t stress enough the importance of complex passwords. Sometimes we will setup a new server for a client who has never had passwords before, and they complain like crazy that I’m forcing them to have a password to sign in, especially complex ones. To them I say, “wah.” A complex password must include 3 out of 4 character types: uppercase, lowercase, numbers or symbols. If you are using a password that doesn’t meet these requirements, I suggest you change it. Hackers can perform what are called dictionary attacks, where a program will automatically try every word in the dictionary with your username, attempting to get to your data. Complex passwords aren’t in the dictionary, and are harder to crack with other types of attacks as well.

If you have a server in your office, changing your password can be easy. Simply press ctrl-alt-del all at once. If you see a change password button, click it and follow the instructions. For machines without a server, the password can be changed in the control panel, under the users section. It is especially critical for server based networks, as one password could protect access to your machine locally or remotely, as well as access to email or other data.

Don’t put it on a sticky note underneath your keyboard either.

Its not difficult to make an existing password meet complexity requirements, just change a lowercase letter to uppercase, through a symbol at the end, and your password becomes complex, and hopefully you can still remember it. Changing it at least every 6 months or so is not a bad idea either. Even if you don’t think you’re data is worth protecting, think of the damage it could do in the wrong hands.

Top 7 password mistakes:

  1. Leaving it blank – or using “password”, “1234567”, abcdefg – these are all so unsecure you might as well leave it blank
  2. using your birthday – Duh
  3. using your dogs name – after years of working in tech support I would say this is the most common password.
  4. reading this post and then changing it from fido to fido1
  5. writing your new password on a sticky note the puting it on your screen or under your keyboard
  6. Using the same password for years
  7. sharing it – just type it in, don’t tell everyone.

Original article, written by Phil Robinson from I.T.Now.net (See the original article) on Dec.30, 2008