If I were to take the one thing from that class that stood out from the rest, it was the terror the college student teachers instilled in us: NEVER SHARE YOUR PASSWORD WITH ANYONE!!!! I mean, they really made a point of this. I was all of 9 years old when they snapped this rule to my spine, and the echoes of the lesson have reverberated in my nervous system through time until the present day. I recall that one of the teachers' passwords was several dozen characters long, which he said was a biblical passage he had memorized. His fellow teachers snickered that this was "slightly overkill," but I'll never forget the speed at which he'd type something like "4nd_th3_34rth_w4z_without_form,_4nd_voi
Fast forward to 1988. I got into the BBS world, and was always frustrated that the passwords I chose were limited. Much of the software had an 8-character maximum for logins and passwords, and wouldn't accept spaces, punctuation, or, in a few cases, even numbers. Most were not case sensitive, so TOMHUDZN was the same as tomhudzn or TomHudzn. This improved rather rapidly, but you never knew what version of WWIV, Bearcat, or NiteLite you were logging into, or what it would accept.
I never gave out my password. My feeling was that if the sysop needed it, he could change it at will, or read it from an insecure text file; that's a lesson from my UNIX days. But it amazed me how many people would give out their password at any given time. There were always accounts that got hacked. Having seen some of these text files, it's no wonder. The passwords were so flippin' simple to guess. Here are the Top Ten Passwords used, according to admins:
1. No password at all (just hit "enter")
2. The word "password"
3. Cartoon characters (Homer, Road Runner, Mickey Mouse, Dilbert)
4. Football team or player's name
5. Pet's name
6. Astrological sign
7. First love, boyfriend/girlfriend's name
9. Any sci-fi or fantasy characters (Gandalf, Frodo, Jedi, Wookie, Hercules)
10. Company name
I have seen a dictionary cracker in action. Many people think doing stuff like "g4nDa1F" makes your password real hard to crack. Bzzzt. Try again. Swapping letters for look-alike digits is exactly the kind of rule a cracker applies to every word in its list. In fact, any letter/number/punctuation combo under nine characters is in there. Even nonsense stuff like fQ2_6;z# is in that dictionary. The issue for hackers is that every extra character multiplies the number of attempts on nonsense by 94 (the usable ASCII character codes are 32 to 126, which is 94 printable characters), so for pure nonsense the count is 94 raised to the length. One character is a paltry 94 guesses. Two is 8,836 attempts. Three is over 830,000. Eight is over six quadrillion combinations. But they don't have to use nearly so much, because a majority of people (even the best sysadmins) never touch most of the punctuation; they use only spaces, periods, hashes, underscores, and the "@" symbol. That cuts the alphabet from 94 down to 67 (52 letters, 10 digits, and those five symbols). Plus, a majority base it on a real word, which sharply reduces the number of tries that need to be made. Keep in mind that if the hacker actually has physical access to your machine, he or she can walk off with the password file and run a dictionary attack against it offline at about 1,000 words per second (depending on processor speed), with nothing on the target noticing. Most of the sophisticated hacker dictionaries are not alphabetized, but have the most common stuff up front. I have seen such dictionaries on a Linux box crack most passwords in about 3-4 minutes. Again, this was done from a bootable CD-ROM on a compromised Linux box, so the guy demonstrating had physical access to the machine. Online dictionary attacks, guessing against the login prompt of a live account, are so slow (often they can't do more than 3 in one minute, and sometimes after 3 bad attempts the account gets locked) that they might as well not be worth it. But how do you know that box you are logging into hasn't been physically compromised? And is that password unique, or do you share the same password over multiple accounts?
My friend VB got stung this way back in the BBS days. She had a stalker who was a sysop on another board. He got her password off his board, and then used it for the other BBSs around the area. He posted a lot of stuff pretending to be her.
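To put numbers on the keyspace arithmetic above, and to show what a rule-based dictionary run does to "g4nDa1F"-style passwords and to a password reused across boards the way VB's was, here is an added example. It is not code from the original post. It assumes the stolen credentials are unsalted SHA-256 hashes (a stand-in for whatever the BBS software stored), a constructed five-word list ordered most-common-first, a made-up leet rule set, and constructed account names and passwords.

```python
import hashlib
import itertools

# Printable ASCII is codes 32..126: 94 symbols. Most people draw from far fewer:
# 52 letters, 10 digits, and the five punctuation marks named in the post.
PRINTABLE_ASCII = 94
COMMONLY_USED = 26 + 26 + 10 + 5  # = 67

def keyspace(alphabet_size, length):
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length

def years_to_exhaust(alphabet_size, length, guesses_per_second=1000):
    """Worst-case time to try every string, at the post's 1,000 guesses/second."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)

# Substitutions a rule-based cracker applies to each dictionary word. These are
# assumed, typical leet rules, not any particular tool's rule set.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

def variants(word):
    """Every case/leet spelling of `word` a rule-based attack would try."""
    per_char = []
    for c in word.lower():
        options = {c, c.upper()}
        if c in LEET:
            options.add(LEET[c])
        per_char.append(sorted(options))
    for combo in itertools.product(*per_char):
        yield "".join(combo)

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def crack(hashes, wordlist):
    """Offline dictionary attack against stolen unsalted hashes.

    hashes: {account: hexdigest}. Returns {account: recovered password}.
    Each guess is hashed once and looked up, so one guess tests every account
    at the same time, and accounts that share a password fall together.
    """
    by_hash = {}
    for account, digest in hashes.items():
        by_hash.setdefault(digest, []).append(account)
    found = {}
    for word in wordlist:  # most common words first, as the post describes
        for candidate in variants(word):
            accounts = by_hash.get(sha256_hex(candidate))
            if accounts:
                for account in accounts:
                    found[account] = candidate
                if len(found) == len(hashes):
                    return found
    return found

# Constructed sample: five accounts, one password reused on two boards,
# and one random 8-character password with no dictionary word behind it.
SAMPLE_PASSWORDS = {
    "vb@board1": "g4nDa1F",
    "vb@board2": "g4nDa1F",
    "sysop": "password",
    "bart": "Homer",
    "ops": "fQ2_6;z#",
}
SAMPLE_HASHES = {a: sha256_hex(p) for a, p in SAMPLE_PASSWORDS.items()}
WORDLIST = ["password", "homer", "dilbert", "gandalf", "frodo"]

if __name__ == "__main__":
    for n in (1, 2, 3, 8):
        print(f"{n} chars: {keyspace(PRINTABLE_ASCII, n):,} strings, "
              f"{years_to_exhaust(PRINTABLE_ASCII, n):,.1f} years at 1,000/s")
    print("cracked:", crack(SAMPLE_HASHES, WORDLIST))
```

The word list plus rules recovers "g4nDa1F" on both boards in one pass; only the random "ops" password survives this run, and the 94^8 figure is what it costs to exhaust that one by brute force at 1,000 guesses per second. A salted or deliberately slow password hash changes the rate, not the logic: reusing a password still means one cracked hash opens every account that shares it.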
Where I work, since we do sensitive stuff, our accounts are always being attacked. Our logins are multilayered and sealed with SecurID. But they still try to get in. A SecurID token code is only good for about 30 seconds, so they try to "phish" for our password and the current token code by simulating logins; whatever they capture has to be replayed within that window. Some are quite good attempts.
And that leads to why I started writing this. Today was a series of bad attempts. Usually the attempts are slightly more sophisticated, so I am not sure if this person was drunk or a decoy for something else, but here are some I got in my mailbox today (names and e-mail addresses have been changed):
Subject: Attention company employee
this is gern blanston from corp hq, we are conducting an audit and need your password emailed to us at email@example.com as soon as possible. there have been some problemz with the system. please give us your securid too. thanks, gern. opersec
Subject: AIM Address Change
Reply to this e-mail to confirm your e-mail address change from
firstname.lastname@example.org to ABhardwajcsc@spoofed-email.com. In the reply, type 'OK' as the text of your
The change will affect the screen name tied to this e-mail address:
Please take a moment to return your confirmation now. It will take up
to 72 hours to confirm your new e-mail address. If you do not want to
confirm this address as your new e-mail address do not reply, and no
changes will take effect.
You can also cancel the update within 72 hours of submitting the update
request, by following the directions in the confirmation e-mail sent to
your old e-mail address.
Thank you for using the AOL Instant Messenger(SM) service.
Subject: HEY READ THIS RIGHT NOW DAMMIT
YOU LITTLE FRUITCAKEMOTHER FUCKERS IM GONA RAPE UR KIDZ AND FUCKING SMASH YOUR DOMES IN YOU LITTLE BITCH I HATE YOU SO MUCH IF U GOT BALLS YOULL IM ME ON email@example.com YOU FUCKING FAGGET ASS BITCHES. WHY DONT U LET UR MOM BEND OVER AND GET BUTTFUCKED BY SOME GORRILLA YOU JAPPANESE FUCKING QUEER. IF I EVER SEE U, IMA FUCKN SLAP THE TASTE OUT OF UR MOUTH FUCKING LOSER!!!
This series was repeated over several e-mails and AIM accounts all morning. Now, obviously, this was a script of some kind. But I wonder what the designer was thinking?
1. Attempt to gain login and SecurID by pretending to be corporate
2. Attempt to gain login and SecurID by pretending to be whoever runs AOL Instant Messenger
3. Attempt to gain login and SecurID by sheer intimidation
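The three tactics listed above are simple enough to flag mechanically. As an added example, not part of the original post, here is a small triage script that runs three checks over constructed messages modelled on the three quoted ones plus one benign mail (sender addresses, domains and wording are made up, and the third is a toned-down stand-in for the abusive one): a request to send a password or SecurID code, an address the reader is told to reply to on a different domain from the claimed sender, and shouting or threats.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Words that name a secret, and verbs that ask the reader to hand it over.
CREDENTIAL_WORDS = re.compile(r"\b(password|passwd|securid|token|pin|login)\b", re.I)
HANDOVER_WORDS = re.compile(r"\b(email(?:ed)?|send|reply|give|confirm|type)\b", re.I)
# An address the reader is told to reply, send or IM "at", "to" or "on".
REPLY_TARGET = re.compile(r"\b(?:at|to|on)\s+([\w.+-]+@[\w-]+(?:\.[\w-]+)+)", re.I)
THREAT_WORDS = re.compile(r"\b(hate|kill|smash|slap|hurt|destroy)\b", re.I)

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def analyze(raw):
    """Return {'subject': ..., 'reasons': [...]} for one RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1]
    reasons = []

    # 1. Pretending to be corporate: asks you to send a password / SecurID code.
    if CREDENTIAL_WORDS.search(body) and HANDOVER_WORDS.search(body):
        reasons.append("credential_request")

    # 2. Pretending to be the service: the address you are told to reply to
    #    lives on a different domain from the one the mail claims to come from.
    targets = {domain_of(a) for a in REPLY_TARGET.findall(body)}
    if sender and targets - {domain_of(sender)}:
        reasons.append("reply_domain_mismatch")

    # 3. Sheer intimidation: shouting (mostly upper-case) or threat words.
    letters = [c for c in body if c.isalpha()]
    caps_ratio = sum(c.isupper() for c in letters) / max(len(letters), 1)
    if caps_ratio > 0.6 or THREAT_WORDS.search(body):
        reasons.append("intimidation")

    return {"subject": msg.get("Subject", ""), "reasons": reasons}

def triage(messages):
    return [analyze(m) for m in messages]

# Constructed samples modelled on the three quoted messages, plus one benign mail.
SAMPLE_MESSAGES = [
    """From: Gern Blanston <gern@corp-hq.example>
Subject: Attention company employee

this is gern blanston from corp hq, we are conducting an audit and need your
password emailed to us at audit@mailbox.example as soon as possible. please
give us your securid too. thanks, gern. opersec
""",
    """From: AOL Instant Messenger <noreply@aim.example>
Subject: AIM Address Change

Reply to this e-mail to confirm your e-mail address change from
you@work.example to ABhardwajcsc@spoofed-email.example. In the reply, type 'OK'.
""",
    """From: nobody@throwaway.example
Subject: HEY READ THIS RIGHT NOW

I HATE YOU SO MUCH. IF YOU HAVE GUTS YOU WILL IM ME ON rage@throwaway.example
RIGHT NOW YOU LOSER!!!
""",
    """From: Help Desk <helpdesk@corp-hq.example>
Subject: Maintenance window

The mail servers will be rebooted at 02:00. No action is needed on your part.
""",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        print(f"{r['subject']!r}: {r['reasons'] or 'clean'}")
```

The first check is the one that matters most for this kind of attack: no audit, help desk or address-change process needs your password or your SecurID code typed into an e-mail, so any mail asking for one is suspect no matter who it claims to be from. The domain comparison only looks at the claimed From header, which is itself trivially forged; it catches the lazy cases on this page, not a sender who forges the header to match.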