User Names and Passwords
Every computer user is familiar with the inconvenience of user
names (accounts or IDs) and passwords. If weak passwords are used,
or good passwords are written down, stored or handled in a way
that lets an intruder get at them, passwords present almost no
obstacle to intruders.
Nearly all computer systems are delivered or installed with a
system administrator account that has total access to everything
on the computer. If those account names, such as "administrator"
on Windows NT and "root" on Unix systems, are not changed, and
they almost never are, a potential intruder starts out with half
of the most valuable credential on the system. (On Unix, renaming
root is rarely done in practice; the usual mitigation is to
disallow direct root logins, especially over the network, so that
administrators must log in under their own accounts first.) If the
passwords for these administrator accounts are not good,
unauthorized access to the system is trivial for a knowledgeable
cracker. If user names or IDs are formed according to a
convention, then all a cracker needs is knowledge of that
convention and a list of employees to have a significant number
of account names to work with.
Historically, if users are allowed to choose their own
passwords, they pick passwords that are easy to remember and
therefore easy to guess. Favorite passwords are names, nicknames
and initials of family and friends, combinations and parts of
family birthdays, names of pets, models of car and words
associated with hobbies. There is a widely reported case of
crackers obtaining multiple user accounts and passwords simply by
handing out an innocent-looking "survey" to company employees in
the company lobby. In any sizeable pool of users some will use
their account name as their password, if the system allows it.
Generally, good passwords are passwords that will not fall to a
dictionary attack. A dictionary attack is performed by taking the
words from a dictionary, or from another list of words that
includes common passwords, passing each one through the same
one-way algorithm the system used to store the password (usually
called encrypting the password, although it is really a hash),
and comparing the result with the stored value until one matches.
Attackers do not stop at bare words: they also try simple
variations of each word, such as changing its case or appending a
few digits. Some older UNIX systems make such attacks very simple,
because the password hashes sit in the world-readable /etc/passwd
file, so anyone with an account can copy them and run the attack
offline at leisure.
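The attack just described, as an added example in Python; this is not code from the original article. It assumes a hypothetical password file made of "user:salt$hash" lines, with a salt prepended to the password and hashed with SHA-256 (a stand-in for the system's real scheme), and a constructed word list. The variants tried for each word (case changes, appended digits and punctuation) are the simple "rules" step that real cracking tools apply on top of the bare word list.

```python
import hashlib
from typing import Optional

# Added example, not from the original article. The hash scheme (salt
# prepended to the password, then SHA-256) is an assumption for the demo;
# traditional Unix used crypt(3) and modern systems use slow hashes such as
# bcrypt or scrypt. The shape of the attack is the same in every case.


def hash_password(salt: str, password: str) -> str:
    """Hash a password the way the (hypothetical) system stores it."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(user: str, salt: str, password: str) -> str:
    """Build one constructed 'user:salt$hash' line as a password file might hold it."""
    return f"{user}:{salt}${hash_password(salt, password)}"


# Constructed password-file lines for three hypothetical accounts.
SHADOW = [
    make_record("root", "ab", "password"),
    make_record("jdoe", "x7", "jordan23"),
    make_record("asmith", "q1", "Vq8#lzWm2r"),   # not reachable from the word list
]

# A tiny stand-in for a real word list (dictionary words plus common passwords).
WORDLIST = ["password", "letmein", "jordan", "summer", "bond", "happy", "number"]


def mangle(word: str):
    """Yield the word and the simple variants a cracker tries: changed case and
    appended digits or punctuation (the 'rules' step of a dictionary attack)."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "23", "007", "!"):
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack_one(salt: str, digest: str, wordlist) -> Optional[str]:
    """Return the candidate whose hash matches the stored digest, or None."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(salt, candidate) == digest:
                return candidate
    return None


def dictionary_attack(records, wordlist) -> dict:
    """Run crack_one over every record; return {user: recovered password}."""
    cracked = {}
    for line in records:
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        found = crack_one(salt, digest, wordlist)
        if found is not None:
            cracked[user] = found
    return cracked


if __name__ == "__main__":
    for user, password in dictionary_attack(SHADOW, WORDLIST).items():
        print(f"{user}: {password}")
```

Because each record carries its own salt, every candidate has to be hashed once per account; with unsalted hashes a single hash per candidate could be compared against every stored value at once, which is why salts (and deliberately slow hash functions) raise the cost of this attack even though they do nothing about a genuinely weak password.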
Good passwords generally contain both letters and non-letters such
as digits, punctuation or symbols: mixed-case letters, one or more
digits and one or more symbol or punctuation characters. Further,
good passwords do not appear in any dictionary or online list of
words or passwords.
A few really bad passwords that contain both letters and
non-letters follow: "abc123", "asdfjkl;", "bond007", "hal9000",
"happy1", "jordan23", "number1", "seven7", "test1", "thx1138".
If it is not obvious why these were bad the first time they were
used (keyboard patterns, or well-known names and numbers with a
digit or two tacked on), they are bad passwords now if for no
other reason than that they have appeared in widely available
lists of common passwords.
Any example of a good password that is shown to multiple persons
or widely disseminated, as in a book, immediately becomes a bad
password. Also, any password that is derived from the account
name, such as by adding or removing characters or transposing
them, is a bad password.
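The rules above (letters and non-letters, mixed case, digits, symbols, not in a word list, not derived from the account name), as an added Python checker that is not part of the original article. The word lists are constructed stand-ins seeded with the bad passwords quoted above, the minimum length of 8 is an assumption the article does not state, and the "derived from the account name" test goes slightly beyond the text by also treating a reversed account name, or a password within two edits of it, as derived.

```python
import re

# Added example, not from the original article. The word lists are tiny
# constructed stand-ins; a real checker would load a large dictionary and a
# breach-derived common-password list. The bad passwords quoted in the
# article seed the common-password list.
COMMON_PASSWORDS = {
    "abc123", "asdfjkl;", "bond007", "hal9000", "happy1", "jordan23",
    "number1", "seven7", "test1", "thx1138", "password", "letmein",
}
DICTIONARY_WORDS = {
    "happy", "jordan", "number", "seven", "test", "summer", "secret", "bond",
}

# Minimum length is an assumption added here; the article does not give one.
MIN_LENGTH = 8


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def derived_from_account(password: str, account: str) -> bool:
    """True if the password is the account name with characters added, removed
    or transposed (the article's rule), reversed, or within two edits of it.
    Very short account names make the substring test prone to false positives."""
    p, a = password.lower(), account.lower()
    if not a:
        return False
    if a in p or p in a:                           # characters added or removed
        return True
    if p[::-1] == a or sorted(p) == sorted(a):     # reversed or letters shuffled
        return True
    return levenshtein(p, a) <= 2                  # a couple of characters changed


def password_problems(password: str, account: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mixed case")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol or punctuation")
    low = password.lower()
    if low in COMMON_PASSWORDS:
        problems.append("in common-password list")
    # Strip digits and symbols so that "happy1" or "Test!" still count as words.
    letters = re.sub(r"[^a-z]", "", low)
    if letters in DICTIONARY_WORDS:
        problems.append("dictionary word with digits or symbols added")
    if derived_from_account(password, account):
        problems.append("derived from account name")
    return problems


if __name__ == "__main__":
    for pw, acct in (("bond007", "jbond"), ("Jdoe1!", "jdoe"), ("Vq8#lzWm2r", "jdoe")):
        print(pw, "->", password_problems(pw, acct) or "ok")
```

Note that the dictionary test is applied to the letters left after stripping digits and symbols, which is exactly why "happy1" and "bond007" fail it even though they satisfy the "letters and non-letters" rule; a checker that only tests the whole string would pass them.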
I once worked at a small government agency where the two top
administrators' personal accounts had full system administrator
privileges. Usernames were simply the user's initials. Both
insisted on using passwords that were very easy to remember and
guess. I have forgotten how I came into possession of the top
administrator's password, which was his last name; even after he
was informed that his username and password were known, he
refused to change them. I had an opportunity to observe a new,
outgoing employee, who had quickly gotten to know the assistant
administrator, guess his password in three or four tries; it was
one of his daughters' names. For all practical purposes, this
site had no computer security and those responsible for it simply
did not care.
The worst security I ever saw was at a client site where the
original system administrator account was still used with the
original password and given to temporary employees. This company
managed the financial affairs of celebrities, and their system
had more extremely sensitive personal and financial data than any
other system I've ever seen. They allowed me to leave their site
with a full copy of their database on a removable disk pack.
The client list was small, but I recognized most of the names. I
was scared to possess such sensitive information, lest I be the
source of a leak. The first thing I did when I got back to my
office, before making the system changes that were my job, was to
mangle every name, address, phone number, social security number,
bank account, credit card and anything else that might identify
the client or be used illicitly. I had tried, unsuccessfully, to
explain to the client how dangerous their situation was.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
https://geodsoft.com/terms.htm
(or https://geodsoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
https://geodsoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.