Thursday, May 24, 2007

Password Security

I spotted this article in PC World magazine which lists the ten most popular passwords. They are
  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. link182
  10. (your first name)
I would expand this list to include such things as your children's/spouse's name, company name and a few other common words I have encountered.

To have a secure password, it should be a mix of UPPER and lower case letters and some numbers. To make it REALLY secure, use some obscure characters like ^ or # or accented characters such as Ÿ, and make sure it's at least 8 characters long. It's easier than you think to make one up: use numbers for letters, for instance, so peter becomes p3t3r or bill becomes b1ll; use a car registration plate (no, not your current car's) or something else you can remember, or at least work out.

The reason for this is simple: that top ten list (and I would add several to it myself to make at least a top twenty) is well known to anyone who fancies trying to guess your password. On top of that, password breaking software will try one of two methods:-
  1. Dictionary Attack
    Where the software literally has a dictionary of words it throws at your password one by one.
  2. Brute Force
    Where the software tries combinations of characters sequentially, e.g. it tries a, b, c etc., then aa, ab, ac, until it reaches its limits.
Now you'd think that second one would guess ANY password, but it won't, because of the time it takes to process. A simple example: if it just tried the 26 letters of the alphabet, and suppose it takes 1 second to try each combination, then after the first pass with a 1 letter password it's taken 26 seconds; to do all the two letter combinations takes 26 x 26 seconds, or 676 seconds; to do all the three letter combinations takes 17,576 seconds, and so on.

Obviously computers can process far faster than this, but because the time adds up logarithmically this kind of attack limits itself to common letters, numbers and punctuation, and restricts the length of password it can try.
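An added worked example (not from the original post) of the two methods above: it counts the guesses the sequential search needs for the page's 26-letter case (26, then 676, then 17,576 more), shows how the alphabet grows when upper case, digits, punctuation or a character like Ÿ are added, and checks whether a digit-for-letter password such as p3t3r would still fall to a dictionary attack that undoes such substitutions. The word list and the substitution table are constructed for the example.

```python
import itertools
import string

# The four character classes a sequential brute-force search has to cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def alphabet_size(password: str) -> int:
    """Smallest standard alphabet a brute-force search must enumerate to reach this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (an accented letter such as the page's Ÿ)
    # each enlarge the alphabet the attacker must enumerate by one.
    extras = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(extras)

def combinations_up_to(alphabet: int, length: int) -> int:
    """Guesses needed to try every 1..length string: 26 + 676 + 17,576 ... for 26 letters."""
    return sum(alphabet ** n for n in range(1, length + 1))

def seconds_to_exhaust(password: str, guesses_per_second: float = 1.0) -> float:
    """Worst-case time for the page's sequential search at a given guess rate."""
    return combinations_up_to(alphabet_size(password), len(password)) / guesses_per_second

# Constructed stand-in for the top-ten list plus the names and common words the post mentions.
WORDLIST = {"password", "123456", "qwerty", "abc123", "letmein", "monkey",
            "secret", "peter", "bill"}
# Constructed digit-for-letter substitutions a dictionary attack undoes before comparing.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}

def candidates(password: str) -> set:
    """Every plain word the password could be a substituted form of, e.g. p3t3r -> peter."""
    forms = {password.lower(), password.lower().rstrip(string.digits)}  # also drop a 'password1' suffix
    forms.discard("")
    found = set()
    for form in forms:
        options = [c + LEET.get(c, "") for c in form]  # each char: itself or what it may stand for
        found.update("".join(combo) for combo in itertools.product(*options))
    return found

def dictionary_hit(password: str) -> bool:
    """True if a dictionary attack with substitution rules would recover the password."""
    return not candidates(password).isdisjoint(WORDLIST)

if __name__ == "__main__":
    for pw in ("peter", "p3t3r", "b1ll", "password1", "Kq9#vL2p"):
        print(f"{pw:10} alphabet={alphabet_size(pw):3} "
              f"brute-force@1/s={seconds_to_exhaust(pw):>14,.0f}s dictionary_hit={dictionary_hit(pw)}")
```

The output shows that substituting digits for letters widens the brute-force alphabet but does nothing against a dictionary attack that knows the substitution; only a password that is neither a word nor a disguised one, and is long, survives both.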

I must admit this is another reason why I think Microsoft DON'T GET SECURITY, as when I created a Hotmail account a while ago it wouldn't let me use punctuation in my password! So as far as I was concerned the password I created was insecure.

Now you will be asking, huh, well who wants to hack ME? The fact is they don't want to hack YOU, they just pick off the low hanging fruit in the hope it might be worth it. Have you ever sent something private by Hotmail? Or simply something you wouldn't want made public?

At one company I worked at, one of the directors thought he was so clever because when I needed his password he said "it's secret". I thought he meant he wouldn't tell me, so I began to explain I HAD to know it or I couldn't log in to his computer to fix it, and he stopped me and said "no, it's 'secret', that's my password". The company's financial information, all highly confidential, was secured by an eminently guessable password! Another company used password 5 on the above list for EVERYTHING; again company confidential information was secured with something easily guessable, AND everyone in the office, some 30+ people, knew what it was!

I did point out how insecure this was and I hope they have since taken steps to fix the problem; somehow, though, I doubt it.

Monday, May 14, 2007

well well

Looky here

After yesterday's rant about web sites that don't get things right by using "clever tricks" to do what could be done more easily and more properly, I found this posted today on the BBC web site.

What's that phrase about great minds?

Sunday, May 13, 2007

Today's rant

Web designers who decide that, instead of perfectly good, standard ways of doing things, they will use some new trick they've discovered.

Perfect examples of this are sites which use JavaScript instead of links, so if you decide to right click the link to save it somewhere you just get the JavaScript, or maybe, because they've used odd JavaScript, the link just doesn't work. WTF is wrong with the good old a href= style links? They work, they work in ANY browser and they do exactly the same as your fancy JavaScript!

Pages which don't display in my browser of choice (Opera), again because some twonk has decided to use some fancy arsed "modern" way of displaying the pages which he found on some poncy web 2 site. Guess what guys, your site fails to display, I go somewhere else, and that loses you a sale! Tough titty matey.

I could go on, but standards are standards for a REASON and any web developer who can't grasp that should go and take up origami or knitting, or anything else!

Of course what they also do, on a more serious note, is run the risk of being prosecuted for discrimination against disabled people, but they never teach that at the FrontPage school of crappy web design.