
User Names and Passwords

Every computer user is familiar with the obvious inconvenience of user names, accounts or IDs and passwords. If poor passwords are used or good passwords are left or used in a manner so they are accessible by an intruder, passwords present almost no obstacle to intruders.

Nearly all computer systems are delivered or installed with a system administrator account that has total access to everything on the computer. If those account names such as "administrator" on Windows NT and "root" on Unix systems are not changed, and they almost never are, a potential intruder has half the equation of the most valuable access right from the start. If the passwords for these administrator accounts are not good, unauthorized access to the system is trivial to a knowledgeable cracker. If user names or IDs are formed according to a convention, then all a cracker needs is knowledge of that convention and a list of employees to have a significant number of account names to work with.

Historically, if users are allowed to assign themselves passwords, they will use weak passwords that are easily guessed because they pick passwords that are easy to remember. Favorite passwords for users are names, nicknames, and initials of family and friends, combinations and parts of birthdays for family members, names of pets, models of car and words associated with hobbies. There is a widely reported case of crackers gaining multiple user accounts and passwords simply by passing out an innocent looking "survey" to company employees in the lobby of the company. In any sizeable pool of users some will use their account name as their password, if the system allows it.

Generally good passwords are passwords that are not subject to a dictionary attack. A dictionary attack is performed by passing the words from a dictionary or other list of words including common passwords, through the same encryption algorithm as that used to encrypt the password until the encrypted result matches the encrypted password. Some older UNIX systems make such attacks very simple.

Good passwords generally contain both letters and non letters such as digits, punctuation or symbols. Good passwords contain mixed case letters, one or more digits and one or more symbol or punctuation characters. Further, good passwords do not appear in any dictionary or online list of words or passwords.

A few really bad passwords that contain both letters and non letters follow: "abc123", "asdfjkl;", "bond007", "hal9000", "happy1", "jordan23", "number1", "seven7", "test1", "thx1138". If you miss why these were bad passwords the first time they were used, they are now bad passwords if for no other reason than they have appeared in widely available lists of common passwords.

Any example of a good password shown to multiple persons or widely disseminated, as in a book, immediately becomes a bad password. Also any password that is derived from the account name, such as by adding or removing characters or transposing them, is a bad password.
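A password policy check that applies the rules above (mixed case, at least one digit, at least one symbol or punctuation character, not in a list of common passwords, not derived from the account name), as an added example that is not part of the original page; the common-password set is constructed from the bad examples quoted above, and the "derived from the account name" test is one simple interpretation of adding, removing or transposing characters:

```python
import re
from typing import List

# Constructed stand-in for a "widely available list of common passwords":
# the bad examples quoted on the page, compared case-insensitively.
COMMON_PASSWORDS = {
    "abc123", "asdfjkl;", "bond007", "hal9000", "happy1",
    "jordan23", "number1", "seven7", "test1", "thx1138",
}


def derived_from_username(password: str, username: str) -> bool:
    """True if the password is the account name with characters added or
    removed (one contains the other) or transposed (same characters,
    different order). Comparison is case-insensitive."""
    p, u = password.lower(), username.lower()
    if not u:
        return False
    if u in p or p in u:        # characters added to, or removed from, the name
        return True
    return sorted(p) == sorted(u)   # characters of the name transposed


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the
    password passes every rule this check knows about."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common password list")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one symbol or punctuation character")
    if derived_from_username(password, username):
        problems.append("derived from the account name")
    return problems


if __name__ == "__main__":
    for pw in ("abc123", "Jsmith1!", "Vq7#mLp2!x"):   # constructed samples
        print(pw, "->", check_password(pw, "jsmith") or "ok")
```

Note that a password passing every rule here is still a bad password once it has been published anywhere, which is why the sample that passes is a throwaway value constructed for this example.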

I once worked at a small government agency where the two top administrators' personal accounts had full system administrator privileges. Usernames were simply the user's initials. Both insisted on using very easy to remember and guess passwords. I have forgotten how I came into possession of the top administrator's password, which was his last name; even after he was informed that his username and password were known, he refused to change them. I had an opportunity to observe a new, outgoing employee, who had quickly gotten to know the assistant administrator, guess his password in three or four tries; it was one of his daughter's names. For all practical purposes, this site had no computer security and those responsible for it simply did not care.

The worst security I ever saw was at a client site where the original system administrator account was still used with the original password and given to temporary employees. This company managed the financial affairs of celebrities and their system had more extremely sensitive personal and financial data than any other system I've ever seen. They allowed me to leave their site with a full copy of their database on a removable disk pack. The client list was small, but I recognized most. I was scared to possess such sensitive information, lest I might be the source of a leak. The first thing I did when I got back to my office, before making the system changes that were my job, was to mangle every name, address, phone number, social security, bank account, credit card and anything that might identify the client or be used illicitly. I had tried, unsuccessfully, to explain to the client how dangerous their situation was.


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.
