Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses.
Trojan, virus, and worm authors have had great success attacking systems with weak and/or default passwords. Take the IRC/Flood Trojan, for example. McAfee’s virus profile states that IRC/Flood has over 120 variants and has infected over 60,000 machines in the last 30 days. IRC/Flood succeeds by checking for 22 different easy-to-guess admin passwords (the exact set varies by variant). Unfortunately, there are many more where IRC/Flood came from: W32/Tzet.worm, W32/Random.worm, and W32.HLLW.Gaobot.gen are in the wild, just to name three.
Hackers also have no problem compromising systems with weak passwords. Programs like L0phtCrack, for example, make the process simple and efficient. Creating a password-cracking dictionary is not even a challenge. Type the words “Creating Password Cracking Dictionaries”, without the quotes, into your favorite search engine. A comprehensive dictionary can be downloaded or created from scratch in short order.
Below is a list of commonly used weak passwords that should NEVER be used. If any of these passwords look hauntingly familiar and are being used, you need to change the password immediately.
Alpha | Weak Passwords
A | a, A.M.I, A52896nG93096a, aaa, aammii, abc, abcd, academia, academic, accept, access, ACCESS, account, accounting, action, adam, ADAMS, adfexc, adm, admin, ADMIN, Admin, admin2, administrator, Administrator, adminttd, ADMN, admn, adrian, adrianna, adtran, adult, Advance, ADVMAIL, aerobics, alfarome, ALFAROME, ALLIN1, ALLIN1MAIL, ALLINONE, aLLy, ALLy, alpha, AM, AMI, AMI!SW, AMI.KEY, AMI.KEZ, AMI?SW, AMI_SW, AMI~, AMIAMI, AMIDECOD, amipswd, AMIPSWD, AMISETUP, anicust, anon, anonymous, any@, ANYCOM, AP2SVP, aPAf, APL2PP, APPLSYS, APPS, AQDEMO, AQUSER, ARCHIVIST, Asante, ascend, Ascend, asdf, asdfgh, at4400, attack, AURORA$ORB$UNAUTHENTICATED, AURORA@ORB@UNAUTHENTICATED, autocad, AUTOLOG1, Award, award, AWARD?SW, AWARD_SW, awkward
B | BACKUP, BATCH, BATCH1, BATCH2, bbs, bciim, bciimpw, bcms, bcmspw, bcnas, bcnaspw, bell9, BIGO, bin, bintec, BIOS, BIOSPASS, biosstar, biostar, Biostar, BIOSTAR, BLAKE, blue, bluepw, boss, BRIDGE, browse, browsepw
C | c, cablecom, cable-docsis, CAROLIAN, cascade, CATALOG, cc, CCC, ccrusr, CDEMO82, CDEMOCOR, CDEMORID, CDEMOUCB, central, CHANGE_ON_INSTALL, changeme, checkfs, checkfsys, checksys, CHEY_ARCHSVR, circ, cisco, Cisco router, CLARK, client, CLOTH, cmaker, CMSBATCH, CMSUSER, CNAS, COGNOS, Col2ogro2, comcomcom, COMPANY, Compaq, Compleri, computer, CONCAT, condo, CONDO, Congress, CONV, CPNUC, CPRM, cr0wmt 911, craft, craftpw, Crystal, CSPUSER, CTX_123, CTXDEMO, CTXSYS, cust, custpw, CVIEW
D | d.e.b.u.g, d8on, daemon, Daewuu, Database, databse, DATAMOVE, Daytec, DBSNMP, DCL, DDIC, death, debug, DECMAIL, DECNET, default, DEFAULT, Dell, DEMO, demo, DEMO1, DEMO8, DEMO8, demos, deskalt, deskman, desknorm, deskres, DESQUETOP, dhs3mt, dhs3pms, diag, diamond, DIGITAL, DISC, disttech, D-Link, dn_04rjc, dni, DS, DSA
E | EARLYWATCH, echo, EMP, enable, eng, engineer, enquiry, enquirypw, enter, ESSEX, EVENT, Ezsetup
F | fal, FAX, fax, FAXUSER, FAXWORKS, FIELD, field, FIELD.SUPPORT, FINANCE, FND, foobar, friend, ftp
G | g6PJ, games, ganteng, GATEWAY, GEN1, gen1, GEN2, gen2, glftpd, gnumpf, god, godblessyou, gonzo, gopher, GPLD, gropher, guessme, guest, GUEST, Guest, guest1, GUESTGUE, guestgue, GUESTGUEST
H | h6BB, hacker, halt, HARRIS, hax0r, HELGA-S, HELLO, hello, HELP, help, HELPDESK, HEWITT RAND, hewlpack, HLT, home, Home, HOST, HP, hp, HPDESK, HPLASER, HPOFFICE, HPOFFICE DATA, HPONLY, HPP187, HPP187 SYS, HPP189, HPP196, HPWORD PUB, hydrasna
I | I5rDv2b2JjA8Mm, ibm, IBM, ibmcel, ihavenopass, ILMI, inads, indspw, INFO, informix, INGRES, init, initpw, install, Internet, IntraStack, IntraSwitch, INTX3, INVALID, IPC, IS_$hostname, ITF3000, iwill
J | j09F, j256, j262, j322, j64, JDE, Jetform, JONES
K | kermit, kiddie, komprie, ksdjfg934t
L | l2, l3, laflaf, lantronix, LASER, LASERWRITER, last, lesarotl, letacla, letmein, LIBRARY, lineprin, LINK, lkw peter, lkwpeter, LKWPETER, Lkwpeter, llatsni, locate, locatepw, login, looker, LOTUS, love, lp, lpadm, lpadmin, lucenttech1, lucenttech2, lynx
M | MAIL, mail, MAILER, maint, maintain, maintpw, man, manager, Manager, MANAGER, MANAGER.SYS, Master, MASTER, masterkey, MBIU0, MBMANAGER, MBWATCH, mcp, MDSYS, me, merlin, mfd, MFG, MGR, MGR.SYS, MICRO, MILLER, mirc, mlusr, mMmM, MMO2, MODTEST, monitor, MOREAU, mountfs, mountfsys, mountsys, MPE, mtch, mtcl, MTYSYS, my_DEMARC, mypass, mypc
N | n/a, naadmin, NAMES, ncrm, NETBASE, NETCON, NETFRAME, NetICs, netlink, netman, NETMGR, NETNONPRIV, NETOP, netopia, NETPRIV, netrangr, netscreen, NETSERVER, NETWORK, NEWINGRES, NEWS, news, NeXT, NF, NFI, NICONEX, nms, nmspw, nobody, noway, NONPRIV, ntacdmax, nuucp
O | OCITEST, oem_temp, op, OP.OPERATOR, operator, OPERATOR, OPERVAX, oracle, ORDPLUGINS, ORDSYS, OUTLN, OutOfBox, owner
P | PAPER, pass, PASS, Pass, passwd, Passwd, PASSWORD, password, Password, pat, patrick, PBX, pc, PCUSER, PDP11, PDP8, PFCUser, PHANTOM, phoenix, piranha, pmd, PO, PO8, poll, Polrty, POST, Posterie, postmast, POSTMASTER, postmaster, POWERCARTUSER, powerdown, PRIMARY, prime, primenet, primeos, primos, primos_cs, PRINT, PRINTER, PRIV, private, prost, PSEAdmin, public, PUBSUB, pw, pwd, pwp
Q | q, Q54arwms, QDI, qpgmr, qsecofr, qserv, qsrvbas, qsvr, qsysopr, quser, qwer
R | raidzone, rcust, rcustpw, RE, read, readonly, readwrite, REGO, REMOTE, replicator, REPORT, RJE, rje, RM, RMAIL, rmnetlm, RMUser1, ro, ROBELLE, ROOT, root, Root, ROOT500, ROUTER, router, RSBCMON, RSX, rw, rwa, rwmaint
S | sa, SABRE, SAMPLE, san fran 8, SAP*, satan, SCOTT, script, scriptkiddie, SECDEMO, secoff, secofr, secret, secure, security, SECURITY, SER, sertafu, server, service, SERVICE, servlet, SETUP, setup, sex, shutdown, signa, SKY_FOX, sldkj754, smile, snake, SnuFG5, software, sp99dd, Spacve, spcl, speedxess, SPOOLMAN, spooml, star, STEEL, STUDENT, su, Super, super, SUPERVISOR, support, SUPPORT, supportpw, switch, SWITCHES_SW, Sxyz, SY_MB, sybase, sync, synnet, SYS, sys, sysadm, SYSADM, sysadmin, sysbin, SYSDBA, SYSLIB, syslib, SYSMAINT, SYSMAN, Sysop, system, SYSTEM, system_admin, SYSTEST, SYSTEST_CLIG, syxz, SZYX
T | t0ch20x, t0ch88, TCH, teacher, tech, technolgi, tele, TELEDEMO, TELESUP, temp, temp1, TEST, test, testing, teX1, tiara, TIGER, tini, Tiny, tlah, topicalt, topicnorm, topicres, Toshiba, toshy99, tour, TRACE, TRACESRV, trancell, trouble, TSDEV, TSEUG, TSUSER, TTPTHA, tutor, TzqF
U | uClinux, UETP, umountfs, umountfsys, umountsys, unix, User, user, USER, USER_TEMPLATE, USER0, USER1, USER2, USER3, USER4, USER5, USER6, USER7, USER8, USER9, USERP, uucp, uucpadm, uwontguessme
V | VAX, VESOFT, Vextrex, VMS, VNC, VRR1
W | WANGTEK, web, WebAdmin, WebBoard, webdb, weblogic, webmaster, win, WINDOWS_PASSTHRU, WINSABRE, winterm, wodj, WOOD, WORD, WP, wradmin, write, www
X | xljlbj, XLSERVER, xo11nE, xp, xxx, xxxx, xxxxx, xxxxxx, xxxxxxx, xxxxxxxx, xxxxxxxxx, xyzall
Y | YES, youwontguessme, yxcv
Z | zbaaaca, Zenith, zeosx, zxcv
Numeric | 0, 1, 1.1, 2, 5, 7, 12, 30, 110, 111, 123, 1111, 1234, 2002, 2003, 2222, 2600, 8429, 12345, 54321, 111111, 121212, 123123, 123456, 166816, 256256, 654321, 1234567, 1322222, 7061992, 11111111, 12345678, 19920706, 22222222, 88888888, 123456789, 1. 1, 1234qwer, 123abc, 123asd, 123qwe, 1RRWTTOOI, 240653C9467E45, 24Banc81, 3098z, 3ep5w2u, 4Dgifts, 4getme2, 4tas, 57gbzb
Other | !@#$, !@#$%, !@#$%^, !@#$%^&, !@#$%^&*, !root, $ALOC$, $secure$, $system, %username%12, %username%123, %username%1234, (none), ?award, }
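As an added example (not code from the original post), here is a Python denylist check a defender can put in front of password changes. It uses a small constructed subset of the table above, matches case-insensitively (the table lists admin/ADMIN/Admin separately), expands the "%username%" template entries for the actual user and, going beyond the three listed forms, rejects the username followed by any number of digits; treating an empty password as the "(none)" entry is an assumption.

```python
"""Weak-password denylist check (added example, not from the original post)."""
import re

# Constructed subset of the weak-password table above; a real deployment
# would load the complete list from a file.
WEAK_PASSWORDS = {
    "admin", "password", "letmein", "changeme", "123456", "qwer",
    "CHANGE_ON_INSTALL", "%username%12", "%username%123", "%username%1234",
    "(none)", "!@#$%^",
}


def _normalize(pw: str) -> str:
    # Case-insensitive comparison catches every capitalisation variant at once.
    return pw.strip().lower()


def expand_templates(entries, username: str) -> set:
    """Turn '%username%NNN' entries into concrete strings for this user."""
    out = set()
    for entry in entries:
        if "%username%" in entry:
            out.add(_normalize(entry.replace("%username%", username)))
        else:
            out.add(_normalize(entry))
    return out


def is_weak(password: str, username: str, denylist=WEAK_PASSWORDS) -> bool:
    """True when the password is empty, on the list, or a username+digits form."""
    if not password:  # assumption: an empty password is the table's "(none)" entry
        return True
    candidate = _normalize(password)
    if candidate in expand_templates(denylist, username):
        return True
    # Generalise the %username%12 / %username%123 / %username%1234 entries:
    # the bare username followed by any run of digits (including none).
    pattern = re.escape(username.lower()) + r"\d*"
    return re.fullmatch(pattern, candidate) is not None


def check_password(password: str, username: str) -> str:
    """Policy decision for a proposed password: 'reject' or 'accept'."""
    return "reject" if is_weak(password, username) else "accept"


if __name__ == "__main__":
    for pw in ("Admin", "jsmith1234", "jsmith", "", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, "jsmith"))
```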
Additional Information about Strong Passwords
The links below contain policies, guidelines, practices, and general protection information about weak and strong passwords.
Password Policy from SANS
Password Security from Red Hat
How to create stronger passwords from Microsoft
Protecting Yourself from Password File Attacks from CERT Coordination Center
There are many things in life that are worth protecting. Our children, our valuables, our resources and of course, ourselves. Only twenty years ago, if security was mentioned, you were speaking of protecting your home. And you were most likely discussing a security system, monitoring, watchdogs, firearms and cameras.
With the explosion of the personal computer, and the internet’s ease of access to information, security has now taken on additional roles. With over 605 million people online at any given moment worldwide, criminals are no longer bound by geographic location. Today’s cyber criminal can hack from the comfort of his home just by getting online.
There are software programs that do nothing but scan the internet for unsecured ports and open networks so that their operators can enter those unprotected machines and access critical information. Many users know little about internet security and rely on their ISP to provide it for them.
To look deeper into this topic, let’s examine the qualities that make the two kinds of security both similar and different. With your home, you have a physical area that you can protect with fire and motion sensors, cameras, glass-break detectors and decals strategically placed to deter would-be thieves. With your computer, you protect a virtual space that usually contains sensitive information relevant to your personal finances or key identity-theft items such as family names and social security numbers. To protect these resources, one must install software (anti-virus, port scanners, Trojan-hunting software, firewalls) as one level of protection. You can also add another layer of security through a hardware firewall controlling connectivity to and from the internet or network.
Both home security and computer security have maintenance costs associated with them. Reliable home security will usually consist of a one-time fee to install the hardware in your home, and then an agreement to have 24-hour monitoring service for a given length of time. Computer security will consist of buying the software and then either a monthly or yearly subscription fee to receive the latest information and protection from internet threats.
One difference between the two is the method of monitoring. While computer security is only responsive while the computer is active or online, home security monitoring is responsive at all times, provided the system is properly armed.
Another distinction is the method of response. In home security, a human will respond by dispatching police, fire or EMS directly to your home or business site. On a computer, the response is when the software vendor becomes aware of the problem, creates a solution, and has an update available for download.
With the advances of technology, monthly fees for home security monitoring are reasonable for the service they provide. Be warned: not all monitoring companies have the same capabilities when it comes to quick response. That’s one reason why it’s a good idea to make sure that any security company you choose has a UL certification. This can be critical as it indicates that the security company has met stringent standards for management system compliance (such as a back up source of power). The same methodology should apply for a security software provider. Just because they say they’re the best, doesn’t mean that they are. Due diligence is the user’s responsibility. Your information is too valuable to be taken lightly.
Both home security and cyber security are similar to having insurance. You have it, but you hope you never need it. And if you do need it, you want a company or vendor that has a history of excellent customer service.
There are those people who think that having a firearm is all they need for protection. While that may hold true in some form, a firearm won’t let you know if someone is trying to enter your home through the back door while you are sleeping and notify you or the authorities. Another common perception is that a watchdog will alert a homeowner to intrusion, but again, man’s best friend sleeps 10 to 12 hours a day and can’t notify the police.
Some computer users claim that they can detect a virus by the email that carries it, with its obvious taglines meant to get the user to open it and infect the machine. Not all viruses arrive in emails, although that is the most common form. They can also be uploaded to a website, or embedded in Java applets or ActiveX controls.
Trojans, which can log all of the user’s keystrokes and sites visited, are secretly downloaded in the form of free games or free software, and are undetectable by anti-virus software. This is the preferred method of attack by a hacker on a machine. By not altering the performance of a machine (as a virus or worm does), the user blissfully continues to use their machine to make online purchases and enter sensitive information, thinking they are secure, while the Trojan secretly records all of the information and simply sends it to the hacker at designated intervals.
Many times a decision about security measures for your home or computer is based on budgetary constraints. But always consider what it is that you are protecting and how much you would pay to get back whatever was stolen, lost or destroyed if an unfortunate event occurred in your life.
October 7, 2008
1) Security Consultant’s Perspective…
Regardless of your type of business, size or location, the threat of workplace violence and terrorism is all around us these days. It could involve you, your employees and your business at any time. Protective measures may seem a bit theatrical, yet failure to be vigilant or to exercise due diligence could result in a disaster or a civil suit. I believe protecting the workforce is a never-ending task of vigilance, awareness and training. Protecting the Mail Rooms and educating your workforce is all part of the workplace security process. All employees should be given a security awareness briefing on the topic of handling suspicious pieces of mail, the need to protect the Mail Room from unauthorized personnel and general Mail Room security measures.
2) The Mail Room Threat…
The handling and processing of incoming mail today remains a business’s weakest point. Incoming mail is not routinely isolated as a matter of protective measures, delivery personnel are not restricted from building access, employees may or may not know what to look for and what to do when handling suspicious packages or letters, there are no control points governing access, and letters and packages to senior officers are not given extra precautionary attention. It is unlikely that most mailroom employees are cleared, are familiar with basic security procedures, or have been trained in Mail Room security procedures. The potential nightmare remains the lack of security awareness and of the ability to recognize suspicious mail: what to look for and what to do.
3) Recommendations…
Supervisors and managers should ensure that some form of security awareness is incorporated into day-to-day operations. All employees should at a minimum know the basic mail-handling security measures. It does not take much time to impart information to a group of employees using the “Stand-up Talk”, a technique used by the Postal Service to provide information to a large group of employees without disrupting operations. Normally the “Stand-up Talk” lasts between 15 and 20 minutes. “Stand-up Talks” are quite an effective method of communication in this way.
4) What to do in case of a suspicious piece of mail…?
This area requires attention to detail and discipline. If you notice a suspicious letter or package during routine mail handling, or if you’ve received a piece of suspicious mail, take the following steps: don’t handle it; evacuate the premises, or at the very least the area around the piece; and follow your security plan by notifying your supervisor and the appropriate emergency service personnel listed in the security plan.