It's Not Glitzy, but Password Vigilance Still Vital

Carl Weinschenk

The yin and yang of password security is amply illustrated in this piece at ServerWatch about an open source tool called John the Ripper. The writer presents it as a way for IT to identify vulnerable passwords before the bad guys do. The truth of the matter, however, is that nothing stops malicious individuals from running John the Ripper first: a password cracker works the same way for whoever holds the hash list, so its value to defenders depends entirely on finding the weak passwords before an attacker obtains the hashes.
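To make the "audit your own hashes before the attacker does" point concrete, here is an added example (not code from the original post, from ServerWatch, or from the John the Ripper project) of the technique in miniature: a constructed list of accounts with unsalted SHA-256 password hashes, a tiny wordlist, and a few mangling rules of the kind John applies by default. The account names, passwords and wordlist are invented for the demonstration; a real audit uses the actual tool against the real hash format.

```python
"""Miniature offline password audit in the spirit of John the Ripper.

Added example, not from the original post. The accounts, passwords and
wordlist below are constructed for the demo. Real password stores use salted,
slow hashes (bcrypt, scrypt, Argon2, PBKDF2); unsalted SHA-256 is used here
only so the example runs instantly and stays self-contained.
"""

import hashlib


def _h(pw: str) -> str:
    """Hash function the (hypothetical) system uses to store passwords."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample: what an auditor actually gets is the hash, not the
# plaintext. Three typical weak choices and one random-looking password.
ACCOUNTS = {
    "alice": _h("password"),
    "bob":   _h("Summer2008!"),
    "carol": _h("letmein123"),
    "dave":  _h("correct-horse-7Q$kz"),   # should survive this audit
}

# Tiny wordlist standing in for a real one (which runs to millions of lines).
WORDLIST = ["password", "letmein", "summer", "welcome", "qwerty"]


def mangle(word: str):
    """Yield candidate passwords derived from one base word.

    Rules mirror the common ones in cracker rule sets: capitalisation
    variants, simple leet substitutions, appended digits, years and '!'.
    """
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.replace("a", "@").replace("e", "3").replace("o", "0")
              for b in list(bases)}
    suffixes = ([""] + [str(n) for n in range(10)] + ["123", "1234", "!", "1!"]
                + [str(y) for y in range(2000, 2011)]
                + [str(y) + "!" for y in range(2000, 2011)])
    for b in bases:
        for s in suffixes:
            yield b + s


def audit(accounts: dict, wordlist) -> dict:
    """Return {username: recovered_password} for every crackable account.

    A reverse index (hash -> users) means each candidate is hashed once no
    matter how many accounts share the store, which is also why unsalted
    hashes are so cheap to attack in bulk.
    """
    by_hash = {}
    for user, digest in accounts.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            d = _h(cand)
            if d in by_hash:
                for user in by_hash[d]:
                    cracked[user] = cand
    return cracked


if __name__ == "__main__":
    for user, pw in sorted(audit(ACCOUNTS, WORDLIST).items()):
        print(f"{user}: weak password recovered -> {pw!r}")
```

Run as a script it reports alice, bob and carol; dave's password is not in the wordlist-plus-rules space and survives. The same code run by an attacker who has stolen the hash file produces the same list, which is the whole point of the paragraph above.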


The Internet is rife with password security problems. For instance, Dark Reading links to a blog posting from an IBM Internet Security Systems security strategist on the vulnerability of webmail passwords. Indeed, there are hacker services that offer to break the Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) checks on webmail authentication systems and to deliver the passwords of targeted accounts. They even promise to keep supplying the new passwords as the target changes them. Webmail systems rarely offer encryption and are so simple that they are hard to protect. The best advice is to educate users about what information shouldn't be entrusted to these convenience-first platforms.


There are a couple of basic but useful things in this posting on password security. The writer suggests being very careful about using open public Wi-Fi networks. He also points out that it is human nature to use the same password for all online activity, which obviously is risky: one compromised site exposes every other account. A way to alleviate the problem while preserving the convenience of an easily remembered password is to combine it with a different set of random characters, numbers and symbols for each system on which it is used. The caveat is that a per-site portion chosen by hand tends to follow a pattern (the site's name, a counter), so an attacker who learns one site's password can often guess the others; the per-site portion has to be genuinely unpredictable.
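The following added example (not from the original post or the blog it summarizes) mechanises the "memorable base plus per-site material" idea, and goes one step beyond the text: instead of a hand-appended suffix, the per-site password is derived from the base with PBKDF2-HMAC-SHA256 keyed on the site name, so two sites never share a password and learning one site's password does not reveal the base. The master secret and site names used here are invented for the demonstration.

```python
"""Derive a distinct password per site from one memorable master secret.

Added example, not from the original post. This is the idea of "base
password plus per-site material" done with a key-derivation function rather
than a guessable hand-made suffix. The master and site names are made up.
"""

import base64
import hashlib


def derive_site_password(master: str, site: str, length: int = 16,
                         iterations: int = 200_000) -> str:
    """Deterministically derive a site-specific password.

    PBKDF2 makes each site's password a one-way function of (master, site):
    recovering the master from a leaked site password requires guessing the
    master itself, and no pattern links one site's password to another's.
    The site name is canonicalised so that 'Mail.Example.com' and
    'mail.example.com' yield the same password.
    """
    salt = site.strip().lower().encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              iterations, dklen=32)
    # urlsafe base64 yields letters, digits, '-' and '_'; trim to length-1
    # and append a fixed symbol so sites that demand punctuation accept it.
    pw = base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length - 1]
    return pw + "!"


def passwords_are_distinct(master: str, sites) -> bool:
    """True if no two of the given sites derive the same password."""
    pws = [derive_site_password(master, s) for s in sites]
    return len(set(pws)) == len(pws)


if __name__ == "__main__":
    master = "correct-horse-battery"          # invented master secret
    for site in ["mail.example.com", "bank.example.net", "shop.example.org"]:
        print(f"{site:20} {derive_site_password(master, site)}")
```

The trade-off is that changing the master changes every site's password at once, and a site that forces a password change needs a version counter folded into the salt; a password manager with truly random per-site passwords avoids both problems, and this derivation is the fallback when one is not available.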


Abe on Tech offers a more systematic listing of the dos and don'ts of password security. He starts with more than a dozen things not to do, with suggestions for addressing each, then lists eight things that should be done. The final list provides 22 things not to include in passwords. The strength of the piece is that it goes beyond the intuitive and commonly known items in each category and offers more subtle suggestions that are more likely to thwart attackers.


A big challenge -- as ably described in this MSNBC piece -- is how much personal information is publicly available. Crackers can harvest data from social networking sites and from online databases that may hold vital details in old resumes, job applications and elsewhere. Indeed, the story demonstrates that finding and using this information isn't even particularly difficult. An attacker can then use it to satisfy a provider's account-recovery checks and get the victim's password reset.


Enterprises should not assume that password problems exist only in the consumer world. People use webmail for work -- whether or not the company knows or approves -- and play fast and loose with passwords in other ways too. Smart organizations must continue to pay close attention, deploy the right software and educate employees about password safety.

Sep 13, 2008 3:29 AM [commenter name unreadable in source] says:
good luck!
Sep 19, 2008 12:14 PM Dan Chmielewski says:
You are talking about the "users needing to beef up their passwords"? With the recent problems on Wall Street and with companies needing to do layoffs, most IT departments are not prepared to deal with the change in credentials needed for both user systems and critical backend systems (server farms) that have embedded credentials that are hard to change, yet may remain unchanged for years after IT staff have been discharged. Third party applications like those from Lieberman Software Corporation provide an effective "locksmith" toolset that can locate and change the credentials of common critical accounts, which would not be possible were the change operation attempted by hand or via scripts.
Oct 11, 2008 1:00 AM NoWares says:
A very informative post. Thanks for all the info! Useful when creating new accounts.
