If we stick with only alpha-numeric passwords from 2019 on the Wikipedia list, these simple passwords are crazy easy to defeat. password, iloveyou, admin, lovely, welcome, princess, and dragon top their list. If these are the top of the list then we can only imagine what other words are commonly used but are not used quite enough to make the list. Granted there are other mitigation techniques to this type of attack such as a limit on the number of attempts, source of login restriction, or up-to-day blacklists to name a few. This still doesn’t excuse the use of extremely weak passwords based on the dictionary.
I’ve posted in the past about tools you could use which have dictionaries built in and are able to speed through them in their attempts to log into the account. On top of that, rainbow tables already include most (if not all) of the dictionary and can match a simple dictionary password extremely fast. In reality we have to take into considerations the default password on customer devices such as DSL Modems, Cable Modems, SoHo Routers, and switches to name a few. These are most likely the biggest culprit of these easy dictionary passwords. Still when you weed out those from the list, there are plenty of other simple dictionary passwords that are in use.
What is really boils down to is the fight in regards to “ease of use” vs “secure environment”. Why do people use simple dictionary passwords? They are simple to use. I’ve seen a meme that says “I changed all my passwords to incorrect so whenever I forget it will tell me that my password is incorrect”. There is always some truth in every joke and this joke really has application to why a dictionary attack works. Just last week I went to log into a bank and couldn’t remember my password. I tried to reset it but it told me that I couldn’t re-use a password that I previously used. What happened is that I was forced to change my password so many times that I didn’t even know my own password and was forced to use a password I never remember. Hence the introduction of simple passwords brought from frustration.
End users will almost always use the most simple password that they can come up with. If their favorite childhood book is “The Cow Jumped Over the Moon” and they have a fond memory of it, their password is now “thecowjumpedoverthemoon”. The point that I would like taken away from this is to make sure and use a secure password that will be much less vulnerable to a dictionary attack while still maintaining ease of use. Enforce a password policy that lets the user have a password they can remember such as “thec0wjump$dOVERthem00n” without making your organization vulnerable to a dictionary attack. Aka, not that password.
No comments:
Post a Comment