Passwords smashwords

Obtaining passwords just seems to be too easy. And the more I work in the industry, the more I realize that people just don’t take security seriously. So how paranoid should you be? How seriously should you take passwords? In a word: VERY.

Let’s start with the simple case. I know that a certain person’s email address is foo@bar.co.za and that his phone number is 0123456789. So, I check the MX records for bar.co.za, figure out the ISP, and guess a few names until I find the POP server (or simply phone the ISP and say “Hi, I’m Mr H Acker and I forgot what the name of your incoming mail server is, would you mind giving it to me quickly?” – most ISPs that I’ve worked with won’t think twice about answering that question). Now, phone the user and say something along the lines of “Hi, I’m Mr H Acker from Big.ISP and would like to quickly know what your email username and password are?”. I’m betting that at the moment at least 9 out of 10 users will quite happily oblige. You’ve just hacked an email account. Congrats. Yes, I’m serious – it’s that simple.

Second case, and for the sake of protecting THOUSANDS of ignorant ADSL users out there I won’t go into too much detail – but most ADSL routers allow (by default) the web interface to their configuration to be accessed from the LAN, WLAN or WAN. Yes, WAN implies from the internet. WLAN implies from a probably unsecured wireless access point. Now, imagine there is a way to quickly find the IPs of potentially vulnerable routers (and as a matter of fact, there is). HTTP isn’t exactly rocket science, and writing a script to log into those thousands of routers can be done with relative ease and rather quickly. If you’re not familiar with HTML you may not realize that a text box showing stars or circles in a password field doesn’t mean the password isn’t clearly readable in the HTML itself. Most routers supply this password when they display the “ISP Account details” page in the HTML. So the ability to log in on an ADSL router almost invariably gives you access to the full username and password of that user’s account. Given an hour or so of scripting, I can imagine putting together a script which would be able to gather at least a couple of hundred ADSL usernames and passwords in a matter of a few hours.
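As an added illustration of the masked-field point above (example code written for this post, not the author’s): a check you can run against the saved HTML of your own router’s configuration page to find password fields whose value is pre-filled in the page source. The sample pages are constructed; field names such as `ppp_password` are assumptions, not any particular vendor’s.

```python
from html.parser import HTMLParser

# Constructed sample: a WAN/PPPoE settings form that echoes the stored
# ISP password back into the page. The browser shows dots, but anyone
# who can fetch the page can read the value attribute.
LEAKY_PAGE = """<html><body><form action="/cgi-bin/wan" method="post">
<input type="text" name="ppp_username" value="user@bigisp.example">
<input type="password" name="ppp_password" value="s3cretPPPoE">
<input type="password" name="admin_pw" value="">
<input type="submit" value="Save">
</form></body></html>"""

# Constructed sample: the same form done properly. The password field is
# left empty and a placeholder tells the user the stored value is kept.
FIXED_PAGE = """<html><body><form action="/cgi-bin/wan" method="post">
<input type="text" name="ppp_username" value="user@bigisp.example">
<input type="password" name="ppp_password" value="" placeholder="(unchanged)">
<input type="submit" value="Save">
</form></body></html>"""


class PasswordFieldAuditor(HTMLParser):
    """Collect <input type="password"> elements whose value is pre-filled."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, length of leaked value)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Boolean attributes (e.g. "disabled") arrive with value None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            # Report only the length, never the secret itself.
            self.findings.append((a.get("name", "?"), len(a["value"])))


def audit_config_page(html: str):
    """Return (name, length) for every password field pre-filled in the HTML."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("fixed", FIXED_PAGE)):
        print(label, audit_config_page(page))
```

Fetch the page yourself while logged in (for example with curl, saving the raw HTML) and feed that file to `audit_config_page`; an empty result means the form does not echo stored credentials into the source.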

Users should get to the point that even when their ISP asks for their passwords they flatly refuse. They should refuse to email passwords under any and all circumstances. The first thing they do when they receive a new device should be to change any default passwords. However, I bet that the majority of people don’t do this. I’m also willing to bet that most people don’t think twice about handing out passwords – in fact, I’m aware of at least one company that hands out their website’s FTP details when asked for “your website address”! *sigh*. People really ought to take security much more seriously – a few basic habits can make a huge difference.

2 Responses to “Passwords smashwords”

  1. Juggernaut42 says:

    A while back I installed a server for a client. I used pwgen to generate a password for the admin account on the web interface of the server. When the client came to pick up the server I gave him the username and password. That evening, when I logged into the server to check if everything was still working, the client had changed the admin account’s password to ‘password’.

    I understand it for the ease of remembering passwords. But at least pick a password that I would not guess in my first 3 tries.

  2. admin says:

    At least the servers we install are firewalled in such a way that the password that’s exposed is only accessible from the LAN …