Honeypots are a lot of fun for security professionals. We get to trick the tricksters who try to trick security systems. These opportunities give us whitehats a chance to be a little devious for once and get in the heads of those we are protecting against.
So Microsoft ran a little honeypot of their own to collect data on the kinds of automated password attacks hackers use to break into user accounts. They stood up a fake FTP server and let attackers go to town guessing its passwords for about a year. The FTP server logged every login attempt, so the usernames and passwords being tried could be collected and analyzed.
The honeypot gathered hundreds of usernames and tens of thousands of passwords used in automated attacks. The data confirmed a few things we already knew, chiefly that the most common password guesses mirror the most commonly used passwords. But it also told us one thing we did not already know about password guessing: simply having a long password isn't good enough anymore if it is still dictionary-based. The honeypot attackers routinely tried passwords 8-10 characters long and went as far as 10, 15, or 20 characters. The data also showed that hackers are persistent, even when the guessing is automated. One tenacious attacker tried 400,000 passwords against the fake FTP server.
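To show how the numbers above come out of a honeypot's records, here is an added analysis example (not Microsoft's code, and the original post does not describe their log layout). It assumes a constructed log format of one failed login per line, "timestamp source-IP username password", and reports the per-source attempt counts that expose a persistent attacker, the usernames most often targeted, and the distribution of guessed-password lengths in the bands the post mentions.

```python
from collections import Counter

# Constructed honeypot log, one failed login per line:
# timestamp, source IP, username tried, password tried.
# The format and the entries are assumptions for this example.
LOG = """\
2023-05-01T10:00:01Z 198.51.100.7 admin admin
2023-05-01T10:00:02Z 198.51.100.7 admin password
2023-05-01T10:00:03Z 198.51.100.7 admin password123
2023-05-01T10:00:04Z 198.51.100.7 admin Password123!
2023-05-01T10:00:05Z 198.51.100.7 root qwertyuiop1234
2023-05-01T10:00:06Z 198.51.100.7 root administrator2023
2023-05-01T10:00:07Z 198.51.100.7 ftp ftpftpftpftpftpftp
2023-05-01T10:01:00Z 203.0.113.9 admin 123456
2023-05-01T10:01:01Z 203.0.113.9 test test
2023-05-01T10:02:00Z 192.0.2.44 anonymous guest
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, username, password) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=3 keeps any spaces inside the guessed password intact
        ts, ip, user, pw = line.split(" ", 3)
        records.append((ts, ip, user, pw))
    return records


def attempts_by_source(records):
    """Count login attempts per source IP."""
    return Counter(ip for _, ip, _, _ in records)


def persistent_sources(records, threshold):
    """Source IPs whose attempt count reaches the threshold; the post's
    400,000-attempt attacker would stand out with any sane threshold."""
    return {ip: n for ip, n in attempts_by_source(records).items() if n >= threshold}


def top_usernames(records, k):
    """The k usernames attacked most often, as (username, count) pairs."""
    return Counter(user for _, _, user, _ in records).most_common(k)


def length_buckets(records):
    """Histogram of guessed-password lengths in the bands the post discusses."""
    buckets = Counter()
    for _, _, _, pw in records:
        n = len(pw)
        if n < 8:
            buckets["<8"] += 1
        elif n <= 10:
            buckets["8-10"] += 1
        elif n <= 15:
            buckets["11-15"] += 1
        else:
            buckets["16+"] += 1
    return buckets


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("attempts by source:", dict(attempts_by_source(recs)))
    print("persistent (>=5):  ", persistent_sources(recs, 5))
    print("top usernames:     ", top_usernames(recs, 3))
    print("length buckets:    ", dict(length_buckets(recs)))
```

On the constructed sample one source makes seven of the ten attempts, "admin" is the target in half of them, and half of the guesses are already over ten characters, which is the pattern the post describes in miniature.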
The emphasis on password strengthening is now more relevant than ever with the reemergence of "L0phtCrack", a password auditing tool. L0phtCrack cracks passwords at high speed by working through a dictionary of words, applying rules to form probable variants (case changes, digit and symbol suffixes, letter substitutions), and testing each candidate against captured password hashes. Because it works offline against hashes rather than against a live login prompt, nothing slows it down the way a lockout or rate limit would slow the attackers the honeypot saw. Otherwise it uses the same guessing strategy as the automated password crackers the hackers use, just for whitehat purposes. Of course, critics worry that L0phtCrack is a double-edged sword, since it could be used for that very purpose.
A strong password is still the cheapest protection you control. As long as your password follows the basic strengthening guidelines (length, a mix of letters and digits, case variance, special characters) and, just as important, is not a dictionary word dressed up to satisfy those guidelines, it should survive automated guessing. The checklist alone is no guarantee: a capitalized dictionary word with a year and an exclamation mark on the end ticks every box and is exactly what a dictionary cracker tries first.
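To make the two preceding paragraphs concrete, here is an added example (my own illustration, not L0phtCrack's code or Microsoft's data) of a dictionary audit with mangling rules, run against a few constructed hashes. The wordlist, the rule set and the use of unsalted SHA-256 as the hash are all assumptions for the example; L0phtCrack targets Windows LM/NTLM hashes, but the choice of hash does not change the argument. It also checks each sample against the usual strength checklist, so you can see a password pass every guideline and still fall to the dictionary.

```python
import hashlib
import itertools

# Constructed stand-in for a cracking dictionary; a real audit would load a
# wordlist of many thousands of entries (assumption for this example).
WORDLIST = ["password", "welcome", "letmein", "dragon", "sunshine", "football"]

# Mangling rules of the kind dictionary crackers apply on top of each word:
# letter-for-symbol substitutions and common suffixes (assumed rule set).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2023", "2023!"]


def mangle(word):
    """Yield every candidate password derived from one dictionary word."""
    bases = {word.lower(), word.upper(), word.capitalize()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def hash_pw(password):
    """Unsalted SHA-256 stands in for a real credential hash (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_guidelines(password):
    """The usual checklist: length, upper, lower, digit, special character."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def audit(target_hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every hash recovered from the wordlist."""
    wanted = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = hash_pw(candidate)
            if h in wanted:
                found[h] = candidate
                wanted.discard(h)
            if not wanted:
                return found
    return found


if __name__ == "__main__":
    # Constructed samples: two guideline-compliant dictionary derivatives and
    # one random string of similar length.
    samples = ["P@ssw0rd2023!", "Welcome123", "xq7Lm2vP9kTz!"]
    recovered = audit([hash_pw(p) for p in samples])
    for p in samples:
        status = "cracked" if hash_pw(p) in recovered else "survived"
        print(f"{p:16} guidelines={str(meets_guidelines(p)):5} {status}")
```

"P@ssw0rd2023!" is thirteen characters with upper case, lower case, digits and symbols, passes the checklist, and is recovered after a few hundred candidates because it is "password" plus three rules. The random thirteen-character string is not in any mangled output, which is the only property the guidelines were ever a proxy for.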