Category Archives: Passwords

How do you change your Unix password?

Posted by on February 6, 2006

The first thing you do when you get a new Unix account is change the password. No one should know your password except you. Default user passwords handed out by many system administrators follow a simple pattern (password100, 12345, etc.). It is your responsibility to change this the first time you access the system.

Log in to your Unix account (locally or remotely) with your current username and password. The messages may change from system to system, but the basics will be the same. Note that passwords are usually case sensitive.

The command to change your password is passwd. At the command prompt, type:

passwd

Hit enter. The system will say something like:

Changing password for {username}

Where {username} is your account login name.

Enter current password:

Type in your current password and hit enter.

New password:

Type your new password and hit enter.

Retype new password:

Retype your new password to make sure you didn’t enter it incorrectly.

passwd: all authentication tokens updated successfully.

Dictionary Attacks: “8@d P@55\/\/0rDz” Part 2

Posted by on January 30, 2006

One of the most common ways of protecting access to information or a computer account is with a username and a password. If someone wants to try to gain access to your account, the username is often quite easy to guess (email address, for example) so all they might need to figure out is the password.

One method of cracking the password is with a login dictionary attack.

With this kind of attack, software consecutively tries words from a list in a dictionary file (also known as a wordlist). While other attacks, like brute force attacks, are also effective, in real life dictionary attacks succeed so often because people base their passwords on short, easy-to-remember words. The larger the dictionary file, the better the chance the attack will succeed.

While a research attack requires some basic knowledge of a person or system, a dictionary attack can be effective without any starting point. However, if you know that someone speaks French, English, and Spanish, you can load up those three dictionaries as a starting point, effectively narrowing your focus to relevant choices.

You can easily find dozens of human-language dictionaries for these types of attacks in minutes. Why did I say human? There are also Vulcan, Klingon, and other non-human dictionaries available. Actually, word lists go way beyond basic language dictionaries. Celebrities, aircraft, cars, brand names, sports terms, model numbers, jargon, and pretty much anything else that someone might use for a password has been thought up and added to a word list.

Better attack software might also do character manipulation. It’s common practice for people to substitute the number zero for the letter o, for example, or the number one for the letter l.

The software might try:

  • dig, Dig, DIg, DIG, dIG, diG, dIg
  • dog, Dog, DOg, DOG, dOG, doG, dOg
  • dug, Dug, DUg, DUG, dUG, duG, dUg

as well as:

  • d1g, D1g, D1G, d1G
  • d0g, D0g, D0G, d0G
  • dvg, Dvg, DvG, dvG
  • dVg, DVg, DVG, dVG
  • d19, D19, d19
  • d09, D09, d09
  • dv9, Dv9, dv9
  • di9, Di9, DI9, dI9
  • do9, Do9, DO9, dO9
  • du9, Du9, DU9, dU9

Common character substitutions include:

  • A → 4
  • B → 8
  • E → 3
  • g → 9
  • T → 7
  • V → \/
  • i → 1
  • L → 1
  • O → 0
  • S → 5
  • M → /\/\
  • W → \/\/

Also, decent word lists will contain common (and not so common) misspellings. They will also contain keyboard patterns (asdf, qwerty) and common variations of any known pattern of characters that people tend to use.

Tip: don’t use words based on any kind of dictionary, even if you purposely misspell or manipulate the characters.
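The tip above is easy to enforce on the defending side: undo the case changes and character substitutions the post lists before comparing a proposed password against a wordlist. The following is an added example written for this page, not code from the original post; the small WORDLIST and the @ → a mapping are constructed for the demonstration.

```python
# Added example: a password-acceptance check that reverses the common
# substitutions described in the post before looking the word up, so
# "D0g", "d09", "g0lf" and "P@55\/\/0rD" are all treated as dictionary words.
import re

# Substitution table from the post, read backwards (digit/symbol -> letter).
# Multi-character sequences come first so "\/\/" becomes "w" before "\/" -> "v".
# "1" is handled separately because it may stand for either "i" or "l".
DELEET = [
    ("/\\/\\", "m"), ("\\/\\/", "w"), ("\\/", "v"),
    ("@", "a"), ("4", "a"), ("8", "b"), ("3", "e"),
    ("9", "g"), ("7", "t"), ("0", "o"), ("5", "s"),
]

# Constructed sample wordlist; a real check would load a large dictionary file.
WORDLIST = {"dog", "dig", "dug", "golf", "password", "qwerty", "asdf"}


def base_words(password):
    """Return the set of plain words a password may have been derived from."""
    lowered = password.lower()
    forms = {lowered}
    # Appended or prepended digits ("password100") are a common variation.
    forms.add(re.sub(r"^\d+|\d+$", "", lowered))
    out = set()
    for form in forms:
        for one in ("i", "l"):           # try both readings of "1"
            s = form.replace("1", one)
            for sub, letter in DELEET:
                s = s.replace(sub, letter)
            out.add(s)
    return out


def rejected(password, wordlist=WORDLIST):
    """True if any base form of the password is a dictionary word."""
    return any(word in wordlist for word in base_words(password))


if __name__ == "__main__":
    for candidate in ("D0g", "d09", "g0lf", "P@55\\/\\/0rD", "Qwerty2006", "correcthorse"):
        print(f"{candidate!r}: {'rejected' if rejected(candidate) else 'accepted'}")
```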

Research, Personal, and Guess Attacks: “8@d P@55\/\/0rDz” Part 1

Posted by on January 25, 2006

I was a system administrator in a previous life, and one thing that a sys admin does is creating user accounts and passwords. My boss was joking that I was taking my duties a little too seriously, so I suggested we guess the CFO’s password.

Four guesses to get in. It was his wife’s first name.

At another job before that, I found myself in a similar situation, showing the problem with their password guidelines. The password of a high-ranking officer was also guessed within minutes: golf. He was an avid golfer, which certainly gave us a starting point. It should have been my first guess, but I started with his kids. Priorities, I guess ;)

First of all, I’ll mention that I had permission to test the password strength in both cases. I would not recommend trying to hack any account unless you have proper authorization.

These are both examples of simply guessing a password based on some basic knowledge of the person. A research (a.k.a. personal) attack can be as simple as guessing passwords based on something you know about someone. If the person is a hockey fan, you try favourite teams, players, or sport brand names. There are entire dictionaries that can automate these kinds of attacks. A text file with several million hockey-related passwords could take minutes, hours, or days to crack a password. Of course, there are many countermeasures to these types of dictionary attacks, but those are for another time.

Imagine someone makes an application that has a bunch of fields like this:

  • First name, last name, date of birth, place of birth
  • Mother’s first name, last name, date of birth, place of birth, maiden name
  • Father’s first name, last name, date of birth, place of birth
  • Child’s first name, last name, date of birth, place of birth
  • Pet’s first name, last name, date of birth, place of birth
  • Home phone, address, fax, email, pager, cell
  • Work phone, address, fax, email, pager, cell
  • Auto details like license, make, model, colour
  • Hobbies, social clubs, pastimes
  • And so on.

They could rummage through your garbage (dumpster diving), take pictures of your house and car, look up information about you on the Web (don’t get me started!) or public records like the phone book, and plug in as much as they find. (If they are up on their social engineering and/or phishing, they have even more ammunition.)

Once they have harvested some basic data they could let the software generate different combinations, word/letter substitutions, etc. to create a list of potential passwords to try. The software could do a lot of work with very little research required.

Or, you can simply make some educated guesses. You would be sadly surprised at how often this works.
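The same field list works as a countermeasure: when a user picks a password, derive the tokens an attacker would harvest from the profile (names, dates in several layouts, phone digits) and reject passwords that contain one. This is an added example written for this page, not code from the original post; the PROFILE record and its field names are constructed for the demonstration.

```python
# Added example: reject passwords built from the personal details the post
# lists. Tokens shorter than 3 characters (or 4 digits) are ignored so that
# common letter pairs do not cause false rejections.
import re
from datetime import date

# Constructed sample profile, mirroring the fields in the post.
PROFILE = {
    "first_name": "Robert",
    "spouse_first_name": "Linda",
    "date_of_birth": date(1962, 7, 14),
    "pet": "Rex",
    "hobby": "golf",
    "home_phone": "555-0147",
    "email": "rob.smith@example.com",
}


def personal_tokens(profile):
    """Lowercase tokens a research attack would try, derived from the profile."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            # Year, day/month in both orders, and full dates in common layouts.
            for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
                tokens.add(value.strftime(fmt))
            continue
        text = str(value).lower()
        for part in re.split(r"[\s.@-]+", text):
            if len(part) >= 3:
                tokens.add(part)
        digits = re.sub(r"\D", "", text)
        if len(digits) >= 4:
            tokens.add(digits)          # full number
            tokens.add(digits[-4:])     # last four digits of a phone number
    return tokens


def derived_from_profile(password, profile):
    """Return the sorted list of profile tokens found inside the password."""
    lowered = password.lower()
    return sorted(t for t in personal_tokens(profile) if t in lowered)


if __name__ == "__main__":
    for candidate in ("Linda1962", "golf", "Rex0147", "correcthorse"):
        hits = derived_from_profile(candidate, PROFILE)
        print(f"{candidate!r}: {'reject ' + str(hits) if hits else 'no profile match'}")
```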