
The Speed and Efficiency of Modern Password-Cracking Techniques

 

With minimal expense and a bit of time, passwords can be cracked much faster than expected using a smart brute-force guessing algorithm. A recent analysis by Kaspersky revealed that 59% of 193 million real passwords were cracked in under an hour, with 45% broken in less than a minute. 

However, as explained by Antonov from Kaspersky, "smart guessing algorithms are trained on a data set of passwords to determine the frequency of various character combinations, starting with the most common and working down to the rarest." Although brute-force attacks are popular due to their straightforward approach, they are not the most efficient method for password cracking. Most commonly used passwords contain predictable patterns like dates, names, dictionary words, and keyboard sequences. Incorporating these patterns into the algorithm speeds up the cracking process significantly. 

The Kaspersky study demonstrated the advantage of combining brute-force and smart-guessing techniques. Pure brute force cracked 10% of passwords in under a minute, but this success rate jumped to 45% with the addition of smart-guessing. For passwords cracked between one minute and one hour, the success rate increased from 20% to 59%. Humans are generally not good at creating secure passwords because the choices are rarely random. We tend to use familiar elements that smart-guessing algorithms can easily identify: common names, important dates, and recognizable patterns. 
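The frequency idea Antonov describes can be turned around and used as a strength check at password-set time. The sketch below is an added example, not code from Kaspersky or from the original post: it trains a character-pair frequency model on a small constructed list and scores how predictable a candidate password is. The training list, the 95-character alphabet and the threshold are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample standing in for a leaked-password training set.
TRAINING = [
    "123456", "password", "qwerty", "abc123", "password1", "iloveyou",
    "12345678", "qwerty123", "letmein", "welcome1", "summer2023",
    "admin123", "monkey", "dragon", "1q2w3e4r",
]
START = "\x02"                      # marker for "beginning of password"
ALPHABET = 95                       # printable ASCII, used for add-one smoothing
UNSEEN_BITS = math.log2(ALPHABET)   # lowest possible cost of a never-seen pair


def train(passwords):
    """Count how often each character follows each other character."""
    model = defaultdict(Counter)
    for pw in passwords:
        prev = START
        for ch in pw:
            model[prev][ch] += 1
            prev = ch
    return model


def surprise_bits(model, password):
    """Sum of -log2 P(char | previous char); a low total means common pairs."""
    total, prev = 0.0, START
    for ch in password:
        followers = model.get(prev, Counter())
        p = (followers[ch] + 1) / (sum(followers.values()) + ALPHABET)
        total -= math.log2(p)
        prev = ch
    return total


def is_predictable(model, password):
    """Flag passwords whose average per-character cost is below unseen text."""
    return surprise_bits(model, password) / max(len(password), 1) < UNSEEN_BITS


MODEL = train(TRAINING)

if __name__ == "__main__":
    for candidate in ["password12", "Summer2023", "k7#Vq9!xZt"]:
        print(f"{candidate:12} {surprise_bits(MODEL, candidate):6.1f} bits "
              f"predictable={is_predictable(MODEL, candidate)}")
```

Capitalizing the first letter of a common word, as in "Summer2023", barely changes the score because every later character pair is still one the model has seen.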

For example, a YouTube channel asked over 200,000 people to pick a 'random' number between 1 and 100, and most chose from a small set of numbers like 7, 37, 42, 69, 73, and 77. Even when attempting to create random character strings, people often stick to the center of the keyboard. This analysis underscores the importance of creating stronger, less predictable passwords. Using a combination of upper and lower case letters, numbers, and special characters can help enhance password security. 

Additionally, implementing multi-factor authentication (MFA) adds an extra layer of protection, making unauthorized access much more challenging. Regularly updating passwords and avoiding reuse of old ones are also essential practices for safeguarding accounts from being easily compromised. Employing password managers can also aid in generating and storing complex passwords, reducing the reliance on human memory and, thus, the use of predictable patterns. 

As cyber threats continue to evolve, staying informed about the latest security practices and adopting proactive measures will be crucial in defending against sophisticated password-cracking techniques.

Default Passwords Lead to Hacking Incidents Among LogicMonitor Customers

 

Some customers of LogicMonitor, a network security firm, have been compromised by hacking attacks due to their use of default passwords. A spokesperson representing LogicMonitor has officially confirmed the existence of a "security incident" that is affecting a segment of the company's customer community. 

Until recently, LogicMonitor employed default passwords for user accounts, which created a vulnerability leading to the breach. These default passwords typically followed a recognizable pattern, such as commencing with "Welcome@" followed by a concise numerical sequence. 

This security oversight made it considerably easier for malicious actors to gain unauthorized access to customer accounts, raising concerns about potential ransomware attacks on systems under LogicMonitor's monitoring. 

“We are currently addressing a security incident that has affected a small number of our customers. We are in direct communication and working closely with those customers to take appropriate measures to mitigate the impact,” LogicMonitor’s spokesperson Jesica Church said. 

 LogicMonitor took the initiative to inform one of its customers about a potential security breach through an email notification. In the message, they highlighted the exposure of usernames and passwords, underscoring the risk of a potential ransomware attack in the event of unauthorized access. This proactive approach demonstrates LogicMonitor's commitment to swiftly addressing the issue and safeguarding its customers' interests. 

Understand what is meant by default password

Equipment manufacturers commonly employ uncomplicated passwords like "admin" or "password" for all their shipped devices, with the assumption that users will modify these passwords during the initial configuration process. Typically, these default login credentials can be located in the instruction manual (which is often standardized across devices) or even directly on the device itself. 

Here are a couple of instances to illustrate the point: 

In 2014, a single website's breach of default username and password combinations resulted in the exposure of 73,011 security cameras across 256 different countries. This allowed unrestricted online access to these cameras for anyone on the internet. 

In 2015, a four-week-long spam campaign successfully infiltrated router equipment systems by exploiting default username and password settings. The attackers leveraged this access to send emails to multiple organizations, serving as a reminder of an outstanding unpaid bill. 

The prevalence of default passwords is a significant factor in widespread home router compromises. Leaving default passwords in place on publicly accessible devices poses a substantial security hazard. The initial step to enhance your online security is to prioritize password management. 

Avoid the practice of reusing the same password across multiple accounts. Instead, establish distinct and robust passwords for each of your devices and accounts. This approach acts as a crucial deterrent, making it significantly more challenging for hackers to gain unauthorized access to your devices and compromise your security.

Here's a Quick Guide to Safeguarding Credentials

 


Safeguarding your authentication credentials is your best defense against your identity falling into the wrong hands. A recent report from Nordpass disclosed that people still use easy-to-remember passwords, which can also be hacked with very little effort. More than 2 million people use very simple passwords such as ‘1234567’, which won't take more than a second to break. 

People use passwords to gain access to an organization's resources and for recreational purposes as well. If the protection of passwords is taken lightly, however, one might end up falling into the hands of unscrupulous cybercriminals. Password stealing is easier than most of you think, as hackers have multiple tools at their disposal. Here are the ways to prevent it. 

1 Minimum password length and complexity: Longer passwords that mix letters, numbers, and special characters are considerably harder for hackers to break. Few passwords are very secure against brute-force attacks, but the goal here is to increase entropy to protect the password without making it overly complicated. 

According to the Open Web Application Security Project (OWASP), passwords with fewer than 10 characters can be hacked very easily. The question that arises, however, is what length is considered secure but not too long. According to OWASP, 160-character passwords are considered to be a reasonable length. 

2 Multi-factor authentication (MFA): You must have seen that many online shopping apps have started asking for extra authentication to verify your identity, beyond just a username/email and password: for example, a code on your phone or a face or fingerprint scan. For big IT companies, it is essential to build multi-factor authentication, such as behavioral biometrics, device reputation controls, IP tracking, and challenge-response protocols, into their systems. 

3 Password managers for employees: Things can become much easier for companies if they start using a password manager. It is an easy and productive way to ensure that employees are using complex passwords. 

4 “Zero Trust” security model: This network security model implies trusting no one, not even known users or devices, without verification or validation. The model was introduced by an analyst at Forrester Research. Although the underlying theory is not entirely new, the model has gained prominence in digital transformation, and its effects can be easily seen in business network security architecture.
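A set-time password check that combines the default-password pattern described for the LogicMonitor incident above with the length guidance in item 1 of this guide. This is an added example, not code from any vendor or from the original posts; the pattern list, keyboard rows, run length and reason strings are illustrative assumptions, and the length limits are the ones quoted in the guide.

```python
import re

MIN_LEN, MAX_LEN = 10, 160   # limits quoted in the guide above
# Default-style patterns named on this page; extend with your own vendor defaults.
DEFAULT_PATTERNS = [
    re.compile(r"welcome@\d{1,6}", re.I),          # "Welcome@" + short number
    re.compile(r"(admin|password)\d{0,4}", re.I),  # "admin", "password", "admin123"
]
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
YEAR = re.compile(r"(19|20)\d\d")                  # crude stand-in for "dates"


def has_keyboard_run(password, run=4):
    """True if `run` consecutive characters follow a keyboard row, either way."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for line in (row, row[::-1]):
            for i in range(len(line) - run + 1):
                if line[i:i + run] in lowered:
                    return True
    return False


def policy_violations(password):
    """Return the reasons a new password is rejected (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LEN:
        reasons.append("too short")
    if len(password) > MAX_LEN:
        reasons.append("too long")
    if any(p.fullmatch(password) for p in DEFAULT_PATTERNS):
        reasons.append("default-style password")
    if has_keyboard_run(password):
        reasons.append("keyboard sequence")
    if YEAR.search(password):
        reasons.append("contains a year")
    return reasons


if __name__ == "__main__":
    for pw in ["Welcome@123", "password", "qwerty2024!!", "maple-otter-quilt-vane"]:
        print(f"{pw!r}: {policy_violations(pw) or 'accepted'}")
```

"Welcome@123" passes the length rule and contains upper case, a digit and a symbol, so only the explicit default-pattern rule catches it.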

Yahoo to the rescue of forgetful users with "on-demand password"

Passwords are not meant to be remembered. They are meant to be generated fresh, every time you forget them.

This is what Yahoo seems to think as the company just introduced an on-demand password system.

The system works like this: After signing into the Yahoo account one has to select Account security from the account information page and opt-in for “On-demand passwords”. Then one has to enter the phone number where Yahoo sends the verification code and after entering this code one never has to worry about memorizing passwords ever again.

It can be argued that the move away from default passwords is welcome, as password theft is very common nowadays, but some feel that privacy is being sacrificed, because anybody with access to the phone for even a few seconds has the potential to read through all your communication.

But the fact remains that the peril of default passwords had been dealt with well by the two-step authentication process, whereby if one logs in from a new device, in addition to the password one is asked for a code that has been sent to the associated mobile number. A move to completely eliminate the first step seems to incline towards laxer cyber-security norms.

At a time when Google tries to put one in panic mode by notifying what happens if you forget your password, and repeated reports of security breaches make one paranoid, the move from Yahoo to eliminate passwords has invited mixed reactions.

Presently, it is available only to US users.

While the effort is in the right direction to deal with password security issues by closely connecting the virtual and real identities, the approach adopted seems to be fallacious.

The dangers of default passwords : Routers use default 'password'


A hacker with the Twitter handle SuperSl1nk has discovered a security flaw in the router's web admin interface. The famous organizations left their router password as the default one. The worst part is that the default password is 'password'.

"The dangers of default passwords is a critical vulnerability that unfortunately touches a lot of school, business, government and other ... The developers are not aware of the danger or repercussion that this may have on the entire system," the hacker said in the leak.

"I can publish a little of my results. Only for Lesson ! :p"

The list of affected networks includes BellSouth.net (U.S.A), Imagination (U.S.A), Hotwire Communications (U.S.A), Capital Market Stragies L (U.S.A), University of Maryland Baltimore County (UMBC U.S.A), U.S. Network (U.S.A), LG DACOM Corporation (Korea).

Other affected networks: Harano Telecom (Korea), SK Broadband Co Ltd (Korea), Korea Telecom (Korea), Infrastructure EM (Denmark), Bahnhof Internet AB (Sweden), Intelligente Office (Canada), Wightman Telecom (Canada).

"@EHackerNews I've seen much worse, but I did not publish everything, I have access to ISP, Telecom, Gov, Military, Big Company... " the hacker replied to EHN in a tweet.

All of the affected networks have the same password to sign in to the interface. Yes, it is 'password'.

http://pasteit.com/19643