Easy passwords that are secure?
When we talk about this kind of approach for simple passwords, we can take it a few steps further and make REALLY complex passwords with a very simple method. The key point about extremely complex passwords is not that you have to remember them in full, but that you need a way to reconstruct them. Say a company's root (Administrator) password has to be ultra-complex, since you obviously don't want anyone to brute-force or crack it in a short time. This has two benefits. 1) IF your password database (SAM file, passwd file or an LDAP dump) is obtained by a malicious cracker, many other passwords with far fewer rights will be cracked WAY before the company's Administrator password is. 2) IF your company's network is compromised and the password database is downloaded at night or during off hours, then when the Administrator comes in later and notices the compromise, he can initiate change management, change the password and close the hole that let the attacker in. This means that even IF someone cracks the downloaded password file, it is useless, since your Administrators changed the main passwords AND instructed all users to change theirs too.
So let's talk about generating really complex passwords in a really simple manner. Of course you could use a password generator, but those generate passwords, not passphrases. A very good and simple approach is, for example, to take a random paragraph from a technical document and use the first letter of each word. This already gives you random letters, upper and lower case, and depending on the document even numbers. All you have to do then is apply a pattern: say, after every 4th character you add a ??? or a whitespace to the phrase. This way you get passwords that are long and very complex, very easily.
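The first-letter-of-each-word scheme described above, as an added example (not code from the original post): the sample paragraph is constructed, the separator and the every-4th-character spacing are parameters, and the class check is only a quick sanity check, not a strength proof, since first letters of English words are far from uniformly distributed.

```python
import re

# Constructed sample paragraph standing in for "a random paragraph from a technical document".
SAMPLE_PARAGRAPH = (
    "The TCP 3-way handshake uses SYN, SYN-ACK and ACK segments; "
    "RFC 793 defines it in 1981."
)

# A "word" starts with a letter or digit; hyphens and apostrophes inside a word
# do not split it, so "SYN-ACK" and "3-way" each contribute one character.
WORD = re.compile(r"[A-Za-z0-9][A-Za-z0-9'-]*")


def first_letters(paragraph: str) -> str:
    """Return the first character of every word, keeping case and digits as-is."""
    return "".join(m.group(0)[0] for m in WORD.finditer(paragraph))


def insert_pattern(core: str, sep: str = " ", every: int = 4) -> str:
    """Apply the post's pattern: one separator after every `every` characters."""
    if every < 1:
        raise ValueError("every must be >= 1")
    chunks = [core[i:i + every] for i in range(0, len(core), every)]
    return sep.join(chunks)


def derive_passphrase(paragraph: str, sep: str = " ", every: int = 4) -> str:
    """Full scheme: first letters of the paragraph, then the separator pattern."""
    return insert_pattern(first_letters(paragraph), sep, every)


def character_classes(passphrase: str) -> set:
    """Which character classes the result covers (sanity check, not a strength proof)."""
    classes = set()
    for c in passphrase:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


if __name__ == "__main__":
    pw = derive_passphrase(SAMPLE_PARAGRAPH)
    print(repr(pw), len(pw), sorted(character_classes(pw)))
```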
Here is a password that I generated that way (this is the entry for the test1 user, with the new password, from my /etc/shadow file, so you can just copy it and start cracking):
test1:$1$zRbJgE6J$.3OwMyqixjYOtyKT1S4Q7.:13450:0:99999:7:::
My challenge to anyone: if you crack it and mail it to me (flosse@2blocksaway.com), I will send you a 20 Euro (~25 USD) gift certificate from Amazon or the iTunes Shop, you name it.
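To make clear what the shadow entry above actually contains, here is an added example (not code from the original post) that parses it into its shadow(5) fields, identifies the crypt(3) scheme from the `$1$` prefix and its salt, and reports what an administrator auditing such a file would flag. The scheme table and the audit rules are my additions, not something the post states.

```python
from datetime import date, timedelta

# Shadow entry quoted in the post above (user test1).
SHADOW_LINE = "test1:$1$zRbJgE6J$.3OwMyqixjYOtyKT1S4Q7.:13450:0:99999:7:::"

# Field order of /etc/shadow, see shadow(5).
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

# glibc crypt(3) scheme identifiers found between the first pair of '$'.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_shadow(line: str) -> dict:
    """Split one shadow line into named fields and decode the hash prefix."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d colon-separated fields" % len(FIELDS))
    entry = dict(zip(FIELDS, parts))
    h = entry["hash"]
    if h.startswith("$"):
        segs = h.split("$")          # "$1$salt$digest" -> ["", "1", "salt", "digest"]
        entry["scheme"] = SCHEMES.get(segs[1], "unknown($" + segs[1] + "$)")
        entry["salt"] = segs[-2]     # for $5$/$6$ an optional "rounds=N" segment precedes the salt
        entry["digest"] = segs[-1]
    elif h == "" or h.startswith(("!", "*")):
        entry["scheme"] = "locked-or-empty"
    else:
        entry["scheme"] = "descrypt"  # classic 13-character DES crypt, no '$' prefix
    # lastchg is the number of days since 1970-01-01, not a permission value
    entry["lastchg_date"] = (date(1970, 1, 1) + timedelta(days=int(entry["lastchg"]))
                             if entry["lastchg"] else None)
    return entry


def audit(entry: dict) -> list:
    """Policy findings a defender would flag on this entry."""
    findings = []
    if entry["scheme"] in ("md5crypt", "descrypt"):
        findings.append("legacy hash scheme %s: rehash with sha512crypt or yescrypt at next change"
                        % entry["scheme"])
    if entry["max"] == "99999":
        findings.append("max age 99999 days: password effectively never expires")
    return findings


if __name__ == "__main__":
    e = parse_shadow(SHADOW_LINE)
    print(e["name"], e["scheme"], "salt=" + e["salt"], "changed=" + str(e["lastchg_date"]))
    for finding in audit(e):
        print("-", finding)
```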
There are also very good articles regarding the “password issue” available here: The Zen of password management, and here: RSA's “The vicious circle of passwords”. Azio's article about how fast they can crack your password is actually a link to here, but still DEFINITELY worth reading (both posts).
Interesting blog post, but I'll not try to crack your password. The cost of the electricity I'd probably need to crack your password would be more than the 20 euros it returns.
Honestly, the encrypted part is only this = 3OwMyqixjYOtyKT1S4Q7
The rest is just Linux information. Especially the 99999, which is the administrator rights. While I don't think it's worth cracking, as we wouldn't know if it authenticates… But by the look of the encrypted part, it's most likely a standard encryption… probably 128 - 256 bit encryption.
Based on cracking the password? I doubt anyone will do it… Probably those computer science students who are interested in some challenges… hahaha…
[…] Now, if you take these steps or points into consideration, your user education or security training class all of a sudden looks more like a group discussion with you as the leader. And THAT is the way it should be. If the user feels empowered by actually interacting in the security training, it makes them feel less forced. Let them get to their own conclusions regarding why passwords should be complex. You can always give them pointers about issues like passwords, like I described in the Easy yet secure passwords article. If you can transform your security training into a security awareness discussion where everyone is relaxed and can speak their mind, I guarantee you that your users will become your biggest ally in your defense. They will be much more wary regarding social engineering attacks, they will rather delete a funky mail than open it, and they will handle company information MUCH more carefully. I have also given classes about how to teach well, and I have gotten feedback even from educational institutions that this approach works very well. And if you like giving your class, you will all of a sudden find yourself requested to give classes, maybe not just in your company. If you have any experiences or more pointers to share, please do so, or if you want more info regarding this, just drop me a line. But if you can implement even just a few of the points, your class will be MUCH better than the generic user security training that everyone despises. […]
Maybe you can try Fingerprint Scanner.
I agree, and nowadays a lot of new laptops come with a fingerprint reader, though they can be fooled fairly easily too, and probably faster than using a really good password/passphrase.
I would love to test some retinal or facial recognition software, but where to get it from… without paying a hefty price tag.
//Flosse