Weak Passwords Really Do Help Hackers

HardOCP News

Straight out of the Department of ND (no duh), we have a new study that says weak passwords really do help hackers. Ya think? I guess the most alarming part is the frequency of the intrusion attempts.

Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts -- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.
 
24 days * 24 hours/day * 60 minutes/hour * 60 seconds/minute = 2,073,600 seconds

2,073,600/39 = 53,169.

I think the University of Maryland needs to get grade 6 math down before they venture into the dangerous and complex world of blatantly obvious fact. :D
 
All I want to know is.. does this mean I should stop using 'password' as my password?!? :eek:

:D :D
 
This little insightful experiment probably cost the US taxpayers several million dollars to ascertain....could have logged on the [H] and found that little ditty in a few free minutes. Yay for the Homeland Defense crew :rolleyes:

24 days * 24 hours/day * 60 minutes/hour * 60 seconds/minute = 2,073,600 seconds

2,073,600/39 = 53,169.

I think the University of Maryland needs to get grade 6 math down before they venture into the dangerous and complex world of blatantly obvious fact. :D

Not to defend them or anything but.... they are talking about 4 computers.

So.... assuming a little rounding on their 270k number they are pretty close to the 39 second mark. :D
 
What the article did not mention was which attack vector the attackers were using. There are multiple avenues of attack. I'm guessing that they were monitoring SSH and/or telnet due to the fact that they stated that once attackers entered the machine they checked the configuration... This would be far more difficult using FTP, HTTP, SMTP, or other avenues of attack.

On my Slackware Linux server I get tons and tons of cracking attempts on port 22 (SSH). Which is fine, because nothing is bound to port 22. SSH is bound to a non-standard port on my machine. Since I changed the port SSH listens to, there have been no SSH based cracking attempts aimed at the port that SSH is actually on. Telnet is not enabled.

With machines that have lots of users, it's especially important to use password testing algorithms that ensure that users do not use weak passwords. Furthermore it's generally a good idea to use some penetration testing tools to make sure that you're secure. But then again, a decent administrator already would know these things.
 
Not to defend them or anything but.... they are talking about 4 computers.

So.... assuming a little rounding on their 270k number they are pretty close to the 39 second mark. :D

4 x 53 thousand is 212 thousand.

I can see no way that rounding would cause such a huge error.

With a number like 270k the most rounding they did was to the nearest 10k, so 265k-275k. With 39 seconds the most they did was the nearest second, 38.5s - 39.5s. The closest you can get to their numbers using either of those ranges is ~25% off.

I think someone forgot how to count and they actually had 5 computers. :)
 