Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Don't Use Passwords That Can Be Social-Engineered

Broken lockA Facebook thread by one of my friends brought this one to mind. He was asking about what the current guidelines were for strong passwords. They vary, based on the capabilities of the system. A lot of the guidance nowadays is on passphrases modified in some manner, usually with a few substitutions. The passphrases create a password that is computationally costly to brute-force and the substitution just adds to the number of combinations that have to be tried per word.

What you should never do is choose a password that can be brute-forced easily guessed (edit: typed too quick on this one). I can recall a time when I was working with a vendor and they had configured the SQL Server, as per their procedure. It was one of those "hands-off or you break support" situations. They then hit a point where they needed DBA support, meaning us. As we investigated, we found out that they had chosen a password easily guessable via a social engineering attack. It was the name of the product, in all lowercase. I guess you could say at least they chose a password, as we ran across one similar installation where the sa account was installed with no password and, to make matters worse, that's the account the application was using.

As technical defenses go on the rise, social engineering is going to be the easiest way into most systems. People, whether we like it or not, are often the weakest link because they are too trusting. The recommendation is not to choose a password that involves your name, a member of your family, or someone close to you. If your child's name is Alex, then at some point I will try various permutations of Alex to see if I can get in. If you're a big sports fan, do not choose a password that involves your favorite teams. When we had a penetration test group in, they cracked several accounts by guessing a local college followed by a number, which conveniently came out to 8 characters and matched most rules for password complexity (mixed case with a numeric). That was when our password minimum length was eight characters. It's not any longer, partially because of this particular example (but more because of the cheapness of storage for storing rainbow tables).

It's not hard to choose a memorable passphrase that can't be connected to you. Don't choose one that can be social engineered. Don't choose a regular password that can be social engineered. If you're a vendor, don't install your product with a default password that's tied to your or the product's name. If you're a consultant, don't configure a password matching the vendor or product's name. It's among the first sets of passwords an attacker will try. They don't have to break out brute force engines to give a few of these a shot. Be smart about your password choices.

 

Comments

Posted by Steve Jones - SSC Editor on 9 August 2012

So true. I'm working on teaching my kids strong, 12char passphrases that aren't easily guessed. No common combinations of words. They aren't happy, but they are learning.

Posted by Brandon-1000181 on 9 August 2012

It seems like you are including research into people in social engineering.  As far as I know, social engineering is tricking users into giving out the passwords.  In your example of the users having a password that was the same as the sports team, that isn't social engineering.

Protection against social engineering would be best handled by training users to protect their passwords.  

Posted by K. Brian Kelley on 9 August 2012

Brandon, social engineering often involves research. Case in point: www.symantec.com/.../social-engineering-fundamentals-part-i-hacker-tactics

Leave a Comment

Please register or log in to leave a comment.