Unpredictability is key in password strength

The latest report from infosec provider Praetorian suggests that when it comes to cracking a password, the order in which its character types appear is just as important as the raw strength of the password itself.

Using a technique called a mask attack, attackers describe a password by the type of each of its characters: upper case letters (u), lower case letters (l), digits (d) and symbols (s).

In their example, Praetorian used “Password1234”, which in this notation becomes “ullllllldddd”. This string of letters is known as a mask: each letter denotes the character type at that position (u = upper case, l = lower case, d = digit). An attacker who guesses the mask correctly only has to try the combinations that fit it, rather than every possible string of that length.

Using this technique, Praetorian analysed nearly 35 million leaked passwords from various sources. What they found was surprising.

Password Masks

Of the 35 million analysed passwords, half used the same 13 masks. Despite the millions of possible combinations of letters, digits and symbols, as many as half of us follow one of a very small number of patterns.

Our predisposition for these particular masks makes our passwords much easier to crack: an attacker who tries the 13 most common masks first covers half of all passwords with a tiny fraction of the full keyspace. Many people also use dictionary words and personally identifiable information in their passwords, which narrows the search further.
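As an added illustration of the mask idea and of the analysis above (this is not code from Praetorian's report), the following Python derives a password's mask in the article's u/l/d/s notation, converts it to the equivalent hashcat mask syntax (hashcat's built-in ?u ?l ?d ?s charsets cover the same four classes), sizes the keyspace a mask attack has to search, and counts how many of the most popular masks are needed to cover half of a password list. The password list is a small constructed sample standing in for a leak dump, and the symbol class is assumed to be space plus the 32 printable ASCII punctuation characters, the set hashcat uses for ?s.

```python
from collections import Counter
import string

# Character classes in the article's notation; these are the same four
# classes as hashcat's built-in ?u ?l ?d ?s charsets. The symbol class is
# assumed to be hashcat's: space plus the 32 ASCII punctuation characters.
CLASSES = {
    "u": string.ascii_uppercase,    # 26
    "l": string.ascii_lowercase,    # 26
    "d": string.digits,             # 10
    "s": " " + string.punctuation,  # 33
}
CHAR_TO_CLASS = {ch: cls for cls, chars in CLASSES.items() for ch in chars}


def password_mask(password):
    """Return the mask of a password ("Password1234" -> "ullllllldddd"),
    or None if it contains a character outside the four classes."""
    mask = []
    for ch in password:
        cls = CHAR_TO_CLASS.get(ch)
        if cls is None:
            return None
        mask.append(cls)
    return "".join(mask)


def to_hashcat(mask):
    """Rewrite a mask in hashcat -a 3 syntax: ullld -> ?u?l?l?l?d."""
    return "".join("?" + cls for cls in mask)


def mask_keyspace(mask):
    """Number of candidates a mask attack must try for one mask."""
    n = 1
    for cls in mask:
        n *= len(CLASSES[cls])
    return n


def mask_distribution(passwords):
    """Count how often each mask occurs across a password list;
    passwords with characters outside the four classes are skipped."""
    counts = Counter()
    for pw in passwords:
        m = password_mask(pw)
        if m is not None:
            counts[m] += 1
    return counts


def masks_covering(counts, fraction):
    """Most common masks, in order, until they cover at least `fraction`
    of the classified passwords (the article's "13 masks cover half")."""
    total = sum(counts.values())
    covered = 0
    chosen = []
    for mask, n in counts.most_common():
        chosen.append(mask)
        covered += n
        if covered >= fraction * total:
            break
    return chosen


# Constructed sample list standing in for a leak dump (not real data).
SAMPLE_LEAK = [
    "Password1234", "Welcome2015", "Summer99", "letmein", "Qwerty1!",
    "football", "Monkey123", "Trustno1", "password", "Dragon2014",
    "iloveyou", "Princess1", "sunshine", "Charlie!", "abc123",
    "Michael1", "Jessica01", "master", "Hello123!", "shadow",
]

if __name__ == "__main__":
    print(password_mask("Password1234"))   # ullllllldddd
    print(to_hashcat("ullllllldddd"))      # ?u?l?l?l?l?l?l?l?d?d?d?d
    masked = mask_keyspace("ullllllldddd")
    brute = 95 ** 12                       # all printable ASCII, 12 characters
    print(f"mask keyspace {masked:.3e} vs brute force {brute:.3e} "
          f"({brute // masked:,}x smaller)")
    dist = mask_distribution(SAMPLE_LEAK)
    half = masks_covering(dist, 0.5)
    print(f"{len(half)} masks cover half of the sample: {half}")
```

The keyspace comparison is the point of the article in numbers: a 12-character password drawn from all 95 printable ASCII characters has 95^12 candidates, but once the mask is known the attacker only searches 26^8 * 10^4 of them, several hundred million times fewer.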

Why do we behave like this?

Praetorian posits that our preference for certain masks comes down to the way we are told to create strong passwords. A simple example is the advice to include a capital letter: convention leads us to put it at the start of the password, and to put symbols such as ‘!’ at the end.

How to improve your password safety

The most important thing you can do to make your passwords harder to crack is to use an unusual mask. Don't start your password with a capital letter, and put your symbols and digits somewhere other than the end. Bear in mind that an unusual mask only helps against an attacker who works through masks in order of popularity; a short password is still weak under any mask, so length matters as much as the pattern.

Password managers can also generate long, random passwords for you. Because every character is chosen at random, such passwords do not cluster around the popular masks at all.

3062591 – Local Administrator Password Solution (LAPS) Now Available – Version: 1.0

Revision Note: V1.0 (May 1, 2015): Advisory published.
Summary: Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

Re: #WorldPenguinDay or this cant be right, can it?

Posted by Tavis Ormandy on May 01

PIN <zero () asac co> wrote:

It sounds like you’re asking “If I can learn an address, have I defeated
ASLR”, and the answer is usually yes. It depends on the circumstances of
course, but leaking any address to an attacker would usually be considered a
bug and renders ASLR essentially useless.

For example, if you can find some JavaScript that tells you the address of
an object on the heap or the base address of a module,…

Re: IKE Aggressive Mode Downgrade Attack?

Posted by Lee on May 01

crypto isakmp aggressive-mode disable
should be the counter-measure.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c4.html#wp7822516900
To block all Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode requests to and from a device, use the crypto isakmp aggressive-mode disable command in global configuration mode.

Regards,
Lee
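As an added check, not part of Lee's message or of the Cisco documentation he quotes, the following Python parses the fixed ISAKMP header (RFC 2408, section 3.1) and flags IKEv1 messages whose exchange type is 4, Aggressive Mode. Run over a capture of UDP/500 traffic to and from a VPN endpoint it shows whether anyone is proposing aggressive mode and, more usefully after the command above has been applied, whether the device still answers such proposals: a response carries a non-zero responder cookie. The packets below are constructed inside the script rather than captured, use documentation address ranges, and carry no payloads, so they are valid only as far as the header goes; NAT-T traffic on UDP/4500, which prepends a four-byte non-ESP marker, is not handled.

```python
import struct

# Fixed ISAKMP header, RFC 2408 section 3.1 (28 bytes, network byte order):
# initiator cookie (8), responder cookie (8), next payload (1),
# major/minor version (1), exchange type (1), flags (1),
# message ID (4), length (4). IKEv2 (RFC 7296) keeps the same layout with
# major version 2 and has no aggressive mode, so the version nibble is checked.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_PORT = 500  # UDP/4500 (NAT-T) carries a 4-byte non-ESP marker first; not handled

# IKEv1 exchange types, RFC 2408 section 3.1
EXCHANGE_TYPES = {
    0: "NONE",
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
}
AGGRESSIVE = 4
ZERO_COOKIE = b"\x00" * 8


def parse_isakmp(payload):
    """Parse the ISAKMP header of a UDP payload; None if it is too short."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, next_payload, version, xchg, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(payload)
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": xchg,
        "exchange_name": EXCHANGE_TYPES.get(xchg, "unknown(%d)" % xchg),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def aggressive_mode_role(payload):
    """'initiation' for the first aggressive-mode message (responder cookie
    still zero), 'response' once a peer has answered, None otherwise."""
    hdr = parse_isakmp(payload)
    if hdr is None or hdr["major_version"] != 1:
        return None
    if hdr["exchange_type"] != AGGRESSIVE:
        return None
    return "initiation" if hdr["responder_cookie"] == ZERO_COOKIE else "response"


def find_aggressive_mode(packets):
    """packets: iterable of (src, dst, dst_port, udp_payload) tuples.
    Returns (src, dst, role) for every IKEv1 aggressive-mode message.
    A 'response' sent by your VPN endpoint means it accepted aggressive mode."""
    hits = []
    for src, dst, dport, payload in packets:
        if dport != ISAKMP_PORT:
            continue
        role = aggressive_mode_role(payload)
        if role is not None:
            hits.append((src, dst, role))
    return hits


def build_isakmp(exchange_type, version=0x10, icookie=b"\x11" * 8,
                 rcookie=ZERO_COOKIE, body=b""):
    """Build a header-only ISAKMP message for testing (no SA payload)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, 1, version, exchange_type,
                           0, 0, length) + body


# Constructed sample traffic around a VPN endpoint at 198.51.100.1 (not a capture).
SAMPLE_PACKETS = [
    ("203.0.113.5", "198.51.100.1", 500, build_isakmp(2)),               # main mode, fine
    ("203.0.113.7", "198.51.100.1", 500, build_isakmp(4)),               # aggressive mode proposed
    ("198.51.100.1", "203.0.113.7", 500,
     build_isakmp(4, rcookie=b"\x22" * 8)),                              # endpoint answered it
    ("203.0.113.9", "198.51.100.1", 500, build_isakmp(34, version=0x20)),  # IKEv2 IKE_SA_INIT
    ("203.0.113.9", "198.51.100.1", 53, b"not isakmp"),                  # DNS, ignored
]

if __name__ == "__main__":
    for src, dst, role in find_aggressive_mode(SAMPLE_PACKETS):
        print(f"{src} -> {dst}: IKEv1 aggressive mode {role}")
```

Once the command has taken effect, initiations may still arrive from scanners or misconfigured peers, but the endpoint should no longer produce any 'response' entries; if it does, the change did not apply to that device.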