I have been thinking about password security quite a lot today, and it occurred to me that most people, including myself, use universal passwords. We know it's wrong, but we almost can't help ourselves; it's too human.

The thing we fail to think about enough is that the more we give this password out, the more danger we put it in: every website that has it in its database is a new link in the chain protecting our password. All that is required to get your password, then, is to break into the weakest website that has it; all it takes is one admin who is not hashing his passwords, or is failing to salt them.

Thus when personally attacking someone's electronic life, if they have a universal password all you need to do is attack the weakest website or system that has it, and for most people there could be up to 50-100 such systems. One of these is bound to have a security hole.

The second possible mode of attack is to set up a dummy website and get the person in question to sign up to it. All that needs to be done then is to read the password straight out of the database.

In this form you can ask for all the other details you want:

  • Name
  • Address
  • Email
  • Username

You could even ask for information such as a mother's maiden name. With all this you could get access to email accounts, Facebook accounts, webspace, and e-commerce accounts (Amazon, Play.com). With the additional information gained from these you could then even access bank accounts.

  • I was using a universal password because I thought I would never remember different ones…my solution is to have a password “seed” which remains the same for all websites, but then is added to by a combination of letters from the website’s title according to a rule, which I’m obv not going to post here :) This means I have a unique password for each website, and I only have to remember the seed and the rule, which I’ve found OK :)

    I reckon this is more secure than using a fixed password, and although if the rule was worked out you could then guess all my other passwords you would first have to know at least two to be able to guess the rule…

    I could be wrong though, but I think it's a bit more secure :)

    • I know the system, as our dear friend lyle uses it.

      However, consider this: I break your password on 2 sites, spot the common seed and then from the remaining letters may be able to work out your pattern. The security of this approach only works if the pattern used to adapt your seed is complex enough that it requires a significant number of password breaks (aka to the point where I have to break into something as secure as the system I truly want to enter) before the pattern can be discovered.

      I never believe systems can be truly secure until humans are removed from them.
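The weakness the two comments above are arguing about can be shown concretely. The following is an added example, not code from the post or its commenters: a constructed "seed plus letters from the site title" rule, standing in for the kind of scheme described, next to a keyed derivation (PBKDF2 with the site name as salt) where a leaked per-site password no longer exposes the seed or the rule. The seed value and the naive rule are assumptions made up for the demonstration.

```python
import hashlib

# Constructed sample seed; the naive rule below is a hypothetical stand-in
# for the "seed + letters from the site title" scheme described above.
SEED = "Tr0ub4dor"


def naive_site_password(seed: str, site: str) -> str:
    """Hypothetical naive rule: seed, then the first and last letter of the
    site name upper-cased. The seed appears verbatim in every password."""
    return seed + site[0].upper() + site[-1].upper()


def common_prefix(a: str, b: str) -> str:
    """Longest common prefix of two strings: exactly what comparing two
    leaked passwords exposes when the seed is a literal substring."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def kdf_site_password(seed: str, site: str, length: int = 16,
                      iterations: int = 20_000) -> str:
    """Derive a per-site password with PBKDF2-HMAC-SHA256, keyed on the seed
    and salted with the normalised site name. The output carries no literal
    fragment of the seed, and the iteration count slows offline guessing
    of a weak seed from one leaked derived password (it cannot prevent it,
    so the seed itself still has to be strong)."""
    raw = hashlib.pbkdf2_hmac("sha256", seed.encode(), site.lower().encode(),
                              iterations)
    alphabet = ("abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%")
    # Map digest bytes onto a printable alphabet; deterministic per site.
    return "".join(alphabet[b % len(alphabet)] for b in raw[:length])


def compare_schemes(site_a: str, site_b: str) -> dict:
    """Return what two leaked passwords reveal under each scheme."""
    naive_a, naive_b = naive_site_password(SEED, site_a), naive_site_password(SEED, site_b)
    kdf_a, kdf_b = kdf_site_password(SEED, site_a), kdf_site_password(SEED, site_b)
    return {
        "naive_shared": common_prefix(naive_a, naive_b),   # the seed, in the clear
        "naive_seed_leaked": SEED in naive_a,
        "kdf_seed_leaked": SEED in kdf_a or SEED in kdf_b,
        "kdf_distinct": kdf_a != kdf_b,
    }
```

Running `compare_schemes("amazon", "facebook")` shows the naive pair sharing the whole seed as a prefix, leaving only two letters per site for the "rule" to hide in, while the derived pair shares nothing useful.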

