Expecting security by obscurity to protect you is quite naïve, maybe a bit stupid, certainly negligent. Still, we see accounts named bob with initial password bob, which are quite amenable to low-intensity attacks. Even worse is when you give away so much information about accounts that it becomes easy to home in on usernames and passwords.
When I was in college, we had sequentially allocated usernames, something like r1625 if you were the 1625th student to register, but a configurable password. Even if one could guess other usernames from his own, there remained the task of guessing the passwords. Of course, it now seems entirely feasible to use (insert favorite method) to find a compatible password if you have the file containing the hashes¹. This will be computationally intensive, as (insert favorite method) is unlikely to do significantly better than enumerating possible passwords and testing them one by one. At any rate, 20 years ago, there weren’t any 8192-core machines with 128-thread GPUs.
However, a sound username/password scheme is relatively robust (coupled with a longish SSH login retry delay, a limit on the number of retries, and miscellaneous tricks such as moving the SSH port to a random location, not 2222), and it should keep you clear of most attacks and let you thwart the ones that do occur.
But despite this common sense, I still witness bad, and I mean bad, security schemes being implemented. Of course, in this case, we should really use the ironic quotes: “security”. With a few questions and a bit of social engineering (and nothing close to 忍術² required) I managed to gather enough information for a low-intensity attack.
What I gathered is that the logins were distributed sequentially, with the first three letters the same for everyone, let’s say ABC, followed by exactly five digits, so ABC12345 is a possible login. Since the usernames are allocated sequentially, by asking a few more questions around I could also get two full login names, and I can use this information to further bracket the search; this means that from at most 100000 users I can narrow it down to, say, 1000.
That alone might not be all that bad if initial passwords were random, say something like t017va017$, but, lo! the passwords are 5-digit PINs, also allocated sequentially by the admins. Better yet: the users cannot change them.
So it doesn’t take a combinatorial genius to figure out that breaking into an account is not that difficult anymore, even if we take our sweet time.
So what have we learned here? That I’m not the 1337 h4x0r… That the guys managing the accounts described above are nincompoops, certainly. But more to the point: first, you can’t devise a security strategy based on the assumption that nobody will try breaking in, or that the data you protect is unimportant anyway; these two assumptions will rapidly prove false. Second, you must give meaningful, but hard to guess, usernames (though if you don’t, it’s not that important) and strong passwords. The password “12345” isn’t a strong password. It’s a luggage lock code.
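To put numbers on the contrast the post draws, here is an added Python example (not part of the original post) that computes the guessing entropy of the sequential five-digit PIN versus a random ten-character initial password like t017va017$, estimates how long an online guessing campaign takes under a login retry delay of the kind mentioned above, flags the weak initial-password shapes described here, and generates a proper random initial password. The 10-second retry delay, the 44-symbol alphabet for the random password, and the helper names are assumptions made for the example.

```python
import math
import secrets
import string

# Constructed figures for the example: the post describes five-digit PINs handed out
# sequentially; the alphabet below is a plausible choice for a password like "t017va017$".
PIN_ALPHABET = string.digits                                        # 10 symbols
STRONG_ALPHABET = string.ascii_lowercase + string.digits + "!$%&*+-_"  # 44 symbols


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Guessing entropy, in bits, of a secret drawn uniformly from `space` values."""
    return math.log2(space)


def expected_time_to_hit(space: int, retry_delay_s: float, parallel_streams: int = 1) -> float:
    """Expected seconds for an online guessing campaign that, on average, hits the target
    halfway through the space, with the server imposing `retry_delay_s` between attempts
    on each of `parallel_streams` independent connections."""
    return (space / 2) * retry_delay_s / parallel_streams


def is_weak_initial_password(pwd: str, min_len: int = 10) -> bool:
    """Flag the initial-password shapes the post warns about: too short, all digits,
    or a run of consecutive characters such as 12345 (a luggage lock code)."""
    if len(pwd) < min_len or pwd.isdigit():
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pwd, pwd[1:])}
    return steps in ({1}, {-1})  # strictly ascending or descending run


def generate_initial_password(length: int = 10, alphabet: str = STRONG_ALPHABET) -> str:
    """Random initial password from the OS CSPRNG, instead of a sequential allocation."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies(retry_delay_s: float = 10.0) -> dict:
    """Contrast a sequential five-digit PIN with a random ten-character password under
    the same retry delay. With sequential PINs one successful (user, PIN) pair reveals the
    neighbours' PINs too, so a single username tried against the PIN space is enough;
    the 1000-user bracket does not even matter."""
    pin_space = search_space(len(PIN_ALPHABET), 5)
    strong_space = search_space(len(STRONG_ALPHABET), 10)
    return {
        "pin_entropy_bits": entropy_bits(pin_space),
        "strong_entropy_bits": entropy_bits(strong_space),
        "pin_expected_days": expected_time_to_hit(pin_space, retry_delay_s) / 86400,
        "strong_expected_years": expected_time_to_hit(strong_space, retry_delay_s) / (86400 * 365),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value:.4g}")
    print("weak 12345:", is_weak_initial_password("12345"))
    print("weak t017va017$:", is_weak_initial_password("t017va017$"))
    print("fresh initial password:", generate_initial_password())
```

With a 10-second retry delay, the sequential PIN falls in under a week of unhurried guessing on one connection, while the random ten-character password sits far beyond any realistic online campaign; the retry delay only helps once the secret space is large enough for it to bite.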
Tiger image appears with permission from Koren Shadmi.
¹ Indeed, you do not need the original password, merely one that hashes to the same thing once passed through the hash function. Of course, the stronger the hash function, the less likely such a collision is, and if you do succeed you will most likely have found the original password.