IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 5.18 Systematic trying-out of passwords
Passwords which are too simple can be found out by systematically trying
them out.
Example:
A study made by Klein (Klein, Daniel V. 1990, USENIX Security
Workshop Proceedings, Portland, August 1990) of 15,000 accounts yielded
a success rate of 24.2 per cent; the following password options were tried
out:
About 130 variations of the log-in name (first and last names) and of other
personal data from the /etc/passwd file; frequent names, names of wellknown
persons, names and places in movies, from sports events and from
the Bible; abusive common invectives/swear-words, and words from
foreign languages; different variations of these words, e.g. changes from
upper and lower case, insertion of special characters and check symbols,
reversing of the sequence of letters, repeated letters (e.g. aaabbb), or
frequent abbreviations (e.g. rygbv for the colours of the rainbow) and pairs
composed of two short words.
All these combinations and more can be tried out by any user of the UNIX
system in which the password file is freely accessible, using the crack PD
program. Moreover, for passwords that are too short, it is highly probable that
the password can be found out by systematically trying out all combinations.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000