Apart from using Trojans, hackers must first obtain the password of the system administrator to fully control a system. Password security is a common topic. However, Chinese security awareness, especially password security awareness, is worrying! So I have to discuss password security issues here.
As a result, I had nothing to worry about one day, and I tried to perform a random security check on my network segment. Hangs the security detection tool X-scan (which is a hacker tool in the hands of hackers. Hey. ^_^) For a simple NT-Server weak password scan.
Over 20 minutes later, the detection was completed, and the results were astonishing! See:
A total of 254X255 IP addresses are detected. Filter the results and make a rough statistics. More than three hundred hosts have weak NT passwords! This situation is worrying! But what surprised me more is that this scan only uses the simplest password dictionary that comes with the x-scan2.3 itself! The dictionary is not extended at all. This hacker dictionary is so magical that it can crack the passwords of so many people? Let's take a look at its true nature:
It is necessary to make some simple parsing. The % username % in the dictionary indicates that the password is the same as the user name, and % null % indicates that no password exists. % Username % 123 indicates that the password is followed by 123. If the user name is user, the password is user123. How is it? Is your password already in the hands of hackers? Surprised? This is the simplest dictionary for common hacking tools! I roughly looked at the scan results. The most frequent weak password is a blank password, followed by the 123456 password and the password is the same as the user name. Such a simple password dictionary can find many victims! Wake up!
So far, is your password security awareness patched? Next let's talk about the most important part-how to set a strong password.
The most difficult password for hackers to crack is a 7-digit password that contains uppercase and lowercase letters, numbers, and symbols without any obvious rules. For example, a password similar to "[hB5r0n. On this machine, I tested the strength of the most powerful Windows brute force tool LC4. The process is as follows:
1. Change the password of the system administrator to [hB5r0n, and set the password of other users to null.
2. (See) set the brute force password cracking tool LC4 to brute force cracking and use all the numbers, letters, and symbols on the keyboard.
3. (See) It takes about three months to successfully crack the "[hB5r0n" password !!!
This is just a local attack. It takes longer to perform remote cracking through the network due to the impact of network speed. Haha ....... If any hacker is patient, let him break it. :)
In addition, considering the number of passwords, the seven-digit password is the safest. This involves how some advanced brute force password cracking tools work. However, in terms of popularity, we can resolve this issue: when some brute force password cracking tools with higher intelligence crack passwords that have more than seven digits, they will take the first seven digits as one segment to crack, if the number is less than seven characters, the password segment is broken again. If the number is more than seven characters, the password segment is split by seven characters. The horror is that when it breaks a section, it will calculate the uncracked part based on the cracked part based on some links between the passwords, thus greatly speeding up the cracking process! That is to say, the more than seven passwords only indirectly provide clues for them to quickly crack the entire password! Hey! Do not think that the longer the password, the safer it is. Pai_^
Of course, you may say that you are only a common user. For convenience, you do not need such a strong password. To ensure password security, follow the following principles:
General rules: Try to make it difficult for others to guess!
1. Do not use regular passwords, such as 123456 in the x-scan dictionary above.
2. Do not use your pinyin name or common English name as the password. Some hacker dictionaries use Pinyin names and Common English names as passwords.
3. Do not use your birthday password. Birthday dictionaries are more common in hacker dictionaries.
4. Do not use meaningful English words.
5. Do not use symmetric passwords. For example! Dfe! For some brute force password cracking tools, this is three digits for your password!
6. The password number should preferably be seven digits, and the minimum password number should not be less than six digits.
7. Try to use the internal symbols in the keyboard layout when using symbol characters, such as ()-+ |. Use fewer images! @ # $ % ^ & And other peripheral symbols. Take advantage of the Space key special character!
8. Change your password occasionally. The above LC4 cracking example provides us with an inspiration: as long as there is enough time, no matter how powerful the password will eventually be cracked! Therefore, it is necessary to change your password occasionally. Generally, it is better to keep the password for no more than one month.
If you do the above, your password will be safer. In addition, it is easy to ignore that Windows or later MS requires the Administrator password during installation. It is best to set a password for it during installation. Many of the above weak NT passwords detected by the author are empty in Administrator! This must be highly valued!
Password security is definitely not a technical issue, but an issue of consciousness! I hope that the majority of Internet users will be able to improve their awareness of password security, and use some password setting techniques as appropriate. I believe most hackers will be able to reject you! Pai_^