Softpanorama

May the source be with you, but remember the KISS principle ;-)

Password Policy in "After Snowden" World


"After Snowden" world means that some of the sophisticated methods used by the NSA will inevitably trickle down to criminals. There is a terrible rule of war: whatever new weapon you introduce onto the battlefield, your adversary will eventually acquire it as well. That means there is now a bigger danger to our financial accounts and the like, as well as a real necessity for two-factor authentication in the corporate environment. Even in our private lives, banks and other financial institutions that do not use two-factor authentication for their Web portals are better avoided.

There are multiple useful techniques for generating strong passwords, but limiting the IP space from which a user can log in to the account is probably a more productive security measure than too much zeal in ensuring a strong password policy. Another key measure that can defeat password cracking attempts is limiting the number of unsuccessful logins allowed. Don't set it too low (seven is OK; three is way too low and in a large organization might produce an avalanche of helpdesk tickets).

For a useful set of ideas about strong passwords see, for example, the Microsoft recommendations in Strong Passwords. In most cases that simply means: length > 6, no dictionary word, combination of letters and numbers, combination of upper and lower case and at least one punctuation mark. In other words, using a 100-symbol alphabet instead of the 34 (24+10) symbols available if only lowercase letters (a-z) and digits (0-9) are used. And there is a big difference between 32^8 and 100^8.

But even weak passwords such as common dictionary words take several attempts to crack, which makes that trick very difficult, if not impossible, without stealing the password file, a feat that requires root access on modern Unix computers. This is because the number of login tries is in most cases limited to single digits. If you add protection by IP, then even weak passwords are strong enough. For example, Fidelity did not go out of business despite using purely numeric passwords for its accounts (to make it possible to use them when calling by phone). Many other "second rate" (technology-wise) firms disallow delimiters in passwords on their Web portals. Actually, the state of authentication security of many financial Web portals is cause for some concern.

Another important fact is that the power and usefulness of password crackers are greatly overhyped. First of all, if the password is checked for strength by the OS (in the simplest case that means length > 6, no dictionary word, combination of letters and numbers, combination of upper and lower case and at least one punctuation mark), then cracking it on regular computers without some additional information takes too much time, and it becomes next to impossible if the number of attempts is limited to, say, 7.

Before Snowden, I used a pretty simple 6 symbol password on most systems. Still, cracking it without some knowledge of the composition requires years of work: 6^100 is a pretty big number, bigger than the classic 2^64 (of the famous chess fable). But now I am paranoid and try to use AOL-style passwords of considerable length, different for each server.

Let me stress it again: unless you manage to steal the shadow file from some server, it's impossible to apply a cracker to the system. In most modern systems a stream of unsuccessful login attempts will be detected; most systems also block the account after five, seven, or eleven or so attempts (although it might be better to block the IP from which the attempts are coming). Of course, many Web portal implementations do not use the Unix scheme and store passwords explicitly, but that's another problem. Any system in which authentication is written the right way should not store the real password, only the encryption of some predefined string with this password (because of this the password can't be restored, only reset to a new randomly generated one, if the reset is done automatically).

If the reset is done automatically, it relies on a set of questions, and this is a considerable weakness, as people tend to be truthful in their replies to those questions. That means such information can often be deduced from their Facebook page or other social media sites. And it is not easy to instruct users not to give "truthful" answers and to pretend that they are another person (for whom the answers are true: one level of indirection).

In a Unix environment, in order to read the shadow file you usually need to be root or to have physical access to the server (and the possibility to reboot it). In such a case the only way cracking passwords can be useful is that many users use the same password on multiple sites. In the after-Snowden world this is a big no-no.

At first sight it looks like pure idiocy to reuse cracked accounts for attacking other servers. But it is not. Users and sysadmins often have the same password on multiple servers, and in the "after Snowden" world this is a very bad idea. You need to have some algorithm for individualizing the password for each account you have; no two identical passwords can be used any more. Now this is a must.

Users and sysadmins should now never use the same password on multiple servers; you need to have some algorithm for individualizing the password for each account. This is a must in the "After Snowden" world. On Unix servers the recommended minimum password length should now be no less than 10 or even 12, which of course is achievable only by adopting the "binary-words" AOL-style scheme of creating passwords or something similar.

The primary legitimate purpose of Unix password crackers is to detect and eliminate weak user passwords, but even this task is dubious: if the system is configured to disable an account, say for an hour after seven unsuccessful attempts, then even a weak password can withstand most attacks. But still, due diligence is not a bad strategy.
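The lockout rule just described (disable the account for an hour after seven failures), written out as an added example that is not part of the original page. The class and function names and the one-second-per-attempt pacing are assumptions; the guess list is the Mofei worm list quoted further down this page.

```python
from collections import defaultdict


class LockoutPolicy:
    """Lock an account for `lock_seconds` after `max_failures` bad logins."""

    def __init__(self, max_failures=7, lock_seconds=3600):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> time the lock ends

    def lock_expiry(self, account):
        """Time at which the current lock ends, or None if not locked."""
        return self._locked_until.get(account)

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is not None and now >= until:
            # Lock has expired: clear it and start counting afresh.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return until is not None

    def attempt(self, account, password_ok, now):
        """Record one login attempt; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(account, now):
            return "locked"                 # rejected without a password check
        if password_ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
        return "failed"

    def seconds_to_exhaust(self, candidates):
        """Lower bound on the time needed to try `candidates` guesses
        against one account: one full lock period per batch of guesses."""
        return ((candidates - 1) // self.max_failures) * self.lock_seconds


# Passwords tried by the Mofei worm, in the order listed on this page.
MOFEI_GUESSES = [
    "security", "super", "oracle", "secret", "root", "admin", "password",
    "passwd", "pass", "88888888", "888888", "00000000", "000000",
    "11111111", "111111", "111", "54321", "654321", "12345678", "1234567",
    "123456", "12345", "1234",
]


def simulate_guessing(policy, account, real_password, guesses, start=0):
    """Replay an online guessing run that waits out every lock.

    Returns (found, elapsed_seconds, attempts_made). One second per
    attempt is a constructed figure, not a measurement.
    """
    now = start
    made = 0
    for guess in guesses:
        if policy.is_locked(account, now):
            now = policy.lock_expiry(account)   # guesser sits out the lock
        result = policy.attempt(account, guess == real_password, now)
        made += 1
        if result == "ok":
            return True, now - start, made
        now += 1
    return False, now - start, made
```

Even the eighth word on a 23-entry list costs the guesser a full lock period, and every lock is a log event for the defender. The same counter keyed by source IP instead of account gives the per-IP blocking the text prefers, without locking out the legitimate user.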

It's important to understand that a "realistic" cracking scenario requires access to the password hashes and a very fast computer or, better, a computer farm. In most modern Unix systems (HP-UX is a notable exception) shadow files that contain password hashes are readable only by the root user. In a way, the introduction of the shadow file devalued the importance of crackers. Still, if hashes can be intercepted (for example, if NIS is used), crackers can be used against them.

The length of the password is now a very important parameter that by and large determines the security of your account (and the difficulty of cracking): longer passwords can be constructed only as multiword (phrase) passwords, and they usually cannot be cracked in a reasonable amount of time even if all the words are dictionary words. Passwords that consist of more than one word also defeat the optimization in which the whole dictionary is "pre-encoded" using the given algorithm and salt, and then a simple comparison is used to determine whether a given word was encoded or not. Also, many systems do not use salt; such systems can be attacked more effectively.

That means that it is extremely important to adopt the so-called "AOL scheme" of creating passwords: two short words connected with some delimiter (:, -, /, etc.), like faKe43-secuR55 or corolla2006@hoboken.


A brute-force attack on a password longer than 6 characters is rarely successful (unless done in a three-letter agency), especially if the AOL scheme of generating a long password from two short words with one or several delimiters between them is used. That's why it makes sense to enforce practices that help to create stronger passwords, and first of all to limit the minimal password length to at least 8. But even more important is to check the complexity of the password. As I mentioned above, the simplest complexity-ensuring scheme checks for the following five criteria of a strong password:

  1. Length > 15,
  2. No dictionary word,
  3. Combination of letters and digits,
  4. Combination of upper and lower case,
  5. At least one punctuation symbol or delimiter.

This is especially important for root passwords. See also Writing Passwords Down for additional recommendations.
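The five criteria above as a small checker, added here as an illustration and not taken from the original page. The function names and the `min_length` parameter are assumptions; the denylist is the Mofei worm password list quoted later on this page, standing in for a real dictionary.

```python
import string

# Passwords tried by the Mofei worm, as listed further down this page.
# A production check would use a much larger dictionary.
MOFEI_PASSWORDS = {
    "security", "super", "oracle", "secret", "root", "admin", "password",
    "passwd", "pass", "88888888", "888888", "00000000", "000000",
    "11111111", "111111", "111", "54321", "654321", "12345678", "1234567",
    "123456", "12345", "1234",
}


def core_word(password):
    """Lower-case the password and strip digits and punctuation from both
    ends, so that 'Oracle1!' is still recognised as the word 'oracle'."""
    return password.lower().strip(string.digits + string.punctuation)


def check_password(password, min_length=15, wordlist=MOFEI_PASSWORDS):
    """Return the names of the failed criteria (empty list = accepted)."""
    failures = []

    # 1. Length strictly greater than the configured minimum.
    if not len(password) > min_length:
        failures.append("length")

    # 2. Not a dictionary word, either as typed or once decorations
    #    (leading/trailing digits and punctuation) are removed.
    if password.lower() in wordlist or core_word(password) in wordlist:
        failures.append("dictionary")

    # 3. Letters and digits both present.
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        failures.append("letters+digits")

    # 4. Upper and lower case both present.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("mixed case")

    # 5. At least one punctuation symbol or delimiter.
    if not any(c in string.punctuation for c in password):
        failures.append("punctuation")

    return failures


if __name__ == "__main__":
    # Example passwords taken from the page, plus two weak ones.
    for pw in ("faKe43-secuR55", "corolla2006@hoboken", "Oracle1!", "111111"):
        print(pw, check_password(pw, min_length=6))
```

With the "length > 6" variant quoted earlier on the page, faKe43-secuR55 passes all five checks; under "Length > 15" it fails on length alone (it is 14 characters long).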

It is very important to mix upper and lower case in a password: that measure alone doubles the size of the alphabet and, for 8-character passwords, makes a brute-force attack approximately 256 times longer (2^8).

Enforcing the use of at least one digit and one delimiter raises the size of the alphabet to almost a hundred, making passwords of 8 or more characters immune to brute-force attack (100^8=10^80, which is more than 2^240). So cracking in this case is an interesting theme for theoretical discussion, not so much for practice.

So the drive for strong passwords that is typical of the enterprise environment should be navigated with extreme caution. It is very easy to go overboard with this, and excessive zeal backfires. Naive Unix administrators who, after reading some superficial security book, try to enforce Draconian schemes on unsuspecting users (random passwords or overly complex password schemes) usually weaken security due to the unanticipated side effects of such actions.

If you need military-grade security, a smart card or SecurID is a better way than torturing your users with unreasonable or outright silly demands. For the same reason, changing passwords in less than 90 days is not recommended. If you need shorter periods, SecurID or a smart card is your friend, but please do not impose stupid paranoid measures on users just because you don't understand their consequences. Again, limiting the IP space for login is a much better security measure that should be implemented first.

Recovering lost passwords

If it's the administrator (root) password that is lost, there's almost always a way to bypass OS security by booting from CD and changing it after mounting the filesystem (the exact details depend on the Unix flavor; for Solaris the procedure can be found at Solaris root password recovery).

If you're looking for a way to recover a lost password for an encrypted file, the situation is usually pretty grim. A typical situation is when an archive (zip or rar) or a Microsoft document or spreadsheet is encrypted and the password is lost. Here you need to work two ways:

Old Unixes use DES-based hashing, and passwords are limited to just 8 characters, which is a major disadvantage. Better, MD5-based hashes that permit passwords longer than 8 characters originated in FreeBSD and are now also used in Linux and Solaris 10. In this case it is strongly recommended that users switch to the "AOL scheme": two short words connected with some delimiter (:, -, /, etc.), like faKe43-secuR55 or corolla2006@hoboken.

From the USENET: "A password should be like a toothbrush. Change it regularly; and DON'T share it with friends."  Elements of good password policy include

Passwords are your main defense against intruders. To protect your system and your data, you must select good passwords, and you must protect them carefully.

Once you've been authenticated, the system uses your ID (and the security information associated with it) to determine what you're allowed to do in the system. The system uses this information to make access decisions. For example, if you try to modify a sensitive file, the system checks your authenticated user ID against the list of IDs representing users who are authorized to read and write the data in that file. Only if your ID appears in that list will the system allow you to access the file. (File access is discussed in "Data Access: Protecting Your Data" later in this chapter.)

Secure systems use your ID to maintain individual accountability–in other words, to keep track of what you're doing in a system, particularly if you're affecting security in any way. If Jack Hacke repeatedly tries to access files he's not authorized to view, the system will know! (The discussion of auditing in Chapter 6, Inside the Orange Book, describes how this tracking works.)

At one time, a system cracker would have to try to guess your password, one password attempt at a time (a so-called brute force attack). Like everything else, this process has been automated. Crackers now use computers to do the guessing. In theory, the longer the password, the longer it takes to try every combination of characters. For example, with a password containing eight random characters, there are 2,800,000,000,000 combinations; even with a computer capable of guessing one million passwords per second (a lot faster than the machine your average cracker is likely to be using!), figuring out the right combination would take an average of forty-five years.

The problem is, users don't select random, or even decently secure passwords, and a cracker doesn't need to figure out your password–any password will do. Unfortunately, users typically pick passwords that are laughably easy to guess–their initials, their children's names, their license plates, etc. Studies indicate that a very large percentage of users' passwords can easily be guessed. With the help of online dictionaries of common passwords (English words, names of people, animals, cars, fictional characters, places, and so on), crackers are quite likely to be able to guess a good many of the passwords most people are likely to choose. But if you select a good password (see the hints in the inset), an intruder shouldn't be able to guess it–with or without a dictionary.

Hints for Picking Passwords

If you're allowed to choose your own password, pick passwords that are hard to guess. Here are some suggestions:

The best passwords contain mixed uppercase and lowercase letters, as well as at least one number and/or special character. The password you pick doesn't need to be gibberish. In fact, if it is, you'll be tempted to write it down, defeating the purpose of your careful selection. Some suggestions are:

Your ID is associated with all of the processes you create. In many systems, you can effectively change your identity to that of another user; in traditional, untrusted UNIX systems, for example, you do this with the su command. When you change identity, the system may lose its ability to keep track of who's doing what. In secure systems, the system may still allow you to change identity, but it typically keeps track of your original identity as well, so processes you create are still stamped with your "real" ID.

Systems typically maintain a file containing information about your privileges and characteristics; in some systems, this is called a security profile, an authentication profile, or a user list. Your profile might tell the system what your clearance is (e.g., SECRET), whether you're allowed to change your own password, whether you can log in on weekends, whether you can run backup programs and other privileged programs, and a myriad of other information. In some cases, your profile is in the same file as the password list; in other cases, the information might be kept in separate files. In any case, it's vital that your system protect this information; any compromise can jeopardize the security of the entire system.

One of the important pieces of information that appears in your authentication profile or user list is an indication of what kind of user you are. Most systems support several categories of users, or roles; a typical set includes regular users, a system administrator, and an operator. Highly secure systems may define a security officer as a separate category. Each category of user has specific privileges and responsibilities–for example, specific programs the user can run. The system administrator, for example, may effectively be able to do anything in the system, including overriding or circumventing security requirements. The power of the system administrator is a major issue in secure systems; see the discussion of administrative controls and least privilege in Chapter 5, Secure System Planning and Administration.

Protecting Passwords

Access decisions are the heart of system security, and access decisions are based on passwords, so it's vital that your system protect its passwords and other login information.

Most systems protect passwords in two important ways: they make passwords hard to guess and login controls hard to crack, and they protect the file in which passwords are stored.

Most vendors offer a whole smorgasbord of login controls and password management features that the system administrator can mix and match to provide optimal protection of a particular system. Because these security features are commercially attractive and relatively easy to implement, most systems tend to have a lot of them.

| Feature | Meaning |
|---|---|
| System messages | Most systems display welcome and announcement messages before and/or after you successfully log in. Some systems allow the system administrator to suppress these messages, because they may provide a clue to an observer as to the type of system being accessed. If an intruder dials in and finds out he's talking to a VMS system, for example, that's a valuable clue. |
| Limited attempts | After a certain number of unsuccessful tries at logging into the system (the number can be specified by the system administrator), the system locks you out and prevents you from attempting to log in from that terminal. Some systems lock you out without informing you that this has happened. This allows for the possibility of taking evasive action–identifying the account as a suspicious one without letting you know you're under investigation. |
| Limited time periods | Certain users or terminals may be limited to logging in during business hours or other specified times. |
| Last login message | When you log in, the system may display the date and time of your last login. Many systems also display the number of unsuccessful login attempts since the time of your last successful login. This may give you a chance to discover that your account was accessed by someone else–for example, by noticing a login in the middle of the night or by noticing a pattern of repeated attempts to log in. If you weren't responsible for these attempts, notify your system administrator right away. |
| User-changeable passwords | In many systems, you're allowed to change your own password at any time after its initial assignment by the system administrator. |
| System-generated passwords | Some systems require you to use passwords generated randomly by the system, rather than relying on your own selection of a difficult-to-guess password. The VAX/VMS Version 4.3 system, and many other systems, ensure that these passwords are pronounceable. Some systems let you view several random choices from which you can pick one you think you'll be able to remember. A danger of system-generated passwords is that they're often so hard to remember that users may tend to write them down. Another danger is that if the algorithm for generating these passwords becomes known, your entire system is in jeopardy. |
| Password aging and expiration | When a specified time is reached–for example, the end of the month–all passwords in the system may expire. The new passwords usually must not be identical to the old passwords. The system should give reasonable notice before requiring you to change your password; if you have to pick a password quickly, you're likely to pick a poor one. In some systems, the system administrator can respond to a security breach by forcing a particular password, or all passwords, to expire immediately. This controls further access to the system until the damage can be assessed. The system may keep track of your passwords for an extended period to make sure you don't reuse one that might have been guessed. |
| Minimum length | Because short passwords are easier to guess than long ones, some systems require that passwords be a certain length, usually six to eight characters. |
| Password locks | Locks allow the system administrator to restrict certain users from logging in or to lock login accounts that haven't been used for an extended period of time. |
| System passwords | System passwords control access to particular terminals that might be targets for unauthorized use. Usually a system password must be entered before you enter your individual password. |
| Primary and secondary passwords | Some systems require that two users, each with a valid password, be present to log in successfully to certain extremely sensitive accounts. |
| Dial-in password | Some systems require that special passwords be used to access dial-in lines. |

Protecting Your Password in Storage

Every system needs to maintain its authentication data. Typically, valid passwords are stored in a password file. This file typically is accessed only under certain limited circumstances–when a new user is registered, when you change your password, or when you log in and need to be authenticated.

Protection of passwords is extremely critical to system security. Systems commonly use both encryption and access controls to protect password data.

Encryption.
Most systems encrypt the data stored in the system's password file. Encryption (described in Chapter 7) transforms original information into altered information that usually has the appearance of random text. Encryption ensures that even if file security is somehow breached, the intruder won't be able to read the passwords in the file; they'll look like gibberish.

Most systems perform one-way encryption of passwords. One-way encryption means that the password is never decrypted–that is, deciphered into its original form. When the system administrator supplies you with your initial password, it's encrypted before it's stored in the password file. The original password is not preserved, not even in memory. Each time you log in and enter your password, the system encrypts the password you enter and compares the encrypted version with the encrypted password stored in the password file to be sure you've entered a valid password. Remember too that the password is never displayed on the terminal screen.
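One-way storage and verification as described above, together with the salt point made earlier on the page (a pre-encoded dictionary only works against unsalted hashes). This is an added example, not code from the original text: it uses PBKDF2-HMAC-SHA256 from Python's standard library rather than the crypt(3) scheme the page refers to, and the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: raise as far as login latency allows


def make_record(password, salt=None):
    """Return the string to store in the password file. The password
    itself is never stored; a fresh random salt is drawn per record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS, salt.hex(), digest.hex())


def verify(password, record):
    """Re-derive the hash from the typed password and the stored salt,
    then compare in constant time. Nothing is ever decrypted."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_hash(password):
    """The weak form for comparison: a bare, unsalted hash. Identical
    passwords always produce identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(words):
    """The 'pre-encoded dictionary': hash every word once, reuse forever."""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(stored_hex, table):
    """Look a stored hash up in the table; None when there is no match."""
    return table.get(stored_hex)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    table = precomputed_table(["oracle", "admin", "root"])
    alice, bob = make_record("oracle"), make_record("oracle")
    print("records differ:", alice != bob)
    print("unsalted lookup:", crack_with_table(unsalted_hash("oracle"), table))
    print("salted lookup:  ", crack_with_table(alice.split("$")[3], table))
    print("login check:    ", verify("oracle", alice), verify("Oracle", alice))
```

With a per-record salt the dictionary has to be re-hashed for every account, at the full iteration cost, which is why the shadow file's access controls and the hash scheme work together rather than as alternatives.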

Access Controls.
Even encrypted passwords might be able to be cracked by a determined foe. Many systems store encrypted password data in files known as shadow password files, which have the most restrictive protection available in the system. In most systems, access is limited to the system administrator, usually by specifying only the administrator's ID in an access control list (ACL) on the file. (See the discussion of access control lists in the next section.)



Old News ;-)

[Nov 05, 2015] Six Tricks for Using Your Biography to Make Strong Passwords By Brady Dale

Most tips for picking a strong password make it harder, not easier. These tips make it easier.
Oct 25, 2015 | observer.com

Like a lot of people, I cycle through a small collection of passwords that I have been using for a decade or more. This is not the greatest security practice, I admit, but the world is so riddled with requests to log-in in different places and so many of them are so not very important (did you hack my IMGUR account? Oh gee! Did you post something I didn't really say on that Star Wars newsgroup? Heavens!). Security is important, but I get where the guy who posted all his passwords online is coming from.

That said, we understand poorly how vulnerable we are, as two nice guy hackers recently demonstrated to a volunteer grandmother who thought she was too off-line to get hacked. Incorrect.

Err on the side of security. I make passwords that will crush your puny decryption programs, and here's the truth: it's not hard. Most of the advice out there isn't very helpful, though. It makes coming up with passwords sound complicated. "Use four upper-case letters with three lower-case following them and symbols on every third Tuesday." Amirite?

That's intimidating. My tips get you there much more easily.

You have information in your head that easily converts to really strong passwords. You just need to look in the right places.

Here's some examples of stuff you know already that easily converts to strong passwords that you can remember (because you've known it for years):

Any of these ideas make for memorable passwords that will protect you better than "12345" or "password." And while I want to encourage you to use biographical information, ask yourself whether or not it could be easily discovered by looking at your LinkedIn or Facebook profile. Don't use your kid's name, your spouse's name, your birthday, your anniversary or your kid's birthdays.

Also, apparently a lot of you are using "iloveyou." Seriously: how do you live with yourself?

Another helpful property of biographical passwords is that you can write down hints somewhere in ways that you'll know what you mean, but would still make it hard for an adversary.

Take the last example. Your reminder for an account could be a clue like "Graduations." Someone might be able to work it out from there if they were really determined, but it would take time.

For really important accounts, though (your bank accounts, Paypal, Google, Apple, etc.), opt-in to two-factor authentication. Two factor authentication combines your password with some other piece of information that is sent to you. Google has an app for it. Paypal and banks like to shoot you texts or emails. Apple has built it into its latest operating systems, but you need to turn it on (so, turn it on).

I have a confession to make: I once fell for a phishing attack on my Paypal account. I realized what I'd done as soon as I finished doing it, but it was too late: The hackers got my password. As savvy as I am about these things, sometimes you get caught on a bad day, and you do dumb things. It didn't matter, though. I'd enabled two-factor authentication on my Paypal account. So, when they did try to get in, they didn't have access to my mobile and couldn't see the code Paypal sent me.


[Jul 16, 2014] Microsoft tells internet users that they are 'better off' reusing old passwords than creating new ones by Chris Green

16 July 2014 | independent.co.uk

Internet users who are sick of endlessly memorising passwords would be much better off reusing the same one over and over, according to surprising research published by Microsoft.

Complex, unique passwords should only be used to access highly sensitive data such as a person's bank account, says the academic paper published by Microsoft Research, the R&D arm of the software firm. Simpler passwords should then be recycled for low-risk websites, the researchers argue.

... ... ...

The savvy web user should make a list of the websites they regularly visit and divide them into sensitive and non-sensitive piles, the paper says, devoting as much brainpower as possible to creating complex passwords for the former and as little as possible to the latter.

... "Despite violating long-standing password guidance, writing passwords down is, if properly done, increasingly accepted as a coping mechanism," they write.

"Other strategies to cope with the human impossibility of using strong passwords everywhere without re-use include single sign-on, use of email-based password reset mechanisms, and password managers."

The research was conducted by Dinei Florêncio and Cormac Herley from Microsoft Research and Paul C. van Oorschot from Carleton University in Canada.

[Mar 3, 2005] As the Mofei virus has shown, we might have some problems with the passwords used on some servers, especially on non-production Windows (for example, test) servers.

Usage of extremely weak passwords like "password", "admin", "oracle", '111111', etc. by administrators can be classified as negligence even if they are used on test/lab servers.

All passwords should generally consist of two independent parts connected with a delimiter, with some part or all enclosed in brackets, for example

[stron-456] or weak-{123} or (nyc)-9/11

which guarantees that the passwords used are not in any dictionary.

Those who completely lack imagination should probably use the cubicle number of the recipient of the password or their own (for example W-2124), or the nameplates of their cars, but never easily guessable dictionary words or digit sequences that contain the same or sequential digits (like in "111111" or "123456"). We will modify our policies and procedures accordingly, but meanwhile some awareness about this problem might help us to avoid further infections.

Here is the list of passwords that was used by the worm that represents a good list of "extremely weak" passwords that administrators should absolutely avoid.

  • security
  • super
  • oracle
  • secret
  • root
  • admin
  • password
  • passwd
  • pass
  • 88888888
  • 888888
  • 00000000
  • 000000
  • 11111111
  • 111111
  • 111
  • 54321
  • 654321
  • 12345678
  • 1234567
  • 123456
  • 12345
  • 1234

[May 01 2004] PCLinuxOnline

    Nameless writes:

    Passwords that should NEVER be used!

    Strong passwords are your first step in securing your systems. If a password can be easily guessed or compromised using a simple dictionary attack, your systems will be vulnerable to hackers, worms, Trojans, and viruses.

    Trojan, virus, and worm authors have had great success attacking systems with weak and/or default passwords. Take IRC/Flood Trojan for example. McAfee's virus profile states that IRC/Flood has over 120 variants and has infected over 60,000 machines in the last 30 days. IRC/Flood succeeds by checking for 22 different easy to guess admin passwords (variants vary). Unfortunately, there are a lot more where IRC/Flood came from, W32/Tzet.worm, W32/Random.worm, and W32.HLLW.Gaobot.gen are in the wild just to name three.

    Hackers also have no problem compromising systems with weak passwords. Programs like L0phtCrack for example make the process simple and efficient. Creating a password-cracking dictionary is not even a challenge. Type the words "Creating Password Cracking Dictionaries", without the quotes, into your favorite search engine. A comprehensive dictionary can be downloaded or created from scratch in short order.

    Below is a list of commonly used weak passwords that should NEVER be used. If any of these passwords look hauntingly familiar and are being used, you need to change the password immediately.

    Alpha Weak Passwords
    A a, A.M.I, A52896nG93096a, aaa, aammii, abc, abcd, academia, academic, accept, access, ACCESS, account, accounting, action, adam, ADAMS, adfexc, adm, admin, ADMIN, Admin, admin2, administrator, Administrator, adminttd, ADMN, admn, adrian, adrianna, adtran, adult, Advance, ADVMAIL, aerobics, alfarome, ALFAROME, ALLIN1, ALLIN1MAIL, ALLINONE, aLLy, ALLy, alpha, AM, AMI, AMI!SW, AMI.KEY, AMI.KEZ, AMI?SW, AMI_SW, AMI~, AMIAMI, AMIDECOD, amipswd, AMIPSWD, AMISETUP, anicust, anon, anonymous, any@, ANYCOM, AP2SVP, aPAf, APL2PP, APPLSYS, APPS, AQDEMO, AQUSER, ARCHIVIST, Asante, ascend, Ascend, asdf, asdfgh, at4400, attack, AURORA$ORB$UNAUTHENTICATED, AURORA@ORB@UNAUTHENTICATED, autocad, AUTOLOG1, Award, award, AWARD?SW, AWARD_SW, awkward
    B BACKUP, BATCH, BATCH1, BATCH2, bbs, bciim, bciimpw, bcms, bcmspw, bcnas, bcnaspw, bell9, BIGO, bin, bintec, BIOS, BIOSPASS, biosstar, biostar, Biostar, BIOSTAR, BLAKE, blue, bluepw, boss, BRIDGE, browse, browsepw
    C c, cablecom, cable-docsis, cangetin, CAROLIAN, cascade, CATALOG, cc, CCC, ccrusr, CDEMO82, CDEMOCOR, CDEMORID, CDEMOUCB, central, CHANGE_ON_INSTALL, changeme, checkfs, checkfsys, checksys, CHEY_ARCHSVR, circ, cisco, Cisco router, CLARK, client, CLOTH, cmaker, CMSBATCH, CMSUSER, CNAS, COGNOS, Col2ogro2, comcomcom, COMPANY, Compaq, Compleri, computer, CONCAT, condo, CONDO, Congress, CONV, CPNUC, CPRM, cr0wmt 911, craft, craftpw, Crystal, CSPUSER, CTX_123, CTXDEMO, CTXSYS, cust, custpw, CVIEW
    D d.e.b.u.g, d8on, daemon, Daewuu, Database, databse, DATAMOVE, Daytec, DBSNMP, DCL, DDIC, death, debug, DECMAIL, DECNET, default, DEFAULT, Dell, DEMO, demo, DEMO1, DEMO8, DEMO8, demos, deskalt, deskman, desknorm, deskres, DESQUETOP, dhs3mt, dhs3pms, diag, diamond, DIGITAL, DISC, disttech, D-Link, dn_04rjc, dni, DS, DSA
    E EARLYWATCH, echo, EMP, enable, eng, engineer, enquiry, enquirypw, enter, ESSEX, EVENT, Ezsetup
    F fal, FAX, fax, FAXUSER, FAXWORKS, FIELD, field, FIELD.SUPPORT, FINANCE, FND, foobar, friend, ftp
    G g6PJ, games, ganteng, GATEWAY, GEN1, gen1, GEN2, gen2, glftpd, gnumpf, god, godblessyou, gonzo, gopher, GPLD, gropher, guessme, guest, GUEST, Guest, guest1, GUESTGUE, guestgue, GUESTGUEST
    H h6BB, hacker, halt, HARRIS, hax0r, HELGA-S, HELLO, hello, HELP, help, HELPDESK, HEWITT RAND, hewlpack, HLT, home, Home, HOST, HP, hp, HPDESK, HPLASER, HPOFFICE, HPOFFICE DATA, HPONLY, HPP187, HPP187 SYS, HPP189, HPP196, HPWORD PUB, hydrasna
    I I5rDv2b2JjA8Mm, ibm, IBM, ibmcel, ihavenopass, ILMI, inads, indspw, INFO, informix, INGRES, init, initpw, install, Internet, IntraStack, IntraSwitch, INTX3, INVALID, IPC, IS_$hostname, ITF3000, iwill
    J j09F, j256, j262, j322, j64, JDE, Jetform, JONES
    K kermit, kiddie, komprie, ksdjfg934t
    L l2, l3, laflaf, lantronix, LASER, LASERWRITER, last, lesarotl, letacla, letmein, LIBRARY, lineprin, LINK, lkw peter, lkwpeter, LKWPETER, Lkwpeter, llatsni, locate, locatepw, login, looker, LOTUS, love, lp, lpadm, lpadmin, lucenttech1, lucenttech2, lynx
    M MAIL, mail, MAILER, maint, maintain, maintpw, man, manager, Manager, MANAGER, MANAGER.SYS, Master, MASTER, masterkey, MBIU0, MBMANAGER, MBWATCH, mcp, MDSYS, me, merlin, mfd, MFG, MGR, MGR.SYS, MICRO, MILLER, mirc, mlusr, mMmM, MMO2, MODTEST, monitor, MOREAU, mountfs, mountfsys, mountsys, MPE, mtch, mtcl, MTYSYS, my_DEMARC, mypass, mypc
    N n/a, naadmin, NAMES, ncrm, NETBASE, NETCON, NETFRAME, NetICs, netlink, netman, NETMGR, NETNONPRIV, NETOP, netopia, NETPRIV, netrangr, netscreen, NETSERVER, NETWORK, NEWINGRES, NEWS, news, NeXT, NF, NFI, NICONEX, nms, nmspw, nobody, noway, NONPRIV, ntacdmax, nuucp
    O OCITEST, oem_temp, op, OP.OPERATOR, operator, OPERATOR, OPERVAX, oracle, ORDPLUGINS, ORDSYS, OUTLN, OutOfBox, owner
    P PAPER, pass, PASS, Pass, passwd, Passwd, PASSWORD, password, Password, pat, patrick, PBX, pc, PCUSER, PDP11, PDP8, PFCUser, PHANTOM, phoenix, piranha, pmd, PO, PO8, poll, Polrty, POST, Posterie, postmast, POSTMASTER, postmaster, POWERCARTUSER, powerdown, PRIMARY, prime, primenet, primeos, primos, primos_cs, PRINT, PRINTER, PRIV, private, prost, PSEAdmin, public, PUBSUB, pw, pwd, pwp
    Q q, Q54arwms, QDI, qpgmr, qsecofr, qserv, qsrvbas, qsvr, qsysopr, quser, qwer
    R raidzone, rcust, rcustpw, RE, read, readonly, readwrite, REGO, REMOTE, replicator, REPORT, RJE, rje, RM, RMAIL, rmnetlm, RMUser1, ro, ROBELLE, ROOT, root, Root, ROOT500, ROUTER, router, RSBCMON, RSX, rw, rwa, rwmaint
    S sa, SABRE, SAMPLE, san fran 8, SAP*, satan, SCOTT, script, scriptkiddie, SECDEMO, secoff, secofr, secret, secure, security, SECURITY, SER, sertafu, server, service, SERVICE, servlet, SETUP, setup, sex, shutdown, signa, SKY_FOX, sldkj754, smile, snake, SnuFG5, software, sp99dd, Spacve, spcl, speedxess, SPOOLMAN, spooml, star, STEEL, STUDENT, su, Super, super, SUPERVISOR, support, SUPPORT, supportpw, switch, SWITCHES_SW, Sxyz, SY_MB, sybase, sync, synnet, SYS, sys, sysadm, SYSADM, sysadmin, sysbin, SYSDBA, SYSLIB, syslib, SYSMAINT, SYSMAN, Sysop, system, SYSTEM, system_admin, SYSTEST, SYSTEST_CLIG, syxz, SZYX
    T t0ch20x, t0ch88, TCH, teacher, tech, technolgi, tele, TELEDEMO, TELESUP, temp, temp1, TEST, test, testing, teX1, tiara, TIGER, tini, Tiny, tlah, topicalt, topicnorm, topicres, Toshiba, toshy99, tour, TRACE, TRACESRV, trancell, trouble, TSDEV, TSEUG, TSUSER, TTPTHA, tutor, TzqF
    U uClinux, UETP, umountfs, umountfsys, umountsys, unix, User, user, USER, USER_TEMPLATE, USER0, USER1, USER2, USER3, USER4, USER5, USER6, USER7, USER8, USER9, USERP, uucp, uucpadm, uwontguessme
    V VAX, VESOFT, Vextrex, VMS, VNC, VRR1
    W WANGTEK, web, WebAdmin, WebBoard, webdb, weblogic, webmaster, win, WINDOWS_PASSTHRU, WINSABRE, winterm, wodj, WOOD, WORD, WP, wradmin, write, www
    X xljlbj, XLSERVER, xo11nE, xp, xxx, xxxx, xxxxx, xxxxxx, xxxxxxx, xxxxxxxx, xxxxxxxxx, xyzall
    Y YES, youwontguessme, yxcv
    Z zbaaaca, Zenith, zeosx, zxcv
    Numeric 0, 1, 1.1, 2, 5, 7, 12, 30, 110, 111, 123, 1111, 1234, 2002, 2003, 2222, 2600, 8429, 12345, 54321, 111111, 121212, 123123, 123456, 166816, 256256, 654321, 1234567, 1322222, 7061992, 11111111, 12345678, 19920706, 22222222, 88888888, 123456789, 1. 1, 1234qwer, 123abc, 123asd, 123qwe, 1RRWTTOOI, 240653C9467E45, 24Banc81, 3098z, 3ep5w2u, 4Dgifts, 4getme2, 4tas, 57gbzb
    Other !@#$, !@#$%, !@#$%^, !@#$%^&, !@#$%^&*, !root, $ALOC$, $secure$, $system, %username%12, %username%123, %username%1234, (none), ?award, }
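
The list above contains case variants (admin, ADMIN, Admin), reversed words (llatsni, tlah) and `%username%` templates, so an exact string comparison against it misses most of what it is meant to catch. The following Python check for a password-change hook is an added example, not code from the quoted article or from Softpanorama; the function names and the short `DENYLIST_SAMPLE` excerpt are assumptions made here, and the reversed-match rule generalizes beyond the literal entries.

```python
# Added example: deny-list check for a password-change hook.
# DENYLIST_SAMPLE is a constructed excerpt of the list above, not the full list.
DENYLIST_SAMPLE = [
    "admin", "Administrator", "changeme", "CHANGE_ON_INSTALL", "install",
    "letmein", "password", "qwer", "123456", "1234qwer", "!@#$%^",
    "%username%12", "%username%123", "%username%1234",
]
PLACEHOLDER = "%username%"


def build_denylist(entries):
    """Split entries into case-folded literals and %username% templates."""
    literals, templates = set(), []
    for entry in entries:
        if PLACEHOLDER in entry:
            templates.append(entry.casefold())
        else:
            literals.add(entry.casefold())
    return literals, templates


def rejection_reason(password, username, literals, templates):
    """Return why the password is refused, or None if the list does not object."""
    if not password.strip():
        return "empty password"
    folded = password.casefold()
    user = username.casefold()
    if folded in literals:
        return "listed weak password"
    if folded[::-1] in literals:
        return "reversed listed password"
    if user and folded in (user, user[::-1]):
        return "same as username"
    for template in templates:
        if user and folded == template.replace(PLACEHOLDER, user):
            return "username plus listed suffix"
    return None


LITERALS, TEMPLATES = build_denylist(DENYLIST_SAMPLE)

if __name__ == "__main__":
    # Constructed inputs: (candidate password, account name)
    for pw, user in [("ADMIN", "bob"), ("llatsni", "bob"), ("JSmith123", "jsmith"),
                     ("", "bob"), ("vX7#kq!mR2pd", "bob")]:
        print(repr(pw), "->", rejection_reason(pw, user, LITERALS, TEMPLATES))
```

A `None` result only means the deny-list has no objection; length and lockout rules still apply separately.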

    FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.

    Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

    Last modified: September 12, 2017