Sniffing Passwords is Easy

Sniffing Passwords is Easy.

From InfoWorld:

She said about half the hotels use shared network media
(i.e., a hub versus an Ethernet switch), so any plain text password you
transmit is sniffable by any like-minded person in the hotel. Most
wireless access points are shared media as well; even networks
requiring a WEP key often allow the common users to sniff each other's
passwords.

She said the average number of passwords collected in an overnight
hotel stay was 118, if you throw out the 50 percent of connections that
used an Ethernet switch and did not broadcast passwords.

The vast majority, 41 percent, were HTTP-based passwords, followed
by e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percent were
composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types.

As a security professional, my friend often attends security
conferences and teaches security classes. She noted that the number of
passwords she collected in these venues was higher on average than in
non-security locations. The very people who are supposed to know more
about security than anyone appeared to have a higher-than-normal level
of remote access back to their companies, but weren't using any type of
password protection.

At one conference, she listened to one of the world's foremost Cisco
security experts as his laptop broadcast 12 different log-in types and
passwords during the presentation. Ouch!

I am interested in analyzing that password database. What percentage
of those passwords are English words? What percentage are in the common
password dictionaries? What percentage use mixed case, or numbers, or
punctuation? What's the frequency distribution of different password
lengths?

Real password data is hard to come by. There's an interesting research paper in that data.   [Schneier on Security]

Leave a comment