Passwords and your users
Chicken
01-04-03, 07:19 PM
When I choose passwords for my accounts (be it FTP, email, SSH, mySQL, etc.), I choose 8+ character combinations of upper/lower letters, numbers and symbols. One thing I've noticed is that when users email in about a problem, they have changed the password to something a drunk monkey could accidentally type, like:
Eye doctor site:
username: Bill
password: eyedoc
Someone just emailed me with an email problem and her password was "cat". Her damn site is all about friggin' cats!
The reason I posted this in Fraud, Abuse, & Security is that I wondered if anyone ever had a box cracked due to users like this. Obviously there's a risk of the site being taken down, but beyond that...
"cat" :rolleyes: is not a password!
Edit: She doesn't have SSH access, so hopefully the amount of damage would be limited to her site. I think.
DizixCom
01-04-03, 08:06 PM
OMG YES! This is a huge problem.
I cannot believe the number of people with extremely simple passwords and absolutely no regard for the security of even their own accounts.
A few weeks ago I had a customer who sent me an email claiming "Your server has been hacked and all of my stuff is messed up!" It ended up being his own site that was compromised: he used the same password as his username, and he used his username publicly in the forum he ran. Needless to say it took a bit of work to send my response to him and explain that it was only his site that was affected, and that is when he came clean, saying something to the effect of "It never seemed important."
Funny thing, the account transferred to another provider recently because of bandwidth charges he thought were unfair, and in his forums he continued to talk the talk that it was "my" server that was hacked and he was leaving to get away and that we could shove our underground servers up our arse. Egos can really be annoying sometimes. :bowdown: And all this after I painstakingly went through two-day-old backups to restore his site. Grrrr.
:uzi: :soapbox: :crazy: :splat:
Yes, we also experience this issue, and I'm pretty sure every web host/company who deals with customers who have a username/password has this issue. As DizixCom stated with the dead-on giveaway example, we've also had a few of these. Some examples of bad passwords w/ usernames:
Username: george
Password: bush
Username: cat
Password: dog
and so on...
Our systems do not allow all-lowercase passwords... They must be MiXeD characters. Maybe have your admins write new password scripts to prevent all lowercase.
maxhest
01-05-03, 11:54 AM
Usually I have different passwords, maybe long, maybe short. I usually get them from funny quotes.. :)
ffeingol
01-05-03, 01:14 PM
I used to be on one host and they just changed the permissions on the passwd file. If you wanted to change your password, you had to submit it to them first (for idiot checking).
Another host ran crack/john the ripper. If they could crack your password, you had something like 48 hours to change it or they locked the account.
Both are somewhat extreme, but not totally bad ideas.
Frank
maxhest
01-05-03, 03:44 PM
Really, that is extreme.. :)
ffeingol
01-05-03, 05:27 PM
Locking passwd was a bit extreme, but I like the idea of running crack/john the ripper. If someone's account can be broken into, that has the potential of bringing the whole server down.
That's not good for the customers or the business.
Frank
Originally posted by ffeingol
Locking passwd was a bit extreme, but I like the idea of running crack/john the ripper. If someone's account can be broken into, that has the potential of bringing the whole server down.
It's all in the delivery: if you explain to customers that this is being done for their benefit and for the protection of their site and all the other sites on the server, they will probably be more understanding (MOST OF THE TIME).
If worse comes to worst, tell them it is a Homeland Security Issue :D.
Chicken
01-08-03, 05:01 AM
Originally posted by allan
If worse comes to worst, tell them it is a Homeland Security Issue :D.
Be sure to mention the buzz phrase, "Weapons of mass destruction..."
ffeingol
01-08-03, 05:27 AM
Actually, the host that did this explained it very clearly in their welcome letter. It was stated that they ran a password cracking program and that if they could crack it, it would need to be changed within x hours or the account would be locked.
They were not "cancelling" your account. You simply had to contact their support staff to get the password reset.
As a client on a shared hosting server, this did give me a warm-fuzzy. You don't want some bozo with an easy password bringing down the whole server.
Frank
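The password-change script the earlier post suggests admins write (reject all-lowercase and username-derived passwords) and the dictionary test this host got from running a cracker after the fact can both be applied at the moment a customer picks a password. This is an added example, not code from anyone in this thread or from any host mentioned; the wordlist and site words are constructed, and a real deployment would load a full dictionary plus words taken from the customer's own site.

```python
import re

# Constructed sample wordlist: a real check would load a dictionary file.
COMMON_WORDS = {"cat", "dog", "bush", "eyedoc", "password", "letmein", "admin"}
MIN_LENGTH = 8


def password_problems(username: str, password: str, site_words=()) -> list:
    """Return every policy violation for a proposed password (empty = accepted).

    Checks: minimum length, mixed case, a digit and a symbol, not equal to or
    containing the username, and not a dictionary word or a word tied to the
    customer's own site (e.g. "cat" on a site about cats).
    """
    problems = []
    lowered = password.lower()
    user = username.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("must mix upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("must contain a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain a symbol")
    if user and lowered in (user, user[::-1]):
        problems.append("must not equal the username (or its reverse)")
    elif user and user in lowered:
        problems.append("must not contain the username")
    # Strip leading/trailing digits and symbols so "cat1!" is still caught.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    words = COMMON_WORDS | {w.lower() for w in site_words}
    if lowered in words or core in words:
        problems.append("is a dictionary or site-related word")
    return problems


def is_acceptable(username: str, password: str, site_words=()) -> bool:
    return not password_problems(username, password, site_words)
```

Every violation is reported at once so the customer can fix them all in one go rather than being bounced back repeatedly.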
Originally posted by ffeingol
Actually, the host that did this explained it very clearly in their welcome letter. It was stated that they ran a password cracking program and that if they could crack it, it would need to be changed within x hours or the account would be locked.
Welcome letter, who reads those :D?
Originally posted by allan
Welcome letter, who reads those :D?
LOL...you got that right!! :D
Chicken
01-08-03, 04:02 PM
Yeah, I have noticed that many of the first questions people ask were answered in the welcome letter, so apparently nobody reads it beyond their FTP username and password.
maxhest
01-08-03, 04:16 PM
Welcome letters, they are long and contain stuff that is important.. Hehe. Oh well, I just get a support ticket on the stuff I need them for :)