
Don't use 1234 as your password - floorlamp
http://nortonwang.com/2013/11/dont-use-1234-as-your-password/
======
dangrossman
The very first time I tried Linux, after spending an entire day downloading
Slackware, copying it to a set of install diskettes, partitioning a hard drive
and installing it, I set my root password to "12345".

I was around 10 at the time, 1995 plus or minus a year or two.

After booting for the first time, I dialed up AOL and logged on to a
Linux-topic IRC channel. I talked to the strangers there about how excited I
was to try Linux for the first time.

I quit my IRC client and typed "ls". Command not found. I tried "uptime".
Command not found. "cd". Command not found.

While I was on IRC, someone had telnet'd in, guessed my stupidly simple
password, and rm -rf'd the whole hard disk. I cried over breaking the computer
and had to be consoled by my parents. I never used a common password again.

I now miss the days when hackers and viruses alike just wanted to delete your
files or print messages on your screen. Secretly taking over your
still-functioning system is much nastier.

~~~
bobf
I had a similar experience around the same age and year, except it was with
FreeBSD. I got it to boot once, then tried to change the bootloader setup to
allow dual booting with the existing MS-DOS 5.x installation. You can imagine
how well that went, as a 10 or 11 year old with no previous FreeBSD/Linux
experience. My parents were not quite so understanding about why I had broken
their $3000+ computer and lost all their files. It took a few days, but I
eventually managed to fix the MBR by reinstalling MS-DOS. Imagine my surprise
when I booted into MS-DOS and found out that the files were still there!

~~~
saiko-chriskun
LOL I did the exact same thing with my parents' computers back then >:D

------
PhasmaFelis
I'm pretty sure, based on that post, that you have a fair bit more system
administration experience than I do, which makes the whole thing even more
boggling.

I feel like a professional auto mechanic is telling me, all serious-like, that
he just learned the hard way why you shouldn't try to drive while running
alongside your car, reaching through the window to work the steering wheel,
with a brick on the accelerator.

~~~
bdunbar
It takes a real professional to admit when he's screwed up.

Or.

The more skilled one is, the more confident one is that he can do dumb things
and get away with it.

------
kristopolous
I found a 68K SGI Iris 2400 machine up and running in college in about 2004.
It had a sticker with the hostname on it. Later on that week, I went to the
department homepage, got the staff roster and tried to guess the usernames.

I telnetted to port 25 and tried RCPT TO hypothesized names, like so:

    $ telnet host 25
    MAIL FROM: a@a.com
    250 Sender OK
    RCPT TO: afranks
    550 Recipient not found
    RCPT TO: arty.franks
    250 Recipient OK

...

With this list of usernames I logged into the FTP to try to guess trivial
passwords:

    $ telnet host 21
    USER arty.franks
    User OK
    PASS 1234
    Login failed
    PASS password

...

Eventually I got a valid username/password combo.

Now I can just telnet <host> and log in. I got a line like this:

    Last login April 12, 1992.
    $

It had this ancient version of IRIX on it, a hard drive under 100 MB, no X, a
version of egcs, some ancient version of perl, no bash, and I think 12MB of
RAM?

It was fun, but I didn't know what I wanted to do with it. We executed this
attack from the school library. Putz'd around a bit, in amazement of how old
it was, and that it was still online, and then logged out - never to return.

[https://www.youtube.com/watch?v=9EEY87HAHzk](https://www.youtube.com/watch?v=9EEY87HAHzk)
- a video of the machine

~~~
mikeash
If you still had access today, it would be a perfect platform for Bitcoin
mining.

~~~
mhurron
Did you not see those specs? Or is it that for some strange quirk of something
my Iris is a great money making machine?

~~~
sp332
Well if you're not paying for it, it's still 100% profit :)

~~~
300bps
What's 100% of 0?

------
Tomdarkness
Quick and simple solution. If you are only using key-based logins, then just
disable password SSH logins; add:

    ChallengeResponseAuthentication no
    PasswordAuthentication no
    UsePAM no

to your sshd config, and then you don't need to worry as much about whether
one of your accounts has a password of 1234.
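A small audit script for the directives above, added here as an example and not taken from the thread or from OpenSSH: it reads an sshd_config with sshd's first-occurrence-wins semantics and reports whether password logins are really off, catching a later Match block that quietly re-enables them. The fallback defaults are an assumption (upstream OpenSSH values; distributions may ship different ones).

```python
"""Check whether an sshd_config really disables password logins.
Added example, not OpenSSH code. sshd keeps the FIRST value of each keyword,
keywords are case-insensitive, and lines after 'Match' apply conditionally."""
import re

# Assumption: upstream OpenSSH defaults, used when a directive is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

def parse_sshd_config(text):
    """Return (global_settings, match_overrides): first value per keyword
    before any Match block, and (criteria, keyword, value) seen after one."""
    globals_, overrides = {}, []
    match_ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd comments start the line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match_ctx = value
        elif match_ctx is None:
            globals_.setdefault(key, value.lower())  # first occurrence wins
        else:
            overrides.append((match_ctx, key, value.lower()))
    return globals_, overrides

def password_logins_disabled(text):
    """True only if every password path is off globally and no Match block
    turns one of them back on for some user or host."""
    g, overrides = parse_sshd_config(text)
    effective = {k: g.get(k, d) for k, d in DEFAULTS.items()}
    if any(v != "no" for v in effective.values()):
        return False
    return not any(k in DEFAULTS and v == "yes" for _, k, v in overrides)

# The three lines from the post above, then a constructed config that looks
# hardened but re-enables passwords for one user via a Match block.
HARDENED_CONFIG = "ChallengeResponseAuthentication no\nPasswordAuthentication no\nUsePAM no\n"
SAMPLE_CONFIG = HARDENED_CONFIG + (
    "PasswordAuthentication yes\n"  # ignored: first value already set
    "Match User deploy\n    PasswordAuthentication yes\n"
)
```

Run it against a real file with `password_logins_disabled(open("/etc/ssh/sshd_config").read())`; an empty config returns False because the defaults allow passwords.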

~~~
sp332
If _any_ of your accounts get compromised, a simple su to the account with a
weak password will give them everything. It's a big improvement, but the weak
password is still a vulnerability.

------
D9u
Why not disable password logins completely, use PKI for all connections, and
while we're at it, restrict logins to known hosts?

Also, don't use passwordless keys.

Then there's moving sshd off of port 22 to provide some obscurity.

Yada yada yada... How many times will we have to go over this subject?

~~~
dredmorbius
Is there any way server-side to determine if a key is passwordless or not?

~~~
dsl
Not from the public key.

~~~
dredmorbius
That's what I thought. It's always struck me as a limitation of the ssh auth
approach. While I can't insist on a _good_ password, I'd like to be able to
insist upon password-protected keys (at least as a default -- exceptions for
some system processes / activities).

------
gensym
That's amazing. I've got the same combination on my luggage!

~~~
vezzy-fnord
No, no. It was 1234 _5_. An extra bit of security.

~~~
foobarian
Pardon me, but 12345 is 3 extra bits.

~~~
GhotiFish
explain.

~~~
vezzy-fnord
He's right. Decimal 5 is binary 101, hence 3 bits.

I wasn't literally referring to data bits, though. But he has a point.

~~~
joe_inferno
yeah, that's not why, but good enough I guess.

------
morgante
Duh... honestly, what are you doing anywhere near Digital Ocean if you'd
_ever_ use 1234 as a password?

~~~
floorlamp
Being lazy.

~~~
tuananh
Why not use an authentication key if he's lazy!?

------
perlpimp
Use key-based authentication in sshd and do away with the password
authentication scheme. Well, you should put a password on your private key,
but that should cover just about every password-cracking case.

------
hobs
Also, fail2ban is a useful thing in this instance. But if your password is
1234... what's the deal with that?

~~~
gamegoblin
One of the first commands I type into a new VPS:

    sudo apt-get install fail2ban

I remember when I got my very first VPS, and within a couple of days I was
getting a really long bruteforce where the attacker tried every common name
"aaron, adam, alex, etc" and around 120 common passwords for each of them
(fortunately my text-based password on that VPS was 41 characters). I think
they tried a few thousand usernames total. That's when I realized the internet
is a scary place, and now I only use RSA keys.

~~~
foobarian
All our workstations at school had static, publicly routable IP addresses. I
never got hacked, thankfully, but I still found out about the pervasive ssh
bruteforcing fairly quickly. The brute-forcing bots apparently were rate
limited to once per second. Since each failed attempt gets logged to disk,
this resulted in a faint, periodic "grrrt" sound. It's hard to describe how
incredibly annoying this was while sitting next to the machine; certainly
annoying enough to figure out what was causing it :-)

------
purringmeow
You just reminded me I need to check my VPS, although I am not using a simple
password :(

EDIT: It seems that leaving your VPS unattended for a month is a bad idea. I
can't log in, because the server terminates the connection immediately and the
passwords for the host's backend have been changed. Great!

------
DigitalSea
How about a password like this? 1|2|3|4 or 1!2!3!4 — probably not nearly as
guessable and more secure. But yes, not using 1234 as your default password
for anything is sound advice that everyone should know.

~~~
dsl
I've added both to my list of passwords for pentests. Thanks.

------
krrishd
This title is perfect for the 4chan thread.

------
pantalaimon
The same happened to us when someone added a user 'test123' with the password
'test', just to… test something locally, totally forgetting that it would also
permit access via ssh.

------
geoffbp
sshdautoban is useful for preventing ssh brute-force attacks: a hosts.deny ban
for any IP address with 5 failed connections in less than 15 secs.
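The rule described above (5 failures in under 15 seconds, then a hosts.deny entry), as an added example that is not sshdautoban's own code, run over constructed auth.log lines with made-up addresses: a per-IP sliding window flags the fast guesser from gamegoblin's story while a user who mistypes twice a minute apart stays clear.

```python
"""Flag source IPs with >= 5 failed sshd logins inside a 15 s sliding window.
Added example over constructed log lines; not the sshdautoban project's code."""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def offenders(lines, threshold=5, window_secs=15):
    """Return {ip: (timestamp, count)} at the first moment `threshold`
    failures from that IP fall within `window_secs` of each other."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    hits = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins, other daemons, unrelated noise
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= threshold and m["ip"] not in hits:
            hits[m["ip"]] = (m["ts"], len(q))
    return hits

def hosts_deny_lines(hits):
    """Render the ban list in /etc/hosts.deny syntax."""
    return [f"sshd: {ip}" for ip in sorted(hits)]

# Constructed sample: one guesser at one attempt per second, one real user.
SAMPLE_LOG = [
    "Nov 12 03:14:10 vps sshd[2231]: Failed password for invalid user aaron from 203.0.113.7 port 51822 ssh2",
    "Nov 12 03:14:11 vps sshd[2233]: Failed password for invalid user adam from 203.0.113.7 port 51830 ssh2",
    "Nov 12 03:14:12 vps sshd[2235]: Failed password for alice from 198.51.100.20 port 40412 ssh2",
    "Nov 12 03:14:12 vps sshd[2236]: Failed password for invalid user alex from 203.0.113.7 port 51841 ssh2",
    "Nov 12 03:14:13 vps sshd[2238]: Failed password for root from 203.0.113.7 port 51850 ssh2",
    "Nov 12 03:14:14 vps sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 51861 ssh2",
    "Nov 12 03:14:15 vps sshd[2242]: Failed password for invalid user test from 203.0.113.7 port 51870 ssh2",
    "Nov 12 03:14:40 vps sshd[2250]: Failed password for alice from 198.51.100.20 port 40420 ssh2",
    "Nov 12 03:14:41 vps sshd[2250]: Accepted publickey for alice from 198.51.100.20 port 40420 ssh2",
]
```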

------
brownbat
Alright, I'll bite. Why did the attacker mine primecoin (rather than bitcoin,
or any of a dozen other cryptocurrencies)?

~~~
timpattinson
Because primecoin is easier to mine because of the difficulty rate

~~~
vbuterin
More precisely, Bitcoin mining is dominated by specialized hardware (ASICs),
so non-specialized computers have almost zero impact or revenue potential in
the Bitcoin network. Litecoin and Primecoin are less ASIC-friendly, so
ordinary computers stand a better chance at actually finding a block because
they don't have the massively overpowered competition.

~~~
brownbat
I guess the better question is why not Litecoin.

Or if you're going for something really obscure, why not Junkcoin?

I guess PrimeCoin is in 6th in capitalization... maybe it's in that sweet spot
of not overly competitive but still capable of retaining some value:
[http://coinmarketcap.com/](http://coinmarketcap.com/)

------
rasengan
You are very lucky that the hacker didn't take precautionary steps to edit
scripts/hide their activities.

------
rakoo
>Why I stopped [perfectly fine activity]... and why you should too

------
GnwbZHiU
I usually use 'password' or 'pa55w0rd' :)

