Re: Stats re: passwords

[Ken Connelly <Ken.Connelly () UNI EDU>]

Matthew Gracie wrote:
> Matthew Wollenweber wrote:
>
> > Generally speaking, most brute force programs, dictionaries, and
> > cracking software are well suited to the rules Randy cited: "a) 8-16
> > characters b) upper/lower case c)at least 1 numeric d) at least 1
> > special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are
> > very common examples of how most people tend to cluster "complex"
> > rules into easily guessable permutations. I tend use truly random
> > passwords from a generator or those similar in style to what Don
> > mentioned.
> >
> > -Matt
>
> Occasional brute force audits aren't a bad thing. If you're using LDAP
> central auth, just take a dump from it and run John against it for a
> weekend. You'll be amazed how many cracks you get, even with the default
> dictionaries.
>
> I do this every month or so and sent out "you've got a weak password!"
> emails to everyone that gets cracked. And I'm so proud when they call me
> to confirm that I really sent the message. :)
>
> --Matt
<chuckling to self>   you're doin' it right, Matt!

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373