Educause Security Discussion mailing list archives
Re: Stats re: passwords
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Fri, 16 Oct 2009 12:22:19 -0500
Matthew Gracie wrote:
> Matthew Wollenweber wrote:
>> Generally speaking, most brute force programs, dictionaries, and cracking software are well suited to the rules Randy cited: "a) 8-16 characters b) upper/lower case c) at least 1 numeric d) at least 1 special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are very common examples of how most people tend to cluster "complex" rules into easily guessable permutations. I tend to use truly random passwords from a generator or those similar in style to what Don mentioned.
>> -Matt
>
> Occasional brute force audits aren't a bad thing. If you're using LDAP central auth, just take a dump from it and run John against it for a weekend. You'll be amazed how many cracks you get, even with the default dictionaries. I do this every month or so and send out "you've got a weak password!" emails to everyone that gets cracked. And I'm so proud when they call me to confirm that I really sent the message. :)
> --Matt
<chuckling to self> you're doin' it right, Matt!

--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
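The point made in the quoted messages, that passwords satisfying rules (a)-(d) can still reduce to a dictionary word, shown as an added example that is not part of the original thread: a check a password-change form could run before accepting a new password. The word list, substitution map and function names are assumptions made for illustration.

```python
import re

# Constructed sample list; a real check would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon"}

# Usual symbol-for-letter swaps, undone before the dictionary lookup.
# One letter per symbol is a simplification ("1" can also stand for "i").
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "l", "!": "i", "3": "e", "7": "t"})


def meets_composition_rules(pw):
    """Rules (a)-(d) quoted in the thread: 8-16 chars, upper, lower, digit, special."""
    return (8 <= len(pw) <= 16
            and all(re.search(p, pw) for p in
                    (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")))


def base_word_candidates(pw):
    """Yield de-leeted forms with 0..n leading/trailing non-letters trimmed."""
    lead, core, trail = re.fullmatch(
        r"([^a-z]*)(.*?)([^a-z]*)", pw.lower(), re.S).groups()
    for i in range(len(lead) + 1):
        for j in range(len(trail) + 1):
            yield (lead[i:] + core + trail[:j]).translate(LEET)


def audit(pw):
    """Return (passes_rules, dictionary word it reduces to, or None)."""
    hit = next((c for c in base_word_candidates(pw) if c in COMMON_WORDS), None)
    return meets_composition_rules(pw), hit


if __name__ == "__main__":
    # The three examples from the thread plus one constructed random string.
    for pw in ("Pa$$w0rd", "Passw0rd!", "P@ssword1", "kT9#vLq2xWz!"):
        print(pw, audit(pw))
```

A password that returns `True` together with a word is one that passes the composition rules and should still be rejected.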