Educause Security Discussion mailing list archives
Re: Please do not change your password
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 15 Apr 2010 20:43:52 -0500
Heck, Alec Muffett's cracklib was on to that strategy in the mid-90s... I used to run cracklib with a modest set of English language dictionaries linked into passwd as an admission quality check, would have people complain that it wouldn't accept their password candidates, and I could never have predicted why it'd reject their passwords, but they were being failed on input, so there's no reason it wouldn't have failed as a test against a hash, or a brute-force, and so... people had to pick something different.
From several conversations I've had of late, though, the state of this particular art seems to have submerged below the general consciousness, so it's probably worth mentioning again.
-jml

-----Original Message-----
From: Alex Keller
Sent: 2010-04-15 17:51:08
To: Alex Keller; SECURITY () LISTSERV EDUCAUSE EDU
Cc:
Subject: Re: [SECURITY] Please do not change your password

re: Now apply the rules which were discussed and you come up with something like: Ny_G1@nts

I used to recommend this same technique until I discovered that many of the more modern hybrid dictionary/brute force password guessing tools can be easily configured to check for common obfuscation substitutions: @ for a, 1 for i, 3 for e, $ for s, etc.

best, alex

--
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153
Phone: (415)338-6117
Email: alkeller () sfsu edu

On 4/15/2010 10:46 AM, Don Cochran wrote:

In our course we teach the learner to choose an easy to remember, but hard to guess password and suggest that a password such as your favorite football team would be a good choice. We then teach them how to apply a couple easy to follow rules... after discussing and showing them an example.

Ex: New York Giants... pretty easy to remember, huh? Now apply the rules which were discussed and you come up with something like: Ny_G1@nts

At least 8 characters long, and a mix of cap and non-cap letters, numbers and special characters.

Don Cochran
Director, Business Development
SCIPP International
1964 Gallows Road, Suite 320
Vienna, Virginia 22182
United States of America
+1 703.637.4422 (Direct)
+1 703.599-0666 (Cell)
+1 703.637-4371 (Fax)
www.SCIPPinternational.org
SCIPP International
"The Security Awareness Certification Company"
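Alex's observation that hybrid guessing tools reverse the usual @/1/3/$ substitutions can be turned around into the kind of cracklib-style admission check John describes: undo the substitutions on the candidate and look for dictionary words in the result. This is an added illustration, not code from the list, from cracklib or from any of the posters; the substitution map and the tiny wordlist are constructed stand-ins for cracklib's English dictionaries.

```python
import itertools

# Common obfuscation substitutions (the ones Alex lists plus a few more).
# Some characters plausibly stand for more than one letter, e.g. "1" for i or l,
# so every combination is expanded. Assumed map, not cracklib's own rules.
LEET_MAP = {
    "@": "a", "4": "a", "3": "e", "1": "il", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t", "|": "l",
}

# Constructed sample wordlist standing in for a real English dictionary.
SAMPLE_WORDLIST = {"giants", "york", "new", "password", "letmein", "football"}


def deleet_variants(candidate, limit=256):
    """Yield plausible plaintext readings of an obfuscated password.
    Characters with no mapping that are not letters/digits (e.g. '_') are dropped,
    which is what a cracking rule that strips separators would do."""
    choices = []
    for ch in candidate.lower():
        if ch in LEET_MAP:
            choices.append(LEET_MAP[ch])
        elif ch.isalnum():
            choices.append(ch)
    # Cap the expansion so a long candidate cannot blow up combinatorially.
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            break
        yield "".join(combo)


def dictionary_hits(candidate, wordlist=SAMPLE_WORDLIST, min_len=4):
    """Return the dictionary words (of at least min_len) found inside any reading."""
    hits = set()
    for variant in deleet_variants(candidate):
        for word in wordlist:
            if len(word) >= min_len and word in variant:
                hits.add(word)
    return sorted(hits)


def admission_check(candidate, wordlist=SAMPLE_WORDLIST):
    """cracklib-style admission check: returns (accepted, reason)."""
    if len(candidate) < 8:
        return (False, "shorter than 8 characters")
    hits = dictionary_hits(candidate, wordlist)
    if hits:
        return (False, "based on dictionary word(s): " + ", ".join(hits))
    return (True, "ok")
```

Run against the thread's own example, "Ny_G1@nts" is rejected because it reduces to "nygiants", while a candidate that does not reduce to a listed word passes.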