Educause Security Discussion mailing list archives

Re: Please do not change your password


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 15 Apr 2010 20:43:52 -0500

Heck, Alec Muffett's cracklib was on to that strategy in the mid-90s...

I used to run cracklib, with a modest set of English-language dictionaries, linked into passwd as an admission-quality 
check. People would complain that it wouldn't accept their password candidates, and I could never have predicted 
why it would reject their passwords, but they were being failed on input, so there's no reason they wouldn't also have 
failed a test against a hash, or a brute force, and so... people had to pick something different.

From several conversations I've had of late, though, the state of this particular art seems to have submerged below 
the general consciousness, so it's probably worth mentioning again. 

    -jml

-----Original Message-----
From: Alex Keller
Sent: 2010-04-15 17:51:08
To: Alex Keller;SECURITY () LISTSERV EDUCAUSE EDU
Cc: 
Subject: Re: [SECURITY] Please do not change your password


re: Now apply the rules which were discussed and you come up with
something like:

 Ny_G1@nts


I used to recommend this same technique until I discovered that many of
the more modern hybrid dictionary/brute force password guessing tools
can be easily configured to check for common obfuscation substitutions:
@ for a, 1 for i, 3 for e, $ for s, etc.


best,
alex

-- 
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu

On 4/15/2010 10:46 AM, Don Cochran wrote:

In our course we teach the learner to choose an easy-to-remember but
hard-to-guess password and suggest that a password such as your
favorite football team would be a good choice.

We then teach them how to apply a couple of easy-to-follow rules... after
discussing and showing them an example.

Ex: New York Giants... pretty easy to remember, huh?

Now apply the rules which were discussed and you come up with something
like:

Ny_G1@nts

At least 8 characters long, and a mix of cap and non-cap letters,
numbers and special characters.

 

Don Cochran
Director, Business Development
SCIPP International
1964 Gallows Road, Suite 320
Vienna, Virginia 22182
United States of America
+1 703.637.4422 (Direct)
+1 703.599.0666 (Cell)
+1 703.637.4371 (Fax)
www.SCIPPinternational.org

SCIPP International, "The Security Awareness Certification Company"
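The two technical points in this thread, that hybrid dictionary crackers undo "@ for a, 1 for i" style substitutions as a matter of course, and that the place to apply the same dictionary test is at admission time (cracklib-style) rather than against stored hashes, can be shown together in one small check. The following is an added example written for this page; it is not code from cracklib, from the posters, or from any tool mentioned above. The UNLEET table and the WORD_LIST are constructed for illustration (a real check would load large word lists and, ideally, known-breached passwords), and the function names are this example's own.

```python
"""Dictionary-aware password admission check that undoes common
'leetspeak' substitutions before matching.

Added example for this thread; not code from cracklib or from any tool
or person mentioned above. UNLEET and WORD_LIST are constructed for
illustration: a real check loads large word lists (cracklib-style) and,
ideally, lists of known-breached passwords.
"""
import itertools
import string
from typing import Iterator, List, Optional, Tuple

# Substitutions a hybrid cracker tries in reverse. Each symbol maps to the
# letters it commonly stands for, plus "" (treat it as padding and drop it).
UNLEET = {
    "@": ("a", ""), "4": ("a", ""), "3": ("e", ""), "1": ("i", "l", ""),
    "!": ("i", "l", ""), "0": ("o", ""), "$": ("s", ""), "5": ("s", ""),
    "7": ("t", ""), "+": ("t", ""), "8": ("b", ""), "|": ("i", "l", ""),
    "9": ("g", ""), "2": ("z", ""), "6": ("b", ""),
}

# Constructed toy dictionary; cracklib ships lists hundreds of thousands long.
WORD_LIST = {
    "new", "york", "giants", "newyork", "ny", "football", "password",
    "secret", "admin", "welcome", "dragon", "monkey", "letmein",
    "summer", "winter", "state", "university",
}

# Upper bound on de-obfuscated readings per candidate, so the check stays cheap.
MAX_READINGS = 256


def passes_complexity_policy(pw: str) -> bool:
    """The rule set from the thread: 8+ chars, upper, lower, digit, symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def deobfuscate(pw: str) -> Iterator[str]:
    """Yield the plain-letter readings of pw: case folded, leet symbols
    mapped back to letters, any other punctuation treated as a separator."""
    slots = []
    for ch in pw.lower():
        if ch in UNLEET:
            slots.append(UNLEET[ch])
        elif ch in string.ascii_lowercase:
            slots.append((ch,))
        # anything else (_, -, space, unmapped punctuation) is dropped
    seen = set()
    for combo in itertools.islice(itertools.product(*slots), MAX_READINGS):
        reading = "".join(combo)
        if reading and reading not in seen:
            seen.add(reading)
            yield reading


def segment_into_words(text: str, min_len: int = 2) -> Optional[List[str]]:
    """Split text into dictionary words (dynamic programming over prefixes);
    None if no complete split exists. 'nygiants' -> ['ny', 'giants']."""
    best: List[Optional[List[str]]] = [None] * (len(text) + 1)
    best[0] = []
    for i in range(len(text)):
        if best[i] is None:
            continue
        for j in range(i + min_len, len(text) + 1):
            if best[j] is None and text[i:j] in WORD_LIST:
                best[j] = best[i] + [text[i:j]]
    return best[len(text)]


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Refuses on input anything a dictionary or
    hybrid attack would recover cheaply, which is the point of running the
    check at admission time rather than against stored hashes later."""
    if not passes_complexity_policy(pw):
        return False, "fails length/character-class policy"
    for reading in deobfuscate(pw):
        words = segment_into_words(reading)
        if words:
            return False, "de-obfuscates to dictionary words: " + " + ".join(words)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Ny_G1@nts", "F00tb@ll2010", "P@ssw0rd!", "Tq9!vRm2$kLp"):
        print(candidate, check_password(candidate))
```

Run as written, Ny_G1@nts satisfies the 8-character/four-class rule quoted in the thread yet is rejected, because one of its readings is "nygiants", which splits into "ny" + "giants"; the same happens to F00tb@ll2010 and P@ssw0rd!, while a random string such as Tq9!vRm2$kLp passes. The reading bound (MAX_READINGS) is what keeps the check cheap enough to sit in the password-change path; a cracker with a GPU budget is not bound that way, so the dictionary this runs against should be at least as generous as the one an attacker would use.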