Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Fri, 16 Apr 2010 12:45:03 -0400
Koerber, Jeff wrote:
> I agree. If I can get a list of usernames and know the name of the organization and the password strength policy, I could come up with a few likely passwords and try them against every account. Chances are that I will come across at least one account with that password. The accounts will never get locked out.
Here's a fun auditing exercise - assuming that your organization uses some sort of standard schema for generating initial passwords, write a wordlist and a rule for John the Ripper or something similar that tests that specific schema. Prepare to be amazed as you realize what a tiny fraction of users ever change their passwords. Ever.

--Matt

--
Matt Gracie (716) 888-8378
Information Security Administrator
graciem () canisius edu
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
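The pattern Jeff describes above (a few likely passwords tried once against every account) never trips a per-account lockout, so it has to be detected across accounts instead. As an added example that is not part of the thread, here is a small Python detector over constructed failed-login lines: it flags a source address that fails against many distinct accounts inside one window while staying under the lockout threshold on each of them. The log format, window, and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread), simplified sshd-style lines:
# 203.0.113.7 touches six accounts once each; 198.51.100.4 is one user
# mistyping their own password; 192.0.2.9 is a single stray failure.
SAMPLE_LOG = """\
2010-04-16T12:00:01 auth failed user=asmith src=203.0.113.7
2010-04-16T12:00:09 auth failed user=bjones src=203.0.113.7
2010-04-16T12:00:15 auth failed user=cdoe src=198.51.100.4
2010-04-16T12:00:20 auth failed user=cdoe src=198.51.100.4
2010-04-16T12:00:44 auth failed user=cdoe src=198.51.100.4
2010-04-16T12:01:02 auth failed user=dlee src=203.0.113.7
2010-04-16T12:01:40 auth failed user=ekim src=203.0.113.7
2010-04-16T12:02:11 auth failed user=fwong src=203.0.113.7
2010-04-16T12:03:05 auth failed user=gpatel src=203.0.113.7
2010-04-16T12:04:00 auth failed user=hdiaz src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) auth failed user=(\S+) src=(\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, src) for each failed-login line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def spray_sources(events, window=timedelta(minutes=30), min_users=5,
                  lockout_threshold=5):
    """Return {src: (distinct_users, worst_failures_per_user)} for sources that
    hit >= min_users accounts in one window, all below the lockout threshold."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):       # sliding window from each event
            per_user = defaultdict(int)
            for ts, user in evs[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            worst = max(per_user.values())
            if len(per_user) >= min_users and worst < lockout_threshold:
                flagged[src] = (len(per_user), worst)
                break
    return flagged
```

A source that hammers one account (198.51.100.4) is left to lockout; only the horizontal pattern is reported.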