Educause Security Discussion mailing list archives

Re: Please do not change your password


From: Steve Werby <smwerby () VCU EDU>
Date: Fri, 16 Apr 2010 13:30:31 -0400

I've done what Jeff described and with enough users it's not hard to
guess passwords that are used by multiple people.  And if they're a
somewhat homogeneous group, it's even easier.  For university students,
take variations of the school name/nickname/mascot, school city name,
cities where many students are from and most popular local/regional pro
sports teams and I bet you'll guess the passwords for some users.  Then
move on to popular passwords, like the top passwords disclosed in the
RockYou compromise of 32 million accounts.  Depending on your password
policy, you may have to do some number/symbol injections or
substitutions, but there are tools that can do that for you.  I analyzed
the RockYou password file.  You'd just need to enumerate 2,000 strings
to acquire the passwords for 4.7 million of the 32 million users.  I
posted some highlights from the top 2,000 here if you're interested.
http://justifiableparanoia.com/blog/2010/02/22/we-will-we-will-rockyou-a-list-of-firsts/

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf

On 4/16/2010 12:45 PM, Matthew Gracie wrote:
> Koerber, Jeff wrote:
>
>> I agree.  If I can get a list of usernames and know the name of the
>> organization and the password strength policy, I could come up with a
>> few likely passwords and try them against every account.  Chances are
>> that I will come across at least one account with that password.  The
>> accounts will never get locked out.
>
> Here's a fun auditing exercise - assuming that your organization uses
> some sort of standard schema for generating initial passwords, write a
> wordlist and a rule for John the Ripper or something similar that tests
> that specific schema. Prepare to be amazed as you realize what a tiny
> fraction of users ever change their passwords. Ever.
>
> --Matt
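Jeff's point above is that a per-account lockout never fires when one guess is tried once against every account. The following is an added example, not code from anyone in this thread, showing the detection logic that catches that pattern from the source side: it parses constructed sshd-style log lines, flags a source that fails against many distinct accounts while staying under the lockout threshold on each, and contrasts that with the per-account lockout, which only catches the single-account brute force. The log lines, addresses (RFC 5737 documentation ranges), account names, window and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log (sample data, not from the thread).
# 203.0.113.5 tries one guess against many accounts (spraying);
# 203.0.113.9 hammers a single account, the pattern lockout is built for.
SAMPLE_LOG = """\
Apr 16 12:45:01 gw sshd[2001]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Apr 16 12:45:02 gw sshd[2002]: Failed password for bob from 203.0.113.5 port 51235 ssh2
Apr 16 12:45:03 gw sshd[2003]: Failed password for carol from 203.0.113.5 port 51236 ssh2
Apr 16 12:45:04 gw sshd[2004]: Accepted password for dave from 203.0.113.5 port 51237 ssh2
Apr 16 12:45:05 gw sshd[2005]: Failed password for erin from 203.0.113.5 port 51238 ssh2
Apr 16 12:45:06 gw sshd[2006]: Failed password for frank from 203.0.113.5 port 51239 ssh2
Apr 16 12:45:07 gw sshd[2007]: Failed password for invalid user guest from 203.0.113.5 port 51240 ssh2
Apr 16 12:50:00 gw sshd[2010]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Apr 16 12:50:01 gw sshd[2011]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Apr 16 12:50:02 gw sshd[2012]: Failed password for alice from 203.0.113.9 port 40002 ssh2
Apr 16 12:50:03 gw sshd[2013]: Failed password for alice from 203.0.113.9 port 40003 ssh2
Apr 16 12:50:04 gw sshd[2014]: Failed password for alice from 203.0.113.9 port 40004 ssh2
Apr 16 13:30:00 gw sshd[2020]: Failed password for bob from 198.51.100.7 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(log_text, year=2010):
    """Return (time, source, user, failed) tuples. Syslog lines carry no
    year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(4), m.group(3), m.group(2) == "Failed"))
    return events


def detect_spraying(events, window=timedelta(minutes=10),
                    min_accounts=5, lockout_threshold=5):
    """Flag a source that fails against many distinct accounts inside one
    window while staying below the per-account lockout threshold on each."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)
    alerts = []
    for source, evs in by_source.items():
        evs.sort()
        for start, _, _, _ in evs:
            in_window = [e for e in evs if start <= e[0] < start + window]
            failures = defaultdict(int)
            successes = set()
            for _, _, user, failed in in_window:
                if failed:
                    failures[user] += 1
                else:
                    successes.add(user)  # the guess that worked
            if (len(failures) >= min_accounts
                    and max(failures.values()) < lockout_threshold):
                alerts.append({"source": source, "window_start": start,
                               "accounts": sorted(failures),
                               "successes": sorted(successes)})
                break  # one alert per source is enough here
    return alerts


def accounts_that_would_lock(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts a per-account lockout would have locked in some window.
    On the sample it catches the brute-forced account only; nothing the
    spraying source did trips it."""
    times = defaultdict(list)
    for ts, _, user, failed in events:
        if failed:
            times[user].append(ts)
    locked = set()
    for user, ts_list in times.items():
        ts_list.sort()
        for start in ts_list:
            if sum(1 for t in ts_list if start <= t < start + window) >= threshold:
                locked.add(user)
                break
    return locked


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect_spraying(evs):
        print("spraying from", alert["source"], "against", alert["accounts"],
              "succeeded on", alert["successes"])
    print("per-account lockout would catch:", sorted(accounts_that_would_lock(evs)))
```

The two functions make the thread's point concrete: the per-account counter locks `alice`, who was hit by the single-account brute force, and says nothing about the spraying source, which is only visible when failures are grouped by source and counted as distinct accounts rather than attempts per account.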

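Steve's observation that a couple of thousand strings cover millions of RockYou accounts, and that the number/symbol injections a policy forces are trivially undone by tooling, points at the mitigation: a deny-list check at password-set time that strips those decorations before comparing. The block below is an added example, not code from the list or from the linked post. The organisation terms and the short common-password set are constructed placeholders standing in for a real top-N list, and the substitution table is an assumption about which decorations users typically apply.

```python
import re

# Constructed placeholders (not real lists): an organisation's own terms
# (school name, nickname, mascot, city, local teams) and a short stand-in
# for the top entries of a breach-derived common-password list.
ORG_TERMS = ("rams", "richmond", "virginia", "redskins")
COMMON_PASSWORDS = {"password", "123456", "iloveyou", "princess", "rockyou",
                    "abc123", "nicole", "qwerty", "monkey", "welcome"}

# Assumed table of the letter-for-digit/symbol substitutions a complexity
# policy pushes users into ('P@ssw0rd', 'R4ms!').
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "+": "t"})


def _strip_affixes(s):
    """Drop leading/trailing digits and symbols ('rams2010!' -> 'rams')."""
    return re.sub(r"[^a-z]+$", "", re.sub(r"^[^a-z]+", "", s))


def normalize(candidate):
    """Return the plausible base words behind a candidate password.

    Both orderings are needed: 'Rams2010!' only reduces to 'rams' if the
    suffix is stripped before substitutions are undone, while 'Pr1nce$$'
    only reduces to 'princess' if substitutions are undone first. The raw
    lowercase form is kept so all-digit entries like '123456' still match.
    """
    low = candidate.lower()
    return {
        low,
        _strip_affixes(low.translate(LEET)),
        _strip_affixes(low).translate(LEET),
    }


def check_password(candidate):
    """Return (accepted, reason) for a proposed password. Anything that
    reduces to a common password or contains an organisation term once
    the decorations are removed is rejected."""
    for base in sorted(normalize(candidate)):
        if base in COMMON_PASSWORDS:
            return False, f"reduces to common password '{base}'"
        for term in ORG_TERMS:
            if term in base:
                return False, f"contains organisation term '{term}'"
    return True, None


if __name__ == "__main__":
    for pw in ("Rams2010!", "P@ssw0rd1", "Pr1nce$$", "123456",
               "correct horse battery staple"):
        print(f"{pw!r:32} -> {check_password(pw)}")
```

The check is deliberately run on the base words rather than the literal string: a policy that only compares the exact submitted password to a list is exactly what "Rams2010!" and "P@ssw0rd1" are built to slip past, and the thread's point is that the guesser already knows how to undo those decorations.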