Educause Security Discussion mailing list archives
Re: Please do not change your password
From: Steve Werby <smwerby () VCU EDU>
Date: Fri, 16 Apr 2010 13:30:31 -0400
I've done what Jeff described, and with enough users it's not hard to guess passwords that are used by multiple people. And if they're a somewhat homogeneous group, it's even easier. For university students, take variations of the school name/nickname/mascot, school city name, cities where many students are from and most popular local/regional pro sports teams, and I bet you'll guess the passwords for some users. Then move on to popular passwords, like the top passwords disclosed in the RockYou compromise of 32 million accounts. Depending on your password policy, you may have to do some number/symbol injections or substitutions, but there are tools that can do that for you.

I analyzed the RockYou password file. You'd just need to enumerate 2,000 strings to acquire the passwords for 4.7 million of the 32 million users. I posted some highlights from the top 2,000 here if you're interested:

http://justifiableparanoia.com/blog/2010/02/22/we-will-we-will-rockyou-a-list-of-firsts/

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf

On 4/16/2010 12:45 PM, Matthew Gracie wrote:
> Koerber, Jeff wrote:
>> I agree. If I can get a list of usernames and know the name of the organization and the password strength policy, I could come up with a few likely passwords and try them against every account. Chances are that I will come across at least one account with that password. The accounts will never get locked out.
>
> Here's a fun auditing exercise - assuming that your organization uses some sort of standard schema for generating initial passwords, write a wordlist and a rule for John the Ripper or something similar that tests that specific schema. Prepare to be amazed as you realize what a tiny fraction of users ever change their passwords. Ever.
>
> --Matt
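[Editor's added example, not part of the thread above and not code from VCU or any poster.] The three messages describe one technique from two sides: Jeff and Steve's attacker view (a short list of organisation-flavoured guesses, mangled to satisfy the password policy, tried once against every account so no account trips lockout) and Matt's audit view (run that same list, plus the initial-password schema, against your own credential store and see who is still on a guessable password). The script below does both against a constructed store. The seed words, the top-password stub, the salted-SHA-256 store, the account names and the initial-password schema are all assumptions made for the demo; the mangling rules stand in for what a John the Ripper rule file would do to a wordlist.

```python
"""Added example: organisation-flavoured candidate generation, password
spraying under a lockout budget, and an initial-password audit.  Everything
below (seeds, schema, accounts, hash format) is constructed for the demo."""
import hashlib
import hmac
from collections import Counter

# Constructed seed words of the kind Steve lists (school nickname, mascot,
# city, state).  Hypothetical, chosen for the demo only.
SEEDS = ["vcu", "rams", "richmond", "virginia"]
# Constructed stand-in for the head of a leaked top-passwords list.
TOP_PASSWORDS = ["123456", "password", "iloveyou", "princess", "rockyou"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet(word):
    return "".join(LEET.get(c, c) for c in word)


def mangle(word, years=("2009", "2010")):
    """Variants of one seed: case changes, leet substitution, then the
    digit/symbol/year suffixes a complexity policy tends to force.  This is
    what a John the Ripper rule set does to a wordlist, done by hand."""
    bases = {word.lower(), word.capitalize(), word.upper(),
             leet(word.lower()), leet(word.capitalize())}
    suffixes = ["", "1", "123", "!", "1!", *years]
    return [b + s for b in sorted(bases) for s in suffixes]


def build_wordlist(seeds, top_passwords, years=("2009", "2010")):
    """Candidates in the order they will be sprayed: organisation-specific
    guesses first, generic top passwords after.  Order matters because an
    online attack only gets a few attempts per account before lockout."""
    cands = [c for w in seeds for c in mangle(w, years)] + list(top_passwords)
    return list(dict.fromkeys(cands))  # dedupe, keep order


def initial_password(first, last, idnum):
    """HYPOTHETICAL initial-password schema (an assumption, not any real
    school's): first initial + last name, lowercased, + last 4 ID digits."""
    return (first[0] + last).lower() + idnum[-4:]


def make_store(accounts):
    """Constructed credential store: {user: (salt, sha256(salt || pw))}.
    The salt is derived from the username so the demo is reproducible; a
    real store would use random salts and a slow password hash."""
    store = {}
    for user, pw in accounts.items():
        salt = hashlib.sha256(user.encode()).digest()[:8]
        store[user] = (salt, hashlib.sha256(salt + pw.encode()).hexdigest())
    return store


def check(store, user, guess):
    salt, digest = store[user]
    cand = hashlib.sha256(salt + guess.encode()).hexdigest()
    return hmac.compare_digest(cand, digest)


def spray(store, candidates, max_attempts=None, verify=check):
    """Password spraying: one candidate against every account before moving
    to the next candidate, never more than max_attempts per account.  With
    max_attempts below the lockout threshold no account is ever locked; with
    None this is the offline audit of the whole list.  Returns (cracked,
    attempts-per-account)."""
    cracked, attempts = {}, Counter()
    for cand in candidates:
        for user in store:
            if user in cracked:
                continue
            if max_attempts is not None and attempts[user] >= max_attempts:
                continue
            attempts[user] += 1
            if verify(store, user, cand):
                cracked[user] = cand
    return cracked, attempts


def still_on_initial_password(store, roster, verify=check):
    """Matt's audit: users who never changed the password they were issued.
    Roster rows are (first, last, idnum); username is first initial + last."""
    holdouts = []
    for first, last, idnum in roster:
        user = (first[0] + last).lower()
        if user in store and verify(store, user, initial_password(first, last, idnum)):
            holdouts.append(user)
    return holdouts


# Constructed accounts: plausible weak choices, one strong one, one unchanged.
ACCOUNTS = {
    "jsmith": "VCU1", "mjones": "Rams2010", "akumar": "Richmond1!",
    "bchen": "password", "dlopez": "correct horse battery staple",
    "ewhite": initial_password("Emma", "White", "20051234"),
}
ROSTER = [("Emma", "White", "20051234"), ("John", "Smith", "20048812")]
STORE = make_store(ACCOUNTS)

if __name__ == "__main__":
    wl = build_wordlist(SEEDS, TOP_PASSWORDS)
    print(f"{len(wl)} candidates; offline audit cracks:", spray(STORE, wl)[0])
    print("under a 5-attempt lockout:", spray(STORE, wl, max_attempts=5)[0])
    print("never changed initial password:", still_on_initial_password(STORE, ROSTER))
```

The offline run recovers every account whose password is in the list; the run with `max_attempts=5` shows the attacker's constraint that Jeff alludes to: only the guesses at the head of the list ever get tried against any one account, so the ordering of the wordlist is where the real work is. For a real audit, replace `make_store`/`check` with the store's actual hash format (or feed the same wordlist and rules to John the Ripper against an exported hash file) and keep `max_attempts=None`.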
Current thread:
- Re: Please do not change your password, (continued)
- Re: Please do not change your password Eric Case (Apr 15)
- Re: Please do not change your password John Ladwig (Apr 15)
- Re: Please do not change your password Geoff Nathan (Apr 16)
- Re: Please do not change your password Allison Dolan (Apr 16)
- Re: Please do not change your password Tonkin, Derek K (Apr 16)
- Re: Please do not change your password Valdis Kletnieks (Apr 16)
- Re: Please do not change your password Tonkin, Derek K (Apr 16)
- Re: Please do not change your password Koerber, Jeff (Apr 16)
- Re: Please do not change your password Eric Case (Apr 16)
- Re: Please do not change your password Matthew Gracie (Apr 16)
- Re: Please do not change your password Steve Werby (Apr 16)
- Re: Please do not change your password Kevin Kelly (Apr 16)
- Re: Please do not change your password Russell Fulton (Apr 17)