Re: Stats re: passwords

[Matthew Gracie <graciem () CANISIUS EDU>]

Matthew Wollenweber wrote:
> Generally speaking, most brute force programs, dictionaries, and
> cracking software are well suited to the rules Randy cited: "a) 8-16
> characters b) upper/lower case c)at least 1 numeric d) at least 1
> special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are
> very common examples of how most people tend to cluster "complex"
> rules into easily guessable permutations. I tend use truly random
> passwords from a generator or those similar in style to what Don
> mentioned.
>
> -Matt

Occasional brute force audits aren't a bad thing. If you're using LDAP
central auth, just take a dump from it and run John against it for a
weekend. You'll be amazed how many cracks you get, even with the default
dictionaries.

I do this every month or so and sent out "you've got a weak password!"
emails to everyone that gets cracked. And I'm so proud when they call me
to confirm that I really sent the message. :)

--Matt

> On Fri, Oct 16, 2009 at 12:48 PM, Chris Kidd <chris.kidd () utah edu> wrote:
> > It depends upon the purpose of the password rules. Are the rules to prevent others from guessing a password? If 
> > that's the case, either approach seems reasonable. However, password requirements should be part of an overall 
> > strategy that includes monitoring, lockouts, etc.
> >
> > Chris
> >
> > Chris Kidd
> > 650 Komas Drive, Suite 102
> > Salt Lake City, UT 84108
> > Office: 801.587.9241
> > Cell: 801.747.9028
> > chris.kidd () utah edu
> >
> > http://www.secureit.utah.edu
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Don 
> > M. Blumenthal
> > Sent: Friday, October 16, 2009 10:43 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Stats re: passwords
> >
> > One person that I know in the security community doesn't believe in password
> > rules like these because they are a pain to type and could be forgotten, if
> > nothing else wrt whether a letter is capitalized or not. Where the system
> > allows long pws, he advocates long, easy to remember sentences, such as
> > IhatestrongpasswordrulesmorethanIhateBrusselssprouts."
> >
> > Don
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
> > Sent: Friday, October 16, 2009 12:14 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Stats re: passwords
> >
> > After reading Alison's note to the list about password rules, I'm sure
> > that for most of us, the following password would be valid under
> > standard password rules of a) 8-16 characters b) upper/lower case c)
> > at least 1 numeric d) at least 1 special character.
> >
> > AaBbCcDd1234)(*&
> >
> > <sigh>
> >
> > Randy Marchany
> > VA Tech IT Security Office


--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg