Educause Security Discussion mailing list archives

Re: Stats re: passwords


From: Patrick P Murphy <pmurphy () NRAO EDU>
Date: Fri, 16 Oct 2009 13:31:01 -0400

On Fri, 16 Oct 2009 13:09:55 -0400, Matthew Gracie
   <graciem () CANISIUS EDU> said:

> Occasional brute force audits aren't a bad thing. If you're using LDAP
> central auth, just take a dump from it and run John against it for a
> weekend. You'll be amazed how many cracks you get, even with the
> default dictionaries.
>
> I do this every month or so and send out "you've got a weak password!"

We do the same sort of thing though more frequently (approximately
bi-weekly).  We think on balance that it's a more effective alternative
than requiring routine (yearly, 6-monthly) password changes.

I also try to remind our users to think of it as a pass phrase, not a
word.

 - Pat

--
 Patrick P. Murphy, Ph.D.   Webmaster (East), Computing Security Manager
 http://www.nrao.edu/~pmurphy/          http://chien-noir.com/maze.shtml
 "Inventions then cannot, in nature, be a subject of property."
                                    -- Thomas Jefferson, August 13, 1813
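As an added illustration of the audit both posters describe (this is example code written for this archive page, not a script from either NRAO or Canisius), the block below takes an ldapsearch-style LDIF dump, pulls out each uid and its userPassword, and checks the RFC 2307 {SSHA}/{SHA}/{SMD5}/{MD5} hashes against a small wordlist. The directory entries, salts, passwords and wordlist are all constructed inline so it runs offline; the ou=people,dc=example,dc=edu DN, the account names and the helper names (make_ssha, parse_ldif, audit, to_john) are assumptions for the example. It also writes the `uid:hash` lines a John run would consume; the format name John expects for {SSHA} values varies by build, so check `john --list=formats` rather than trusting the comment.

```python
"""Dictionary audit of an LDAP userPassword dump (RFC 2307 hash schemes)."""
import base64
import hashlib
import hmac
import re
from typing import Dict, Iterable, List


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} value: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample directory (assumed names and DN); hashed here so the
# values are genuine RFC 2307 hashes but the accounts are fictional.
SAMPLE_ACCOUNTS = [
    ("alice", make_ssha("Summer2009", bytes.fromhex("0102030405060708"))),
    ("bob", make_ssha("correct horse battery staple", bytes.fromhex("cafebabedeadbeef"))),
    ("carol", make_sha("password")),
    ("dave", make_ssha("letmein", bytes.fromhex("00ff00ff"))),
]


def build_ldif(accounts: Iterable[tuple]) -> str:
    """Render entries the way ldapsearch prints them: userPassword comes out base64 ('::')."""
    lines: List[str] = []
    for uid, pw in accounts:
        lines.append(f"dn: uid={uid},ou=people,dc=example,dc=edu")
        lines.append(f"uid: {uid}")
        lines.append("userPassword:: " + base64.b64encode(pw.encode()).decode())
        lines.append("")
    return "\n".join(lines)


SAMPLE_LDIF = build_ldif(SAMPLE_ACCOUNTS)

# Constructed stand-in for a default cracking wordlist.
WORDLIST = ["123456", "password", "letmein", "Summer2009", "qwerty", "welcome"]

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text: str) -> Dict[str, str]:
    """Map uid -> userPassword for every entry carrying both attributes."""
    entries: Dict[str, str] = {}
    uid = pw = None
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if uid and pw:
                entries[uid] = pw
            uid = pw = None
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                       # base64-encoded attribute value
            value = base64.b64decode(value).decode()
        if attr.lower() == "uid":
            uid = value
        elif attr.lower() == "userpassword":
            pw = value
    return entries


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against an RFC 2307 hash; a value with no {scheme} is cleartext."""
    m = SCHEME_RE.match(stored)
    if not m:
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, blob, pw = m.group(1).upper(), base64.b64decode(m.group(2)), candidate.encode()
    if scheme == "SSHA":                      # 20-byte digest followed by the salt
        return hmac.compare_digest(hashlib.sha1(pw + blob[20:]).digest(), blob[:20])
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    if scheme == "SMD5":                      # 16-byte digest followed by the salt
        return hmac.compare_digest(hashlib.md5(pw + blob[16:]).digest(), blob[:16])
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), blob)
    return False                              # {CRYPT} etc.: leave those to John


def audit(ldif_text: str, wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {uid: matched_word} for every account that falls to the wordlist."""
    cracked: Dict[str, str] = {}
    words = list(wordlist)
    for uid, stored in parse_ldif(ldif_text).items():
        for word in words:
            if check_password(stored, word):
                cracked[uid] = word
                break
    return cracked


def to_john(ldif_text: str) -> str:
    """'uid:hash' lines for John; {SSHA} values are handled by its salted SHA-1 format."""
    return "\n".join(f"{uid}:{pw}" for uid, pw in parse_ldif(ldif_text).items())


if __name__ == "__main__":
    for uid, word in audit(SAMPLE_LDIF, WORDLIST).items():
        print(f"weak password: {uid} ({word!r})")
```

Only the accounts whose password is in the wordlist come back; bob's long passphrase survives, which is the point Pat makes about pass phrases. In a real run you would replace SAMPLE_LDIF with the output of an ldapsearch bound as an identity allowed to read userPassword, and keep the dump and the results somewhere that is itself access-controlled.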
