Educause Security Discussion mailing list archives
Re: Stats re: passwords
From: Patrick P Murphy <pmurphy () NRAO EDU>
Date: Fri, 16 Oct 2009 13:31:01 -0400
On Fri, 16 Oct 2009 13:09:55 -0400, Matthew Gracie <graciem () CANISIUS EDU> said:
> Occasional brute force audits aren't a bad thing. If you're using LDAP central auth, just take a dump from it and run John against it for a weekend. You'll be amazed how many cracks you get, even with the default dictionaries.
> I do this every month or so and sent out "you've got a weak password!"

We do the same sort of thing though more frequently (approximately bi-weekly). We think on balance that it's a more effective alternative than requiring routine (yearly, 6-monthly) password changes. I also try to remind our users to think of it as a pass phrase, not a word.

- Pat
--
Patrick P. Murphy, Ph.D.
Webmaster (East), Computing Security Manager
http://www.nrao.edu/~pmurphy/
http://chien-noir.com/maze.shtml
"Inventions then cannot, in nature, be a subject of property." -- Thomas Jefferson, August 13, 1813