Re: Stats re: passwords

["HALL, NATHANIEL D." <halln () OTC EDU>]

> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
> Matthew Gracie
> Sent: Friday, October 16, 2009 12:10 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Stats re: passwords
>
> Matthew Wollenweber wrote:
> > Generally speaking, most brute force programs, dictionaries, and
> > cracking software are well suited to the rules Randy cited: "a) 8-16
> > characters b) upper/lower case c)at least 1 numeric d) at least 1
> > special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are
> > very common examples of how most people tend to cluster "complex"
> > rules into easily guessable permutations. I tend use truly random
> > passwords from a generator or those similar in style to what Don
> > mentioned.
> >
> > -Matt
>
> Occasional brute force audits aren't a bad thing. If you're using LDAP
> central auth, just take a dump from it and run John against it for a
> weekend. You'll be amazed how many cracks you get, even with the default
> dictionaries.
>
> I do this every month or so and sent out "you've got a weak password!"
> emails to everyone that gets cracked. And I'm so proud when they call me
> to confirm that I really sent the message. :)
>
> --Matt

I have done this for my organization and I must say that John on a PS3 works SO much better than a standard system.  
There don't even have to be customizations.  My PS3 cracked the same passwords in less than an hour compared to 12 
hours on a server.


--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535