Educause Security Discussion mailing list archives

Re: Stats re: passwords


From: Matthew Wollenweber <mwollenw () GWU EDU>
Date: Fri, 16 Oct 2009 14:56:34 -0400

NVIDIA/CUDA accelerated cracking is likewise impressive. I can't
recall if PS3 or CUDA has the edge on performance, but a PS3 in the
office for cracking and "other duties as assigned" seems like a better
deal.

On Fri, Oct 16, 2009 at 1:52 PM, HALL, NATHANIEL D. <halln () otc edu> wrote:
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Matthew Gracie
Sent: Friday, October 16, 2009 12:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Stats re: passwords

Matthew Wollenweber wrote:
Generally speaking, most brute force programs, dictionaries, and
cracking software are well suited to the rules Randy cited: "a) 8-16
characters b) upper/lower case c)at least 1 numeric d) at least 1
special character." Notably, Pa$$w0rd, Passw0rd!, and P@ssword1 are
very common examples of how most people tend to cluster "complex"
rules into easily guessable permutations. I tend to use truly random
passwords from a generator or those similar in style to what Don
mentioned.

-Matt

Occasional brute force audits aren't a bad thing. If you're using LDAP
central auth, just take a dump from it and run John against it for a
weekend. You'll be amazed how many cracks you get, even with the default
dictionaries.

I do this every month or so and send out "you've got a weak password!"
emails to everyone that gets cracked. And I'm so proud when they call me
to confirm that I really sent the message. :)

--Matt

I have done this for my organization and I must say that John on a PS3 works SO much better than a standard system.  
There don't even have to be customizations.  My PS3 cracked the same passwords in less than an hour compared to 12 
hours on a server.


--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535




-- 
Matthew Wollenweber
mjw () cyberwart com
240-753-0281
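The thread's point that Pa$$w0rd, Passw0rd! and P@ssword1 satisfy the quoted complexity rules yet are trivially guessable can be turned into a pre-emptive check, so a weak choice is rejected at password-set time instead of being found by a weekend of cracking. The following is an added example, not code from the list or from any of the posters; it applies the rules Randy cited (8-16 characters, upper and lower case, a digit, a special character), then undoes common leetspeak substitutions and strips appended digits and punctuation before comparing against a wordlist. The wordlist here is a constructed five-word stand-in; a real deployment would load the same dictionary the audit run uses.

```python
import itertools
import string

# Complexity rules as quoted in the thread.
POLICY_MIN, POLICY_MAX = 8, 16

# Constructed stand-in for a real wordlist (assumption: a deployment would
# load the same dictionary the John audit runs against).
WORDLIST = {"password", "welcome", "letmein", "summer", "football"}

# Unambiguous substitutions people use to satisfy complexity rules.
LEET = {"@": "a", "$": "s", "0": "o", "3": "e", "4": "a",
        "5": "s", "7": "t", "|": "l", "+": "t"}
# Substitutions that could stand for more than one letter.
AMBIGUOUS = {"1": ("i", "l"), "!": ("i", "l")}


def meets_policy(pw):
    """True if the password satisfies the quoted a)-d) rules."""
    return (POLICY_MIN <= len(pw) <= POLICY_MAX
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalized_forms(pw):
    """Candidate base words hidden inside a 'complex' password.

    Strips leading/trailing digits and punctuation (Summer2009!, P@ssword1),
    lowercases, reverses unambiguous substitutions, then expands each
    ambiguous character into every letter it could stand for.
    """
    core = pw.strip(string.digits + string.punctuation).lower()
    core = "".join(LEET.get(c, c) for c in core)
    slots = [AMBIGUOUS.get(c, (c,)) for c in core]
    return {"".join(combo) for combo in itertools.product(*slots)}


def is_predictable(pw):
    """True if any normalized form of the password is a dictionary word."""
    return any(form in WORDLIST for form in normalized_forms(pw))


def audit(pw):
    """Policy result alongside the predictability check, for one password."""
    return {"meets_policy": meets_policy(pw), "predictable": is_predictable(pw)}


if __name__ == "__main__":
    # Constructed samples: the three from the thread, a date-suffixed word,
    # and a generator-style random string.
    for sample in ["Pa$$w0rd", "Passw0rd!", "P@ssword1", "Summer2009!", "kT7#vq9Lm2xR"]:
        result = audit(sample)
        print(f"{sample:14} policy={result['meets_policy']!s:5} predictable={result['predictable']}")
```

All three thread examples pass `meets_policy` and fail `is_predictable`, which is exactly the gap the posters describe: a rule set that measures character classes rather than guessability. The ambiguous-character expansion is bounded by the number of `1`/`!` characters, so a cap on candidates is worth adding before running this over a large dump.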
