Vulnerability Development mailing list archives
Re: WinNT and previously used passwords
From: Kevin Finisterre <dotslash () snosoft com>
Date: Sat, 25 May 2002 05:51:50 -0700
My interest here was only in "human nature"... I read an article recently about how people choose their passwords and this seemed to fit in with the reading. The article talked about how some people will simply look around the room and pick a random object and then maybe append the current time and voilà, they have their new password. Another common method was to put your own self image into a single word. What you end up with are people that use passwords like "bluecup1231" or "iamagod" or something along those lines.
My thought was yes, at one time I may have had access to the registry or the SAM (one and the same, apparently) but I may not have this access forever. If I cracked your current password it may only be valid for a finite amount of time. If on the other hand I cracked your last 10 passwords then I now know a little something about you and possibly a little about your personality. I just may notice that 4 weeks in a row you choose passwords related to items on your windowsill in your office... last week it was "greenCup", the week before it was "redPencil". If I no longer have access to the SAM file I am now one up on doing a simple brute force attack. When I look on your windowsill I notice the only item left is a "purpleFlower"... what's the likelihood that that will be next week's password?
-KF
On Friday, May 24, 2002, at 09:13 PM, Jesper M. Johansson wrote:
Generally speaking, I would be more interested in cracking your current password than 10 of your old ones, considering that the current one has a better chance of still being valid by the time I crack it. Presumably, if your new password is based on your old one, I would probably be able to crack the new one just as easily as the old one, and it allows me to do so using 1/11th the amount of work, assuming you are storing 10 passwords. Now, this might be interesting to do if your objective, as a white-hat administrator, is to catch people who reuse passwords. However, my experience is that most people would get more mileage out of teaching people to use good current passwords instead of cracking old ones. Better yet, implement smart card logon and get rid of passwords altogether.