Vulnerability Development mailing list archives

Re: WinNT and previously used passwords


From: Kevin Finisterre <dotslash () snosoft com>
Date: Sat, 25 May 2002 05:51:50 -0700

My interest here was only in "human nature"... I read an article recently about how people choose their passwords and this seemed to fit in with the reading. The article talked about how some people will simply look around the room and pick a random object and then maybe append the current time and voilà, they have their new password. Another common method was to put your own self-image into a single word. What you end up with are people that use passwords like "bluecup1231" or "iamagod" or something along those lines.

My thought was yes, at one time I may have had access to the registry or the SAM (one and the same, apparently), but I may not have this access forever. If I cracked your current password it may only be valid for a finite amount of time. If on the other hand I cracked your last 10 passwords then I now know a little something about you and possibly a little about your personality. I just may notice that 4 weeks in a row you choose passwords related to items on your window sill in your office... last week it was "greenCup", the week before it was "redPencil". If I no longer have access to the SAM file I am now one up on doing a simple brute force attack. When I look on your window sill I notice the only item left is a "purpleFlower"... what's the likelihood that that will be next week's password?
-KF


On Friday, May 24, 2002, at 09:13 PM, Jesper M. Johansson wrote:
Generally speaking, I would be more
interested in cracking your current password than 10 of your old ones,
considering that the current one has a better chance of still being
valid by the time I crack it. Presumably, if your new password is based
on your old one, I would probably be able to crack the new one just as
easily as the old one, and it allows me to do so using 1/11th the amount
of work, assuming you are storing 10 passwords.

Now, this might be interesting to do if your objective, as a white-hat
administrator, is to catch people who reuse passwords. However, my
experience is that most people would get more mileage out of teaching
people to use good current passwords instead of cracking old ones.
Better yet, implement smart card logon and get rid of passwords
altogether.
