[Klug-general] Passwords
Julia Freeman
klug at quixotic.org.uk
Mon Sep 5 09:42:11 UTC 2011
On Mon, Sep 05, 2011 at 10:33:26AM +0100, David Halliday wrote:
> One thought. If security is a concern this is potentially dangerous. A
> common way to exploit authentication on Windows AD networks is that the
> client computer remembers the last 10 user-names/passwords successfully
> authenticated. This is useful to authenticate people when network
> availability is unreliable. However, if you are in a public environment or
> there is a chance that someone might be interested in exploiting the
> network, then having physical access to a machine which stores
> user-names/passwords is a big security vulnerability, especially if a
> network admin was one of the last 10 people to access that machine. This is
> a very common mechanism used to exploit MS-based networks.
>
> From a security mindset, once a person has physical access to a machine that
> machine is easily compromised (and anything on it can and will be used
> against you). One live CD, FTP location to copy the shadow file to, jack the
> ripper (and time & CPU cycles) and you are open wide.
>
Increasingly these days you can actually crack a password quicker by just
googling the hash from the shadow file...
It's kinda worrying...
J
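Added example, not part of the thread: a short Python demonstration of why an unsalted hash of a common password can be resolved from a public precomputed table, while a per-user salted, iterated hash cannot, plus a classifier for the scheme a shadow-style password field uses. The wordlist, the `pbkdf2$` storage format and the sample field values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a public, precomputed digest table.
COMMON_PASSWORDS = ["password", "letmein", "123456"]

# Unsalted SHA-1: the same password gives the same digest on every machine,
# so a shared table of digests for common passwords resolves it instantly.
def unsalted_sha1(password):
    return hashlib.sha1(password.encode()).hexdigest()

# Precomputed table (digest -> plaintext) built once from the wordlist.
LOOKUP_TABLE = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}

def lookup(digest):
    """Return the plaintext if the digest is in the table, else None."""
    return LOOKUP_TABLE.get(digest)

# Salted, iterated hash: a random per-user salt means no shared table can
# exist, and the iteration count makes every guess expensive. The 'pbkdf2$'
# encoding below is a constructed format, not real crypt(3) output.
def salted_pbkdf2(password, salt=None, rounds=100_000):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "pbkdf2$%d$%s$%s" % (rounds, salt.hex(), dk.hex())

def verify_salted(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Triage of the second field of a /etc/shadow line by its scheme prefix.
def shadow_scheme(field):
    if field in ("", "*", "!", "!!"):
        return "locked-or-none"
    if field.startswith("$y$"):
        return "yescrypt (salted, memory-hard)"
    if field.startswith("$6$"):
        return "sha512crypt (salted, iterated)"
    if field.startswith("$5$"):
        return "sha256crypt (salted, iterated)"
    if field.startswith("$1$"):
        return "md5crypt (salted, weak; migrate)"
    return "legacy DES crypt or unknown (weak; migrate)"
```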