[Sussex] Password totals

Mark Harrison Mark at ascentium.co.uk
Fri Mar 12 11:21:32 UTC 2004


When I was at Bovis, we dumped out the password list, and ran a
dictionary-based scan on it (on the basis that we knew the usernames
already.)

Of the 700 staff on that site, we cracked the passwords for just over
half...

Of course, the fact that we were already admins gave us the ability to
extract out the password list (albeit encrypted) which got around the "2
second pause per attempt" problem.


Even more scary, my mother was able to GUESS the passwords for about a
third of her team a year or so ago. This was on the basis of knowing the
favourite sport, and the car that each of them had :-)

M.


----- Original Message ----- 
From: "Geoff Teale" <gteale at cmedltd.com>
To: "LUG email list for the Sussex Counties" <sussex at mailman.lug.org.uk>
Sent: Thursday, March 11, 2004 2:19 PM
Subject: RE: [Sussex] Password totals


> On Thu, 2004-03-11 at 14:00 +0000, Gareth Ablett wrote:
> > Damn and I was going to write a quick script to show how it would be
> > done I still could and might I could do it in C as well maybe.
>
> It's faster still to use a previously generated list that's been sorted
> for commonly used combinations.  Usually though the speed limiting
> factor is defined by an arbitrary pause in the system requesting the
> password following a failed attempt.  Better still some systems lock
> down an account after a set number of failed attempts.
>
> In short - passwords are weak security, but automated attacks are rare -
> it's far more likely that users pick an obvious password or give it away
> to anyone who says that they're a sys-admin.  For this reason the
> theoretical multiplier of obscurity (i.e. the number of combinations) is
> hardly ever a factor in whether a system is cracked or not.
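The offline dictionary run Mark describes, as an added illustration that is not part of the original post or of anything the list itself produced. A constructed hash dump stands in for the extracted password list; salted SHA-256 is an assumption chosen so the example runs anywhere (the real system would have used its own crypt(3) scheme). A short "favourite sport / car" wordlist with a few mangling rules (case changes, appended digits) is tried against every entry. Because the hashes are attacked offline, the guess rate is bounded only by CPU; the same number of guesses through the login prompt would cost the "2 second pause per attempt" each, which is why dumping the list matters more than the size of the password space.

```python
import hashlib

# Constructed stand-in for a dumped password file. The post's real list
# would have used the system's own crypt(3) scheme; salted SHA-256 is an
# assumption made so the example runs without platform-specific modules.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed entries: (username, salt, hash). Three users picked a sport
# or car name with a trivial twist; one picked a random string.
SAMPLE_DUMP = [
    ("alice", "x1", hash_password("x1", "Football1")),
    ("bob",   "y2", hash_password("y2", "mondeo")),
    ("carol", "z3", hash_password("z3", "Cricket99")),
    ("dave",  "w4", hash_password("w4", "T7!q#9vLpZ2m")),
]

# Constructed wordlist: the kind of list a colleague who knows everyone's
# favourite sport and car could write down from memory.
WORDLIST = ["football", "cricket", "rugby", "mondeo", "golf", "password"]


def mangle(word: str):
    """Yield common variations of a base word: case changes and appended
    digits, which cover most 'make it a bit different' tricks users apply."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for base in (word, word.capitalize()):
        for n in range(100):
            yield f"{base}{n}"


def find_password(salt: str, digest: str, wordlist):
    """Try every mangled wordlist entry against one hash.
    Returns (password, attempts); password is None if nothing matched."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if hash_password(salt, candidate) == digest:
                return candidate, attempts
    return None, attempts


def crack(dump, wordlist):
    """Run the dictionary attack over every entry of the dump.
    Returns (cracked: {user: password}, total_attempts)."""
    cracked = {}
    total = 0
    for user, salt, digest in dump:
        password, attempts = find_password(salt, digest, wordlist)
        total += attempts
        if password is not None:
            cracked[user] = password
    return cracked, total


def online_equivalent_seconds(attempts: int, delay_per_attempt: float = 2.0) -> float:
    """Time the same guesses would cost through a login prompt that pauses
    after each failure (the '2 second pause per attempt' in the post)."""
    return attempts * delay_per_attempt


if __name__ == "__main__":
    cracked, attempts = crack(SAMPLE_DUMP, WORDLIST)
    for user, pw in cracked.items():
        print(f"{user}: {pw}")
    print(f"cracked {len(cracked)}/{len(SAMPLE_DUMP)} in {attempts} offline guesses")
    hours = online_equivalent_seconds(attempts) / 3600
    print(f"same guesses via the login prompt: ~{hours:.1f} hours")
```

The random password for "dave" survives every variation, so the attack's yield is set by how many people chose a guessable base word, not by the hash scheme; a per-attempt delay or account lockout only helps if the attacker never gets hold of the hash file.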




