Re: Leaks

From: Damian Menscher (menscher+security@uiuc.edu)
Date: 07/04/02


From: Damian Menscher <menscher+security@uiuc.edu>
Date: Thu, 04 Jul 2002 16:42:07 GMT

chris@nospam.com wrote:
> On Tue, 02 Jul 2002 00:39:32 GMT, alun@texis.com (Alun Jones) wrote:
>>In article <afo7ee$r78$1@slb7.atl.mindspring.net>, my_email@my_domain_here.com
>>(Pedro Hin) wrote:
>>>There should be no need for anyone to EVER have your password. There are PC
>>>migration tools out there which will allow the PC tech to do whatever needs to
>>>be done without actually acquiring access to the user's data or accounts.
>>
>>Except for the situation where you're converting accounts from tool/system A
>>to tool/system B, and the two tools/systems use incompatible hash methods.

> I've solved this problem with Lophtcrack. It took a week to crack all
> the passwords, but then it was an easy matter to set all of the
> passwords on the new setup. Scary part is that about 1/3 of the
> passwords were cracked in an hour.

I don't think I'd be so proud about having uneducated users....

Why don't you do your job and teach them to select passwords you
can't crack?

FWIW, I regularly try to crack my users' passwords. Any accounts I
crack are locked until I can remind the user about how to pick a
good password. I only had one complaint from a user who thought
this was an invasion of privacy. ;)

Damian Menscher

-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 1429 DCL, Workstation Services Group, CITES Ofc:(217)244-3862 |#=-
-=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-


