[unisog] password complexity -- an idea (thoughts?)

Michael Holstein michael.holstein at csuohio.edu
Fri Feb 25 15:37:33 GMT 2005


using cron (or the windows equiv), run the hashes through a fairly 
sparse ruleset of 'john' with a large wordlist, enabling common 
substitutions (eg '1' for letter 'I' or 'i' or 'L' or 'l', etc.). 
Anything that hits, set the password-expiration date on that account to 
today.

This would seem to address the issue of passwords which pass muster with 
'passfilt.dll' (windows) or the various mechanisms in PAM -- but which 
are still not hard to 'guess' with a cracker.

Users that keep choosing easy passwords would have to change them every 
day -- eventually annoying them to the point they'd pick something more 
secure.

Of course, you'd still have to outlaw post-its ... eg:

"try and make something idiot-proof and nature will provide you with a 
better idiot" (reverse interpretation of Darwin's law).

Michael Holstein CISSP GCIA
Cleveland State University

PS : this all overlooks one obvious fact : by the time someone has a 
copy of /etc/shadow or your SAM database, they've already got keys to 
the kingdom anyway. If I've got your BDC's hard disk mounted under my 
knoppix CD then it's all over -- likewise for pwdump3 over the network.
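
The cron-driven audit described in the post above, written out as an added example (it is not code from the original message). It assumes an unshadowed hash file, a wordlist path, a private pot file and a DRY_RUN switch, all of which are hypothetical placeholders; the character substitutions the post mentions (i/l to 1, etc.) are assumed to live in the rule section of john.conf that --rules selects, and the expiry step uses chage -d 0 on Linux.

```shell
#!/bin/sh
# Added example (not from the original post): nightly john run over a
# shadow file, expiring every account whose password the wordlist cracks.
# HASHFILE, WORDLIST, POTFILE and DRY_RUN are assumptions for illustration.

HASHFILE="${HASHFILE:-/var/lib/pwaudit/unshadowed}"   # from: unshadow /etc/passwd /etc/shadow
WORDLIST="${WORDLIST:-/usr/share/wordlists/words.txt}"
POTFILE="${POTFILE:-/var/lib/pwaudit/john.pot}"        # keep cracked passwords out of the default pot
DRY_RUN="${DRY_RUN:-1}"                                 # 1 = only print, 0 = really expire

# Extract usernames from `john --show` output. Cracked lines look like
# user:password[:uid:gid:gecos:home:shell]; the trailing summary line
# ("N password hashes cracked, M left") has no colon and is dropped, as are
# blank lines.
cracked_users() {
    awk -F: 'NF >= 2 { print $1 }' | sort -u
}

# Force a change at next login: chage -d 0 sets the last-change date to the
# epoch, so the password counts as expired ("today", as the post puts it).
expire_account() {
    user="$1"
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would expire: %s\n' "$user"
    else
        chage -d 0 "$user"
    fi
}

run_audit() {
    # Wordlist mode with mangling rules. The sparse ruleset (leetspeak
    # substitutions such as sl1 / si1 / se3, appended digits) is assumed to
    # be defined in the [List.Rules:Wordlist] section of john.conf.
    john --wordlist="$WORDLIST" --rules --pot="$POTFILE" "$HASHFILE" >/dev/null 2>&1
    john --show --pot="$POTFILE" "$HASHFILE" | cracked_users | while read -r user; do
        expire_account "$user"
    done
}

# Only run when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_audit
fi
```

Install it as a root cron entry (e.g. `0 3 * * * /usr/local/sbin/pwaudit.sh --run`) after regenerating the unshadowed file; the pot file should be readable by root only, since it holds the cleartext passwords that were recovered.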
