[unisog] password complexity -- an idea (thoughts?)
michael.holstein at csuohio.edu
Fri Feb 25 15:37:33 GMT 2005
using cron (or the Windows equiv), run the hashes through a fairly sparse ruleset of 'john' with a large wordlist, enabling common substitutions (e.g. '1' for letter 'I' or 'i' or 'L' or 'l', etc.). Anything that hits, set the password-expiration date on that account to
This would seem to address the issue of passwords which pass muster with 'passfilt.dll' (Windows) or the various mechanisms in PAM -- but which are still not hard to 'guess' with a cracker.
Users that keep choosing easy passwords would have to change them every day -- eventually annoying them to the point they'd pick something more
Of course, you'd still have to outlaw Post-its ... e.g.: "try and make something idiot-proof and nature will provide you with a better idiot" (reverse interpretation of Darwin's law).
Michael Holstein CISSP GCIA
Cleveland State University
PS: this all overlooks one obvious fact: by the time someone has a copy of /etc/shadow or your SAM database, they've already got keys to the kingdom anyway. If I've got your BDC's hard disk mounted under my Knoppix CD then it's all over -- likewise for pwdump3 over the network.
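The audit loop the post sketches (expand a wordlist through a sparse substitution ruleset, compare against stored hashes, force a change on every hit), as an added example that is not part of the original message and does not use john itself. The substitution table, the wordlist, the sample accounts and the salted SHA-256 stand-in for the system's hash are all constructed for this example; real /etc/shadow entries use crypt(3) formats, so the `hash_password` function would be swapped for the matching one. `chage -d 0` is the standard way to mark a Linux account's password as expired at next login.

```python
import hashlib
import itertools
from typing import Dict, Iterator, List, Tuple

# Common substitutions a cracker ruleset would try (constructed mapping for
# this example; a real john ruleset is far larger and more varied).
SUBSTITUTIONS = {
    "a": ("a", "4", "@"),
    "e": ("e", "3"),
    "i": ("i", "1", "!"),
    "l": ("l", "1"),
    "o": ("o", "0"),
    "s": ("s", "5", "$"),
}


def candidates(word: str) -> Iterator[str]:
    """Expand one wordlist entry into the 'sparse ruleset' the post describes:
    leet substitutions, an initial capital, and a single appended digit."""
    choices = [SUBSTITUTIONS.get(ch, (ch,)) for ch in word.lower()]
    seen = set()
    for combo in itertools.product(*choices):
        base = "".join(combo)
        for form in (base, base.capitalize()):
            for suffix in ("",) + tuple("0123456789"):
                cand = form + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def hash_password(password: str, salt: str) -> str:
    """Stand-in for the system password hash (constructed: salted SHA-256,
    not the crypt(3) formats actually stored in /etc/shadow)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit(accounts: List[Tuple[str, str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Return {username: wordlist_entry} for every account whose stored hash
    matches a candidate derived from the wordlist. Candidates are hashed per
    account because each account carries its own salt."""
    weak: Dict[str, str] = {}
    for user, salt, stored in accounts:
        for word in wordlist:
            if any(hash_password(c, salt) == stored for c in candidates(word)):
                weak[user] = word
                break
    return weak


def expiry_commands(weak: Dict[str, str]) -> List[List[str]]:
    """Commands that force a password change at next login for each flagged
    account: 'chage -d 0' sets the last-change date to the epoch, so the
    password is treated as expired. Returned rather than executed."""
    return [["chage", "-d", "0", user] for user in sorted(weak)]


# Constructed sample: three choices that pass a typical complexity filter
# (mixed case, digit, symbol) but fall to substitution rules, and one passphrase.
WORDLIST = ["password", "letmein", "summer", "welcome"]
SAMPLE_ACCOUNTS = [
    ("alice", "s1", hash_password("P@ssw0rd", "s1")),
    ("bob", "s2", hash_password("correct horse battery staple", "s2")),
    ("carol", "s3", hash_password("L3tme1n", "s3")),
    ("dave", "s4", hash_password("Summer7", "s4")),
]

if __name__ == "__main__":
    flagged = audit(SAMPLE_ACCOUNTS, WORDLIST)
    for user, word in flagged.items():
        print(f"{user}: derived from '{word}'")
    for cmd in expiry_commands(flagged):
        print(" ".join(cmd))
```

Run nightly from cron as the post suggests, the script would read the real hash file instead of `SAMPLE_ACCOUNTS` and hand `expiry_commands` to the shell; keeping the command list separate from the audit makes the flagged set easy to log or review before anything is expired.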