[unisog] Password auditing

Peter Van Epp vanepp at sfu.ca
Fri Jul 1 04:54:32 GMT 2005


On Fri, Jul 01, 2005 at 01:27:17PM +1200, Russell Fulton wrote:
> First off, thanks to those who responded to my post on ssl and mysql.  I'm now investigating the native support in 4.0x
> 
> This time I have an idea for automated auditing of UNIX password (it may be extended to windows, I don't know).   Firstly I'd like to know if any of you can shoot holes in the proposal before I spend time implementing it and secondly I'd love to know if someone has already done this or something that achieves the same end.
<snip>

	We tend to attack this problem from the other end (but may be more 
centralized than you can be). We have a home grown account management system
that pushes the passwords to both LDAP and AD. Password changes take place in
the master database (after being run through cracklib, which I don't think
is set tough enough and our user support folks think is fascist, overly paranoid,
unnecessary and a variety of less printable things). I've been told that 
somewhere around 6 tries is the average to get an acceptable password which, 
common wisdom says, then gets written on a yellow sticky. 
	Since the password change mechanism has the unencrypted password when 
it does the cracklib check, it is much more efficient than attempting to crack
encrypted passwords later. The downside of course is that it doesn't help 
machines that we don't own / authenticate, nor will it find bad passwords in 
routers etc., but if you can arrange it, it seems to work well (and of course
a no longer functioning network port catches the attention of the careless in
the case of machines we don't own ...)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
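The point of the reply above is that the one place the plaintext is available is the password-change path, so that is where a dictionary/strength check is cheap; everywhere else you are stuck cracking hashes. The following is an added example, not code from the post or from SFU's account management system: a small Python sketch of a change-password routine that verifies the old credential against a salted PBKDF2 hash, runs a cracklib-style check on the plaintext candidate, and only then stores the new hash. The rules approximate cracklib's (length, distinct characters, palindrome, username, similarity to the old password, dictionary word after stripping digits and undoing leet substitutions, character classes); the thresholds, the similarity cut-off, the tiny word list and the user name are all constructed for this example. In production you would call the real library (python-cracklib's `cracklib.FascistCheck`, which raises `ValueError` with the reason) rather than this re-implementation.

```python
import difflib
import hashlib
import hmac
import os
import re

# Constructed miniature word list standing in for cracklib's compiled dictionary
# (/usr/share/cracklib/pw_dict on most distributions); assumption for the example.
SAMPLE_WORDS = {"password", "welcome", "summer", "monkey", "letmein", "qwerty", "university"}

# Common substitutions a cracker's rule set undoes before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LEN = 8          # thresholds are assumptions; cracklib's defaults differ slightly
MIN_DIFFERENT = 5
MIN_CLASSES = 3
SIMILARITY_CUTOFF = 0.8


def _normalise(s):
    return s.lower().translate(LEET)


def _root_candidates(pw):
    """Forms of the candidate a word-list attack would try: lowercased, with leading and
    trailing digits/punctuation stripped, leet-undone, and each of those reversed."""
    low = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    forms |= {f[::-1] for f in forms}
    return {f for f in forms if f}


def _char_classes(pw):
    return sum(1 for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(p, pw))


def check_password(candidate, old_password="", username="", words=SAMPLE_WORDS):
    """Return None if the plaintext candidate is acceptable, else a cracklib-style reason."""
    if len(candidate) < MIN_LEN:
        return "it is WAY too short"
    if len(set(candidate)) < MIN_DIFFERENT:
        return "it does not contain enough DIFFERENT characters"
    low = candidate.lower()
    if low == low[::-1]:
        return "it is a palindrome"
    if username and _normalise(username) in _normalise(candidate):
        return "it contains the user name in some form"
    if old_password:
        if _normalise(candidate) == _normalise(old_password):
            return "it is the same as the old one"
        ratio = difflib.SequenceMatcher(None, old_password.lower(), low).ratio()
        if ratio > SIMILARITY_CUTOFF:
            return "it is too similar to the old one"
    if any(root in words for root in _root_candidates(candidate)):
        return "it is based on a dictionary word"
    if _char_classes(candidate) < MIN_CLASSES:
        return "it is too simplistic/systematic"
    return None


def _hash(password, salt):
    # Slow salted hash: once the plaintext is gone, this is all an auditor can attack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_store(username, password):
    """Constructed in-memory credential store: {username: (salt, digest)}."""
    salt = os.urandom(16)
    return {username: (salt, _hash(password, salt))}


def change_password(store, username, old_password, new_password):
    """Password-change path: verify the old credential, run the strength check while the
    plaintext is in hand, and only then replace the stored hash. Returns the rejection
    reason, or None on success."""
    salt, digest = store[username]
    if not hmac.compare_digest(_hash(old_password, salt), digest):
        return "old password incorrect"
    reason = check_password(new_password, old_password, username)
    if reason:
        return reason
    new_salt = os.urandom(16)
    store[username] = (new_salt, _hash(new_password, new_salt))
    return None


if __name__ == "__main__":
    store = new_store("rfulton", "Tr0ub4dor&3")          # constructed user and password
    for cand in ("Summer2005!", "P@ssw0rd1", "rfulton2005!", "Xk9#mQ2v!bL"):
        print(cand, "->", change_password(store, "rfulton", "Tr0ub4dor&3", cand) or "accepted")
```

The dictionary test is deliberately run on the stripped and de-leeted forms, because "Summer2005!" and "P@ssw0rd1" are exactly the six-tries-later compromises users reach for, and a later hash-cracking run with a rule set would recover them just as easily as the bare word; rejecting them at change time costs one dictionary lookup instead of a cracking job.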

