Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Education End Users about Passwords
From: "J. Oquendo" <sil () politrix org>
Date: Tue, 9 Dec 2003 14:55:54 -0500 (EST)


1. Pick a sentence that has meaning for you and that you will remember.
       i.e. I work at cox today.
2. All consonants (or all vowels) become UPPERCASE characters.
3. All vowels (or all consonants as it is the opposite of rule 2) become
lower case characters.
4. Words like to and for become numbers.
5. Words like at and "and" become symbols (@ and &)
6. Add some character to the end like ! or #

Agreed to a certain extent. Consider the following however; Cracker is on
a machine that he needs some serious information say for corporate
esionage purposes, and the information is vital to him. What makes you
think an experienced cracker wouldn't have the correct type of dictionary
file? It's as simple as sed 's/a/4/g;s/A/4/g;s/e/3/g;s/E/3/g' and so
forth.

Substitutions? sed s'/i/\!/g', 's/^/./g', 's/$/./g' and so on.


Once they get this simple thing down, getting them to choose "strong"
passwords becomes infinitely easier, because they now have a mnemonic
device
to recall the password - the primary end user complaint about using
"strong"
passwords.  If they can remember it, they are also a lot less likely to
use
the nefarious sticky note.  Then all you have to worry about is making
sure
that they know not to give it out over the phone, which frankly, is the
easiest method of "cracking" a password.

2 cents,

Jimi

Disagree, most people stick with familiarity (cognitive dissonance) and
you can try to explain the situation a million times over but the sad fact
is most people will stick to their guns. What can you do as an admin/sec
engineer? One thing that I think corps. should do is, create some form of
quarterly meeting with their employees to explain security issues, e.g.;

Post it notes
Bad passwords
Not locking out their machines
Paper based nightmares (using shredders)

etc.

Too much I could add and work calls.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"I watch gangster flicks and root for the bad guy
and turn it off before it ends because the bad guy dies"
50 Cents -  'Assassins'

This is a farce confidential disclaimer intended to make you
aware that even though this may be priveledged information,
being it will become Google cache in the future, my original
intentions of keeping this message restricted and/or private
are thrown out the door. If you have received this e-mail in
error, please enjoy this signature and destroy this message
by dousing it in gasoline.



---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]