OSEC

 
Re: compromised machines

From: Mike Lyman (mikelyman-securitycomcast.net)
Date: Fri Aug 27 2004 - 23:12:11 CDT


Scott Weeks wrote:
>
> Are you sure they didn't crack the passwords? Do you have 'strong'
> passwords on the machines?

Don't forget derived/incremented passwords. Users who have passwords
cracked and then go on to continue to use the series will cause you
problems. BigDog1, BigDog2, BigDog3, BigDogX is fairly guessable and I
know from experience they will cause you problems even if they are
otherwise "strong."

On Windows you can implement a custom passflt.dll that will check for
these. Look for numbers, replace them with 0-9 and hash and compare with
the password history. If you have a match, you've got a password
incrementer.

(Sorry, but I didn't code the passflt.dll we used that did that, but from
what I've seen of the documentation on Microsoft's site on passflt.dll,
it should be repeatable. While you are at it, throw in a small
dictionary check for common words.)

--
Mike Lyman, CISSP
mikelyman-securitycomcast.net

"You can't take the sky from me"
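The two checks the post describes (substitute each digit of the new password with 0-9, hash every variant and compare it against the password history; then run a small dictionary check) as a runnable sketch. This is an added example in Python, not the passflt.dll the poster used and not Microsoft's filter API; the hash function, salt, sample history and word list are all constructed for the example (a Windows history store would hold NT hashes instead).

```python
"""Password-filter checks for incremented passwords and common words.

Added example: a portable model of the logic a passflt.dll would run at
password-change time. Nothing here is Windows-specific; the hash scheme,
salt, history and word list below are constructed stand-ins.
"""
import hashlib
from typing import Iterable, Optional, Sequence

# Assumption: the history store salts and hashes with SHA-256. A real
# Windows history would hold unsalted NT hashes, which makes this cheaper.
HISTORY_SALT = b"constructed-example-salt"


def history_hash(password: str, salt: bytes = HISTORY_SALT) -> bytes:
    """Hash a password the same way the (hypothetical) history store does."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def digit_variants(password: str) -> Iterable[str]:
    """Yield every string formed by changing one digit of password to 0-9.

    This is the post's check: BigDog3 yields BigDog0..BigDog9 (minus
    itself), so if BigDog2 is in the history the user is incrementing.
    """
    for i, ch in enumerate(password):
        if ch.isdigit():
            for d in "0123456789":
                if d != ch:
                    yield password[:i] + d + password[i + 1:]


def is_incremented(password: str, history: Sequence[bytes]) -> bool:
    """True if password, or a one-digit variant of it, is in the history."""
    known = set(history)
    if history_hash(password) in known:       # plain reuse
        return True
    return any(history_hash(v) in known for v in digit_variants(password))


# Constructed word list; a real filter would load a larger one from disk.
COMMON_WORDS = frozenset({
    "password", "welcome", "summer", "winter", "bigdog", "letmein", "admin",
})


def contains_common_word(password: str, words=COMMON_WORDS) -> bool:
    """Strip digits and symbols, lowercase, and look for dictionary words.

    'BigDog1' reduces to 'bigdog'; 'MyPassword99!' reduces to 'mypassword',
    which contains 'password'. Only words of five or more letters are
    matched as substrings, to limit false positives from short words.
    """
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters in words:
        return True
    return any(w in letters for w in words if len(w) >= 5)


def password_filter(candidate: str, history: Sequence[bytes],
                    words=COMMON_WORDS) -> Optional[str]:
    """Return None if the candidate is acceptable, else a rejection reason."""
    if is_incremented(candidate, history):
        return "matches or increments a password in the history"
    if contains_common_word(candidate, words):
        return "contains a common dictionary word"
    return None


if __name__ == "__main__":
    # Constructed history: what the user has used before.
    history = [history_hash(p) for p in ("BigDog1", "BigDog2", "Tr0ub4dor&3")]
    for candidate in ("BigDog3", "Tr0ub4dor&4", "BigDog10", "Zq9!xL2m"):
        print(f"{candidate!r}: {password_filter(candidate, history) or 'ok'}")
```

Per-digit substitution catches the series the post complains about (BigDog1, BigDog2, BigDog3) and changes buried in the middle of a password (Tr0ub4dor&3 to Tr0ub4dor&4), but not a user who appends a digit rather than replacing one (BigDog9 to BigDog10), since that changes the length; the history depth and the dictionary check have to carry that case. The cost is ten hashes per digit in the candidate, which is negligible at password-change time even with a slow hash.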