[colug-432] password survey

Angelo McComis angelo at mccomis.com
Fri May 23 02:04:53 EDT 2014


I'm not saying you're wrong here, but it's entirely possible that they did have a one-way hash and strong encryption but used a simple brute force tool (aka John the Ripper) across the password file, and it was able to solve that because it has (depending on how you look at it) a simple pattern of letters only (upper and lower, but no symbols or numerics), and was only based on dictionary words.

Aside from that, yes - it's a valid point you bring up here.

> On May 22, 2014, at 9:37 PM, Richard Hornsby <richardjhornsby at gmail.com> wrote:
> 
> 
>> On May 22, 2014, at 17:26 , Judd Montgomery <judd at jpilot.org> wrote:
>> 
>> A friend just sent me something a little silly on this topic that I 
>> figured I'd share.
>> 
>> During a recent password audit by a company, it was found that an 
>> employee was using the following password: 
>> "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"  When asked why 
>> she had such a long password, she rolled her eyes and said: "Hello!  It 
>> has to be at least 8 characters and include at least one capital.”
> 
> I realize that this is a little tongue-in-cheek and that my response is not ...
> 
> A valid retort might be: "Instead of asking me why my password is so long, let me ask you what encryption method are you using that you’re able to read out everyone’s password like that?”  Pushing further, "Do you understand the risk to our company (and likely our customers) if a bad guy gets into our stuff, because you have passwords stored in a reversible, or worse, plaintext format?”  And poking them just a little more for good measure, "Do you, mr security person giving me grief about my insanely long password, not understand what a one-way hash is?"
> 
> Sorry, I get annoyed by foolish waste of energy in this space that seems entirely directed at the wrong problem.
> 
> 
> 
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
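
Added example, not from Angelo's message or from anything posted to the list: a small Python script showing the attack Angelo describes, i.e. why a passphrase built only from capitalized dictionary words falls to a combinator/wordlist attack even when the server stores only a salted one-way hash. The wordlist, salt and the three-word target "MickeyMinniePluto" are constructed for the demo (the joke's nine-word version just multiplies the candidate count by the wordlist size for every extra word). The same candidate generation is run against a fast hash (one SHA-256) and a slow one (PBKDF2); the guess count is identical, only the cost per guess changes, which is the one lever the defender controls once a user has picked dictionary words.

```python
import hashlib
import itertools
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed wordlist for the demo. A real John the Ripper / hashcat run
# would use a multi-megabyte list; the search cost scales as N**k for
# k concatenated words drawn from N entries.
WORDLIST: List[str] = [
    "mickey", "minnie", "pluto", "huey", "louie", "dewey",
    "donald", "goofy", "sacramento", "daisy", "scrooge", "pete",
]

HashFn = Callable[[str, bytes], bytes]


def candidates(words: List[str], max_words: int) -> Iterator[str]:
    """Yield every concatenation of 1..max_words dictionary words, each
    word capitalized. This mirrors a combinator attack with a single
    'capitalize' mangling rule, which is all the 'MickeyMinnie...' pattern
    needs. Upper/lower mix and length contribute nothing against it."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            yield "".join(w.capitalize() for w in combo)


def sha256_hash(password: str, salt: bytes) -> bytes:
    """Salted single SHA-256: genuinely one-way and not reversible, but so
    cheap that an attacker can test millions of guesses per second."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_pbkdf2_hasher(iterations: int) -> HashFn:
    """Build a PBKDF2-HMAC-SHA256 hasher. The iteration count is the
    work factor: the attacker still needs the same number of guesses,
    each guess just costs `iterations` times more."""
    def pbkdf2_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, iterations)
    return pbkdf2_hash


def crack(target_hash: bytes, salt: bytes, words: List[str],
          max_words: int = 3,
          hash_fn: HashFn = sha256_hash) -> Tuple[Optional[str], int]:
    """Offline attack against a stolen (salt, hash) pair. Returns the
    recovered password (or None) and the number of guesses hashed."""
    attempts = 0
    for guess in candidates(words, max_words):
        attempts += 1
        if hash_fn(guess, salt) == target_hash:
            return guess, attempts
    return None, attempts


def dictionary_keyspace(n_words: int, max_words: int) -> int:
    """Candidates a combinator attack must consider: sum of N**k."""
    return sum(n_words ** k for k in range(1, max_words + 1))


def letters_only_keyspace(length: int) -> int:
    """What a naive character-level brute force over [A-Za-z] of the same
    length would face; the gap to dictionary_keyspace is the whole point."""
    return 52 ** length


if __name__ == "__main__":
    salt = b"constructed-demo-salt"          # assumption: per-user random salt
    target = "MickeyMinniePluto"              # constructed demo password

    found, tries = crack(sha256_hash(target, salt), salt, WORDLIST, 3)
    print(f"sha256:  recovered {found!r} after {tries} guesses")

    slow = make_pbkdf2_hasher(100_000)
    found, tries = crack(slow(target, salt), salt, WORDLIST, 3, hash_fn=slow)
    print(f"pbkdf2:  recovered {found!r} after {tries} guesses (same count, "
          f"each ~100000x more expensive)")

    print("combinator candidates (12 words, up to 3):",
          dictionary_keyspace(len(WORDLIST), 3))
    print("letters-only brute force, 17 chars:      ",
          letters_only_keyspace(len(target)))
```

The auditor in the joke did not need to read passwords out of storage to learn this one; a stolen hash file plus a wordlist and one mangling rule recovers it in a few hundred guesses. Reversible or plaintext storage, the point Richard raises, is a separate and worse problem: it skips even those guesses.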


