Doing a little bit of work-related reading today and learned a few things about passwords based on a 2013 Derbycon presentation:
Password rotation introduces password vulnerabilities (I actually already knew this and have complained about it at various jobs, but what can you do)
* Users will invent ways to remember their password
  ** 90 day rotation - seasonal password
  ** 30 day rotation - month based
    *** Users will use the same root word for future passwords and only change numbers and special characters
Keyboard patterns, e.g. qwe123, are easily defeated by Hashcat
Special rules required?
* There is an order to which characters, numbers, and special characters people will use
* There is an order to where they will place specific characters
  ** These patterns are universal
    *** Exclamation point is the most commonly used special character
    *** Capital letters are almost always the first letter in a password
    *** If the rules require a special character and a digit, the special character and the digit will be at the end.
Simple stuff, but with the tools and hardware available now it is almost trivial to compromise a password that follows these patterns.
(Note: I am claiming no special expertise in password cracking, just remarking on what I was reading and viewing)
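The patterns listed above are exactly what a defender can screen for at password-change time. The following is an added example (not code from the post or from the Derbycon presentation) of a small predictable-pattern filter: it flags seasonal and month-based passwords, the capital-first/digits-and-specials-at-the-end structure, short keyboard walks, embedded years, and the "same root word, only the numbers changed" rotation habit by comparing against the previous password. The word lists, the regexes, and the function names are assumptions made for this example; a real deployment would use fuller lists and a breached-password corpus on top of this.

```python
import re

# Constructed word lists for this example (deliberately short; a production
# filter would load fuller lists and a breached-password corpus instead).
SEASONS = ("spring", "summer", "fall", "autumn", "winter")
MONTHS = ("january", "february", "march", "april", "june", "july", "august",
          "september", "october", "november", "december")
# "may" is omitted above because as a bare substring it matches too many
# ordinary words ("dismay"); it is checked separately with a boundary regex.
KEYBOARD_WALKS = ("qwerty", "qwe", "asdf", "zxcv", "1qaz", "2wsx", "123456", "1234", "123")

# The structural habit from the presentation: one capital as the first letter,
# a lower-case root word, then the digits/specials tacked on at the end.
CAPITAL_FIRST_SUFFIX = re.compile(r"[A-Z][a-z]+[0-9!@#$%^&*()_+=\-]{1,6}")
YEAR = re.compile(r"(19|20)\d{2}")
MAY = re.compile(r"(^|[^a-z])may([^a-z]|$)")


def root_word(password: str) -> str:
    """Lower-case the password and strip everything that is not a letter.

    This is the "root word" users keep across rotations; only the digits
    and special characters around it tend to change.
    """
    return re.sub(r"[^a-z]", "", password.lower())


def is_rotation_variant(new_password: str, old_password: str) -> bool:
    """True when the new password reuses the old root word and differs only
    in digits/special characters (e.g. Winter2023! -> Winter2024!)."""
    old_root = root_word(old_password)
    return (bool(old_root)
            and root_word(new_password) == old_root
            and new_password != old_password)


def check_password(password: str, previous: tuple = ()) -> list:
    """Return the list of predictable-pattern labels found in `password`.

    An empty list means none of the patterns from the presentation were
    detected; it does not mean the password is strong.
    """
    issues = []
    lowered = password.lower()
    if any(season in lowered for season in SEASONS):
        issues.append("season-based")
    if any(month in lowered for month in MONTHS) or MAY.search(lowered):
        issues.append("month-based")
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        issues.append("keyboard-walk")
    if YEAR.search(password):
        issues.append("contains-year")
    if CAPITAL_FIRST_SUFFIX.fullmatch(password):
        issues.append("capital-first-suffix-complexity")
    # Compare against the user's previous password(s) to catch the
    # "same root, bump the number" rotation habit.
    if any(is_rotation_variant(password, old) for old in previous):
        issues.append("rotation-variant")
    return issues


if __name__ == "__main__":
    # Constructed sample: a user whose last password was Winter2023! tries a few candidates.
    history = ("Winter2023!",)
    for candidate in ("Summer2023!", "Winter2024!", "qwe123", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, history) or 'no known pattern'}")
```

Wiring this into a password-change hook rejects the rotation variants and seasonal passwords the presentation describes instead of relying on rotation itself; the check against `previous` only needs the previous password's root word, so storing a hash of `root_word(old_password)` rather than the old password is enough to implement it.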