Password Hacking by Work
pinchy
25-05-2007, 06:50 PM
Hey guys, a mate of mine just received this email from his work:
This weekend, we will be conducting a password audit on your **********, *******, ******* passwords in order to test the strength of the passwords used in the school. The password auditing tool we use makes more than two million attempts per second to crack your password. If your password is (easily) cracked, you will be confidentially notified.
This sounds pretty fishy to me... All the password accounts they'll try are work related so I know they 'own' the service, but this just feels... wrong... is it allowed?
Boobmeister
25-05-2007, 06:52 PM
I believe so. One of the lawyer types here can confirm, but I'm pretty sure there have been a few case judgments in the last few years that dictate that nothing on a work pc is private. Passwords would be no different.
dwarfthrower
25-05-2007, 07:03 PM
Passwords wouldn't usually be stored on a work pc anyway, so they're auditing the servers for whichever applications they're talking about.
Boobmeister
25-05-2007, 07:05 PM
ooo I was close ... add what DT said to my comment :D
dwarfthrower
25-05-2007, 07:23 PM
Besides which, it's not like the administrators would actually need to brute force the passwords in order to gain access to the staff members' data anyway.
Besides which, it's not like the administrators would actually need to brute force the passwords in order to gain access to the staff members' data anyway.
exactly
to put it simply, it just sounds like this I.T department has way too fucking much time on its hands
Allowed? I think it should be encouraged. Any Network/Security admin worth their salt should be doing that anyway. I'm impressed they emailed you about it ...
gplama
25-05-2007, 08:20 PM
How about they enforce a policy of password complexity and force everyone to change their passwords? Without having the system enforce password complexity rules, the IT dept will need to run this audit all the time. They are creating more work for themselves!
Then they could email out the users telling them the reasons behind the new password policy. Problem solved, permanently. It'll also show the user base that the IT dept are looking after their best interests. Cracking passwords and letting people know is the WRONG approach.
Too many cowboys, not enough professionals. Email them back with the above :)
Scythe
25-05-2007, 09:06 PM
How about they enforce a policy of password complexity and force everyone to change their passwords? Without having the system enforce password complexity rules, the IT dept will need to run this audit all the time.
This was the first thing I thought of. It's changing three settings in Group Policy, ffs.
jasebert
25-05-2007, 10:45 PM
How about they enforce a policy of password complexity and force everyone to change their passwords? Without having the system enforce password complexity rules, the IT dept will need to run this audit all the time. They are creating more work for themselves!
Then they could email out the users telling them the reasons behind the new password policy. Problem solved, permanently. It'll also show the user base that the IT dept are looking after their best interests. Cracking passwords and letting people know is the WRONG approach.
Too many cowboys, not enough professionals. Email them back with the above :)
Yeah that would work. No really. Too bad users write their passwords down, or still make them relatively simple like the name of their dog, or partner followed by a birthdate or whatever. Complex passwords do not solve that problem at all.
User training is much better than implementing policies on passwords. User training plus open dialogue with their network admins = :light:
dwarfthrower
25-05-2007, 11:03 PM
User training
... should always involve a stick.
gplama
25-05-2007, 11:06 PM
Yeah that would work. No really. Too bad users write their passwords down, or still make them relatively simple like the name of their dog, or partner followed by a birthdate or whatever. Complex passwords do not solve that problem at all.
User training is much better than implementing policies on passwords. User training plus open dialogue with their network admins = :light:
Post-it noted passwords or not, I've commented on the issue at hand. In the given scenario, I believe the admins are overlording their user base by brute forcing their passwords. Guaranteeing system passwords meet complexity requirements is a minor admin task. Scheduling user training can be a massive task... not to mention still having to check users are getting the message by brute forcing the passwords.
Put the machines to work, not the IT staff, they've got forums to post on! :)
edit:
Oh.. and NOBODY wants an open dialogue with the IT dept, they just want to get their work done.
<offtopic> that just reminded me of a quote on a cycling forum I use... "I want a relationship with my wife, not with the owner of the local bike store". This was in regard to rider sponsorship in club cycling etc... anyways.. </offtopic>
pinchy
26-05-2007, 12:49 AM
Access to data isn't what I feel a little uneasy for him about, it's more that most people, even those who have complex passwords like "Aasd7AS8790" use one or two passwords for many different sites/services.
True the admin staff can jump on and see all their work related stuff on the server, big deal. It's that they'll know a heap of passwords, which to my understanding is encrypted when stored?
gplama
26-05-2007, 01:03 AM
Access to data isn't what I feel a little uneasy for him about, it's more that most people, even those who have complex passwords like "Aasd7AS8790" use one or two passwords for many different sites/services.
IMO, treat work machines like public terminals - SSH into home to do anything personal.
People get up in arms about Google owning their data by never deleting emails and indexing their searches.. but these people need to be more worried about the corporate email spying in their own workplace. You'd be amazed at the amount of people who use their work email address for Seek.. and you would be amazed at the amount of managers who want to know this information...*
*all purely from my own experiences.. others mileage may vary.
Also amusing to see people using Google Desktop/Toolbar whatever to archive/index/whatever their work documents...
jasebert
27-05-2007, 11:11 PM
Post-it noted passwords or not, I've commented on the issue at hand. In the given scenario, I believe the admins are overlording their user base by brute forcing their passwords. Guaranteeing system passwords meet complexity requirements is a minor admin task. Scheduling user training can be a massive task... not to mention still having to check users are getting the message by brute forcing the passwords.
Put the machines to work, not the IT staff, they've got forums to post on! :)
edit:
Oh.. and NOBODY wants an open dialogue with the IT dept, they just want to get their work done.
<offtopic> that just reminded me of a quote on a cycling forum I use... "I want a relationship with my wife, not with the owner of the local bike store". This was in regard to rider sponsorship in club cycling etc... anyways.. </offtopic>
LOL. I agree. The world would be a better place without end users
locust
27-05-2007, 11:46 PM
Access to data isn't what I feel a little uneasy for him about, it's more that most people, even those who have complex passwords like "Aasd7AS8790" use one or two passwords for many different sites/services.
Yeah. Ideally you'll use different passwords everywhere. If you're not going to (and most don't) you should really keep work and everything else separate.
If this sort of exercise scares users into using a different password, that sounds like a useful side effect. Because the password sharing thing goes both ways - a workplace really doesn't want www.dodgyforums.com.au to know the password that you also use to get to your workplace's webmail.
True the admin staff can jump on and see all their work related stuff on the server, big deal. It's that they'll know a heap of passwords, which to my understanding is encrypted when stored?
Usually one way hashed - you can go from the password to the hash trivially, but not the other way around. Brute forcing literally tries hashing millions of passwords until they get a hash that matches the one that's stored.
still life
28-05-2007, 11:10 PM
You'd be amazed at the amount of people who use their work email address for Seek.. and you would be amazed at the amount of managers who want to know this information...*
I subscribe to seek on my work account, and I HOPE my boss knows.
still life
28-05-2007, 11:13 PM
Usually one way hashed - you can go from the password to the hash trivially, but not the other way around. Brute forcing literally tries hashing millions of passwords until they get a hash that matches the one that's stored.
For best results, calculate the hashes on all dictionary words and strings to length N (where N is the average number of characters a user can remember, say 9ish) and store on cd. Load hashes into hashtable, cracking short or dictionary passwords is now trivial.
This is an awesome demonstration to use when selling security products to windows admins without much clue.
Ash_Housewares
29-05-2007, 09:13 AM
For best results, calculate the hashes on all dictionary words and strings to length N (where N is the average number of characters a user can remember, say 9ish) and store on cd. Load hashes into hashtable, cracking short or dictionary passwords is now trivial.
This is an awesome demonstration to use when selling security products to windows admins without much clue.
salt?
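The last three posts (locust's one-way hash explanation, still life's precomputed hash table, and Ash_Housewares' "salt?") fit together, so here is an added worked example that is not from any poster in the thread. It uses a constructed five-word list standing in for the "dictionary words and short strings" still life describes, builds the precomputed table, shows that it recovers any unsalted hash of a listed word in a single dictionary lookup (which is what makes the audit in the original email so fast), and then shows why a per-user random salt plus a deliberately slow key derivation (PBKDF2, an assumption; the thread names no specific hash) makes that table useless: the same password yields a different stored value for every user, so nothing can be precomputed ahead of time. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist: stands in for "all dictionary words and strings to length N".
WORDLIST = ["password", "rover", "letmein", "school1", "Aasd7AS8790"]

PBKDF2_ITERATIONS = 200_000  # assumption: deliberately slow, tuned per deployment


def unsalted_hash(password: str) -> str:
    """One-way hash with no salt: same password -> same hash, everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; this is the table still life describes."""
    return {unsalted_hash(w): w for w in words}


def audit_unsalted(accounts: dict, table: dict) -> list:
    """Return the usernames whose stored (unsalted) hash appears in the table.
    accounts maps username -> stored hex hash. No brute forcing needed: one dict lookup each."""
    return sorted(user for user, stored in accounts.items() if stored in table)


def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Per-user random salt plus a slow KDF. Returns (salt, digest) to store together."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salted_table_hit(password: str, table: dict) -> bool:
    """Would the precomputed (unsalted) table recognise this user's salted digest? It cannot:
    the stored value is salt-dependent, so it never matches an entry computed without the salt."""
    _salt, digest = salted_hash(password)
    return digest.hex() in table


def demo() -> dict:
    table = build_lookup_table(WORDLIST)

    # Constructed accounts stored the weak way (unsalted SHA-256).
    accounts = {
        "alice": unsalted_hash("rover"),        # dog's name: in the list
        "bob": unsalted_hash("school1"),        # in the list
        "carol": unsalted_hash("correct horse battery staple"),  # not in the list
    }
    weak = audit_unsalted(accounts, table)      # ['alice', 'bob']

    # Same password, two users, salted: the stored digests differ.
    salt1, d1 = salted_hash("rover")
    salt2, d2 = salted_hash("rover")

    return {
        "weak_accounts": weak,
        "salted_digests_differ": d1 != d2,
        "verify_ok": verify("rover", salt1, d1),
        "verify_wrong_password": verify("Rover", salt1, d1),
        "table_hits_salted": salted_table_hit("rover", table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The defender's reading of the thread is in the last two result lines: with salting the precomputed table never matches, so an attacker (or an auditor) is back to hashing each guess per user at the KDF's cost, and "two million attempts per second" becomes a few hundred. The audit the original email describes only works as advertised against stores that lack the salt and the slow KDF.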