
Thread: another example of lazy/stupid admins

  1. #1

    another example of lazy/stupid admins

    Recently, while doing a security audit on my TAFE (with full authorisation), I came across 3 admin accounts that I managed to crack in under 1 second without resorting to a brute force attack. Now this wouldn't be so bad if you could blame it on ignorance; however, there is a 1-page document given to all students wishing to log on to a TAFE computer specifically stating that all passwords should be at least 6 chars long, don't use dictionary words, etc. I'd like to say I can't believe this, but sadly I can. That's all I have to rant about. If anyone has any similar stories please post them here, because I'm interested.
    If you can cheat and get away with it you deserve to win

  2. #2
    I don't know what sort of environment (network OS, etc.) you work in, but Active Directory allows you to enforce complex passwords. I'm sure that other alternatives do as well. Why not just do that?
    I started at my company about seven months ago and have been pushing complex passwords, expiration for passwords, etc. since I started. The nature of our business alone would require a huge deal of security, but I think what I'm getting at is that you're always going to run into resistant humans regardless of where you are. Some people aren't going to find security as important as you or I because they don't understand why it's necessary. It's the job of a good admin to explain the reasoning behind it all so that the point can be made.
    Elderly (70 plus) partners, VPs and executives are exempt from this, of course.

  3. #3
    MrLinus (Redondo Beach, CA)

    Originally posted here by Shyft
    Recently, while doing a security audit on my TAFE (with full authorisation), I came across 3 admin accounts that I managed to crack in under 1 second without resorting to a brute force attack. Now this wouldn't be so bad if you could blame it on ignorance; however, there is a 1-page document given to all students wishing to log on to a TAFE computer specifically stating that all passwords should be at least 6 chars long, don't use dictionary words, etc. I'd like to say I can't believe this, but sadly I can. That's all I have to rant about. If anyone has any similar stories please post them here, because I'm interested.
    Just because a document says something doesn't necessarily mean that people will follow it. That's where physical enforcement can be handy. IIRC you stated elsewhere that this is a Novell environment (5 or 6?). There is no reason why the system cannot a) enforce password length (should be longer than 8-10 at this point in computing abilities) and b) enforce complexity. It's easy to get a 6-letter password and still have a simple and brute-forceable password.

    One of the issues that I find (and this seems to be mirrored somewhat by what you are experiencing) is that admins seem to think that their accounts are exempt from the security policy. In fact, if anything, they should have stronger requirements, since the final goal of any "attacker" is to get "r00t". You might want to suggest that as part of your audit, but put it in more eloquent words than ranting. Perhaps suggest that a smart card system combined with a password might be worthwhile (or some other strong authentication combination rather than a password solely).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Well, these are some admins, but some, like mine in college, are sons of a bitch! They use Win 2003 servers; man, is that hard to crack. They prevent downloads, messenger chatting and, more importantly, ****.
    ____________________________
    get fast get furious!!!!!!!

  5. #5
    tejaswyappalla, no offence, but maybe your admins/sysadmins don't want people ****ing around with their lines. They're the provider; listen to their terms.
    The internet, not just for stalkers and pervs, but for computer geeks too!

  6. #6
    CXGJarrod
    Even if you do require a 6-letter password it still might be cracked in seconds. I have to fight with our users so that they do not use mypass as a password, or other easy passwords.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
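Posts #2, #3 and #6 above make the same point from three angles: a written rule that passwords be "at least 6 chars" enforces nothing by itself, the directory (Active Directory or Novell) can enforce length and complexity for you, and a 6-character password that satisfies the letter of the rule can still be a dictionary word like "mypass" that falls in well under a second. The following is an added example, not code from any poster in this thread, of what such a system-side check looks like when written down: a policy filter that rejects short, low-complexity and dictionary-derived passwords, plus a keyspace estimate of how long a pure brute-force search would take. The wordlist, the 10-character minimum, the three-class rule and the 10^9 guesses/second attacker rate are all assumptions chosen for illustration, not measurements.

```python
import math
import re

# Constructed stand-in for a cracking dictionary (assumption: a real audit
# would use a full wordlist plus mangling rules; these entries are illustrative).
WORDLIST = {"password", "mypass", "admin", "letmein", "welcome", "qwerty", "secret"}

MIN_LENGTH = 10   # assumed policy minimum, in line with post #3's "longer than 8-10"
MIN_CLASSES = 3   # assumed: at least three of lower/upper/digit/symbol

# Character classes with their alphabet sizes, used for both complexity and keyspace.
CLASSES = [
    ("lower",  re.compile(r"[a-z]"), 26),
    ("upper",  re.compile(r"[A-Z]"), 26),
    ("digit",  re.compile(r"[0-9]"), 10),
    ("symbol", re.compile(r"[^A-Za-z0-9]"), 33),   # printable ASCII punctuation
]

# Minimal leet-speak decoding table (assumption: a real cracker has far more rules).
_LEET = str.maketrans("0134$@", "oieasa")


def used_classes(pw):
    """Names of the character classes present in pw."""
    return [name for name, pat, _ in CLASSES if pat.search(pw)]


def keyspace_bits(pw):
    """Bits of keyspace an attacker must cover if they know only the length
    and which classes were used. This is an upper bound on strength: a
    dictionary word of the same length is found far sooner than this."""
    alphabet = sum(size for _, pat, size in CLASSES if pat.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def dictionary_hit(pw):
    """True if pw is a wordlist entry or a trivial variant of one:
    case folded, trailing digits/punctuation stripped, or leet-speak decoded."""
    base = pw.lower()
    decoded = base.translate(_LEET)
    candidates = {
        base,
        re.sub(r"[^a-z]+$", "", base),      # 'password1!' -> 'password'
        decoded,                            # 'p4$$w0rd'   -> 'password'
        re.sub(r"[^a-z]+$", "", decoded),
    }
    return any(c in WORDLIST for c in candidates)


def check_password(pw):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(used_classes(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if dictionary_hit(pw):
        problems.append("dictionary word or trivial variant")
    return problems


def brute_force_seconds(pw, guesses_per_second=1e9):
    """Worst-case time to exhaust the keyspace at an assumed attacker rate
    (1e9/s is a placeholder, not a measurement of any real cracker)."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


if __name__ == "__main__":
    # 'mypass' is the example from post #6; the others are constructed inputs.
    for pw in ["mypass", "Password1!", "p4$$w0rd", "Tr0ub4dor&3"]:
        verdict = check_password(pw) or ["ok"]
        print(f"{pw:14} {keyspace_bits(pw):5.1f} bits  "
              f"{brute_force_seconds(pw):14.1f} s  {', '.join(verdict)}")
```

Note what the two numbers show side by side: "mypass" has about 28 bits of keyspace, so even a blind brute force at the assumed rate finishes in a fraction of a second, and the dictionary check finds it without any search at all. The check that matters in practice is the dictionary one; length and class rules only raise the cost of the fallback brute force.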

  7. #7
    You've got to know one thing: most people don't need good passwords. Most of them rely on programs such as Anti-Freeze and Centurion to keep them from mischievous people. Also, some companies don't even care anyway.

  8. #8
    What OS does the admin use? Anyone know about websites that focus on Windows 2003 Server security? Thanks in advance.

  9. #9
    Most people don't care, but you guys have to understand network admins are kind of like bosses. They want everything done their way, but they don't have to follow the same laws. Oh well.
    it cant rain every day

  10. #10
    MrLinus (Redondo Beach, CA)
    Originally posted here by ch0c0l4t3
    What OS does the admin use? Anyone know about websites that focus on Windows 2003 Server security? Thanks in advance.
    Try this Google Search as it might help. You might also want to investigate Microsoft's Security site.