another example of lazy/stupid admins

recently while doing a security audit on my tafe (with full authorisation) i came accross 3 admin accounts that i managed to crack in under 1 second without resorting to a brute force attack. now this wouldnt be so bad if you could blame it on ignorance, however there is a 1 page document given to all students wishing to logon to a tafe computer specifically stating that all passwords should be at least 6 chars long, dont use dictionary words, etc. id like to say i cant believe this but sadly i can. thats all i have to rant about if anyone has any similar stories please post them here cos im interested.

i don't know what sort of environment (network os, etc.) that you work in, but active directory allows you to enforce complex passwords. i'm sure that other alternatives do as well. why not just do that?
i started at my company about seven months ago and have been pushing complex passwords, expiration for passwords, etc. since i've started. the nature of our business alone would require a huge deal of security, but i think that what i'm getting at is that you're always going to run into resistant humans regardless of where you are. some people aren't going to find security as important as you or i because they don't understand why it's necessary. it's the job of a good admin to explain the reasoning behind it all so that the point can be made.
elderly (70 plus) partners, vp's, executives are exempt from this of course:)

Quote:

---

Originally posted here by Shyft
recently while doing a security audit on my tafe (with full authorisation) i came accross 3 admin accounts that i managed to crack in under 1 second without resorting to a brute force attack. now this wouldnt be so bad if you could blame it on ignorance, however there is a 1 page document given to all students wishing to logon to a tafe computer specifically stating that all passwords should be at least 6 chars long, dont use dictionary words, etc. id like to say i cant believe this but sadly i can. thats all i have to rant about if anyone has any similar stories please post them here cos im interested.

---

Just because a document says something doesn't necessarily mean that people will follow it. That's where physical enforcement can be handy. IIRC you stated elsewhere that this is a Novell environment (5 or 6?). There is no reason why the system cannot a) enforce password length (should be longer than 8-10 at this point in computing abilities) b) enforce complexity. It's easy to get a 6 letter password and still have a simple and brute-forcable password.

One of the issues that I find (and this seems to be mirrored somewhat by what you are experiencing) is that admins seem to think that their accounts are exempted from the security policy. In fact, if anything, they should have stronger requirements since the final goal of any "attacker" is to get "r00t". You might want to suggest that as part of your audit but put it in more eloquant words than ranting. :D Perhaps suggest that a smart card system combined with password might be worthwhile (or some other strong password combinations rather than password solely)

well these r some admins but some like mine in college r son of a bitch ! they use win 2003 servers man is that hard to crack ,they prevent downloads , messengers chatting and mor importantly ****
____________________________
get fast get furious!!!!!!!

tejaswyappalla, no offence but maybe your admins/sysadmins dont want people ****ing around with there lines :) there the provider listen to there terms.

Even if you do require a 6 letter password it still might be cracked in seconds. I have to fight with our users so that they do not use mypass as a password or other easy passwords.

You got to know one thing most people dont need good passwords, most of them rely on programs such as anti-freeze, and centurion to keep them from mischevious people :). also some companies dont even care anyway

what OS the admin use ?, anyone know about websites that focus on windows 2003 server security ? thanks in advance

Most people dont care , but you guys have to understand network admins. are kind of like bosses. They want everything done there way but they dont have to follow the same laws. Oh well .

Quote:

---

Originally posted here by ch0c0l4t3
what OS the admin use ?, anyone know about websites that focus on windows 2003 server security ? thanks in advance

---

Try this Google Search as it might help. You might also want to investigate Microsoft's Security site.

For a long time I have worked in development....the other side of the track from infrastructure support (sysadmin)?

As this thread seems to have come to an end, I hope that I might use it for a few personal observations?

It is getting close to Christmas (a major Christian festival, also recognised in Islaam)

SYSADMIN (male of the species)

1. Jack Daniels
2. The McALLAN
3. Laphroaig
4. Talisker
5. Michelob (or similar)

SYSADMIN (female of the species)

1. Joie de Jean Patou
2. Estee Lauder
3. Chanel #9 (not#5.....that is for my age group!)
4. Belgian hand made chocolates
5. A "red car"


You will find strange things happen?............they moved all your rubbish, sorry, I meant "neatly filed documentation", to make room for the 21" monitor............the machine boots slower because it now has to check 512Mb, instead of the standard 128? :cool:

We are all people...........we are IT............we will "hang together, or most assuredly hang separately"

It is the season of goodwill folks.............buy your sysadmin a beer


Just my perverted viewpoint :)

Cheers

Hahahahaha. Quite funny. You could have the require password setting/script. And then everynight when you leave audit their passwords. If it becomes cracked, ask them to change it, if it happens a second time ask, and if it happens a third time, change their password to some obscure password that's 20 chars long. Or have a script that audits, then automatically replaces weak passwords with virgin, strong passwords.