The stored password must be hashed (and preferably salted too) otherwise I 
would change banks. When you enter your password, that is hashed and compared 
to the stored hash. If it matches, then you are allowed in.

But yes, they need to capture the hashes somehow in that situation, either by 
sniffing or getting access to the database. But once that compromise is done, 
it's usually only a matter of time.



Sent from my POS BlackBerry wireless device, which may wipe itself at any 
moment
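The distinction drawn in this thread (online guessing that hits the authentication system and trips lockout, versus offline cracking of captured hashes that never does) as an added example. This is not code from the list, from any bank, or from BlackBerry; it is a toy credential store written to show the mechanics. The PBKDF2 work factor, the lockout threshold, the user name, password and wordlist are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example (not code from the list or any bank): a toy credential store
# with per-user salted, iterated hashes, an online login path that enforces
# lockout, and an offline guessing loop that never touches the login path.
# ITERATIONS and LOCKOUT_THRESHOLD are illustrative assumptions.
ITERATIONS = 100_000
LOCKOUT_THRESHOLD = 5

Record = Tuple[bytes, int, bytes]  # (salt, iterations, digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Record:
    """Derive a salted, iterated digest. A fresh random salt per user means two
    users with the same password get different hashes, and a table precomputed
    against one leaked database is useless against another."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


class AuthSystem:
    """The online side: what the login form talks to. Every guess that comes
    through here is counted, so it can be locked out and alerted on."""

    def __init__(self) -> None:
        self.users: dict = {}      # username -> Record
        self.failures: dict = {}   # username -> consecutive failed logins
        self.login_calls = 0

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        self.login_calls += 1
        if self.failures.get(username, 0) >= LOCKOUT_THRESHOLD:
            return "locked"
        salt, iterations, stored = self.users[username]
        _, _, candidate = hash_password(password, salt, iterations)
        if hmac.compare_digest(candidate, stored):  # constant-time comparison
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


def online_guess(auth: AuthSystem, username: str, wordlist: list) -> Optional[str]:
    """Attacker without the hashes: each guess is a real login, so lockout bites."""
    for word in wordlist:
        result = auth.login(username, word)
        if result == "ok":
            return word
        if result == "locked":
            return None
    return None


def offline_crack(record: Record, wordlist: list) -> Optional[str]:
    """Attacker who captured the stored record (database dump, sniffed hash):
    each guess is hashed locally with the victim's salt and compared. The auth
    system sees no call, so no lockout and no alert; speed is bounded only by
    the attacker's hardware and the hash's work factor."""
    salt, iterations, stored = record
    for word in wordlist:
        _, _, candidate = hash_password(word, salt, iterations)
        if hmac.compare_digest(candidate, stored):
            return word
    return None


# Constructed sample wordlist; the victim's password is deliberately near the end.
WORDLIST = ["password", "letmein", "123456", "qwerty", "welcome",
            "monkey", "horses2fly", "summer2011"]


def demo() -> Tuple[Optional[str], int, Optional[str], int]:
    """Returns (online result, login calls consumed online,
    offline result, login calls consumed offline)."""
    auth = AuthSystem()
    auth.add_user("alice", "summer2011")
    online = online_guess(auth, "alice", WORDLIST)
    calls_online = auth.login_calls
    leaked = auth.users["alice"]  # what a database compromise hands the attacker
    offline = offline_crack(leaked, WORDLIST)
    calls_offline = auth.login_calls - calls_online
    return online, calls_online, offline, calls_offline


if __name__ == "__main__":
    online, calls_online, offline, calls_offline = demo()
    print(f"online guessing: found {online!r} after {calls_online} login calls "
          f"(locked after {LOCKOUT_THRESHOLD} failures)")
    print(f"offline cracking: found {offline!r} with {calls_offline} login calls")
```

The online loop is stopped by the lockout before it reaches the right word, while the offline loop finds it without ever calling `login`. The salt and iteration count do not stop offline cracking; they only make each guess cost the attacker the same work the server pays, which is why a slow hash matters far more once the database is gone.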

-----Original Message-----
From: "Ben Schorr" <b...@rolandschorr.com>
Date: Fri, 12 Aug 2011 09:24:27 
To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
Reply-To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Almost, but not quite OT: Passwords

But doesn't that require them to break into the authentication system?

 

When I go to log into my bank it doesn't present me a hashed password -
I give it what I think my password is, it checks against its directory
and either lets me in or tells me to try again.  

 

Or am I missing something?

 

Ben M. Schorr

Roland Schorr & Tower

www.rolandschorr.com | www.officeforlawyers.com | Twitter: @bschorr

 

From: kz2...@googlemail.com [mailto:kz2...@googlemail.com] 
Sent: Friday, August 12, 2011 12:19
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords

 

A good brute force attack doesn't throw passwords out for authentication
- just gets the hashed passwords and checks them against hashed values,
AFAIK. Therefore account lockouts are not triggered.

Sent from my POS BlackBerry wireless device, which may wipe itself at
any moment

________________________________

From: "Ben Schorr" <b...@rolandschorr.com> 

Date: Fri, 12 Aug 2011 09:15:39 -1000

To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>

ReplyTo: "NT System Admin Issues"
<ntsysadmin@lyris.sunbelt-software.com>

Subject: RE: Almost, but not quite OT: Passwords

 

Length is more important than complexity, no doubt. While it's good to
have mixed case and numbers and symbols the fact that you COULD is
enough to force any brute force attack to check for it.

 

And, frankly, any system that will allow 1,000 passwords a second to be
thrown at it without locking the account or alerting an admin has a
serious problem.

 

Ben M. Schorr

Roland Schorr & Tower

www.rolandschorr.com | www.officeforlawyers.com | Twitter: @bschorr

 

From: andy [mailto:afo...@psu.edu] 
Sent: Friday, August 12, 2011 12:00
To: NT System Admin Issues
Subject: RE: Almost, but not quite OT: Passwords

 

Huh... just tried something similar to one of my passwords: all
lowercase, all letters. Of course my real password has a couple of
numbers in it.

780 quintillion years

20-character password, all lowercase - 97 billion years
11-character password, all lowercase - 314 years
Huh... the password 0987654321aaaaaa - 1 billion years
aaaaaaaaaaaa - 12 years to hack

So much for the password rules.

Then again, my password would not work on a Unix system. Are Unix
systems still only 8 characters? It looks like any 8-character
password can be hacked in less than a week.

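Ben's "length is more important than complexity" point and andy's calculator numbers, as an added worked example; this is not code from the list or from howsecureismypassword.net. It estimates exhaustive-search cost two ways: from the character classes a password actually contains (what a per-password calculator does) and from every class the policy allows (what an attacker facing that policy must assume), and it models a system that only looks at the first 8 characters. The two guess rates, the sample strings and the `P@ssw0rd` comparison value are assumptions constructed for illustration.

```python
import math
import string
from typing import Dict, Iterable, Optional

# Added example (not code from the list or from howsecureismypassword.net):
# exhaustive-search estimates for the "length beats complexity" argument.
# The two guess rates are assumptions for illustration only.
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ONLINE_RATE = 1_000              # guesses/s against a login form with no lockout
OFFLINE_RATE = 10_000_000_000    # assumed GPU rate against a fast, unsalted hash

# Character classes a policy can require and a per-password calculator detects.
CLASSES = {
    "digits": string.digits,              # 10
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "symbols": string.punctuation + " ",  # 33, giving 95 printable ASCII in total
}


def alphabet_size_as_typed(password: str) -> int:
    """What a per-password calculator assumes: only the classes actually present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def alphabet_size_under_policy(allowed: Iterable[str]) -> int:
    """What an attacker facing a policy must search: every class the policy
    allows, whether or not this particular password uses it."""
    return sum(len(CLASSES[name]) for name in allowed)


def search_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace: the usual way to compare policies."""
    return length * math.log2(alphabet_size)


def expected_years(length: int, alphabet_size: int, rate: float,
                   max_length: Optional[int] = None) -> float:
    """Expected time to hit one password by exhaustive search at `rate` guesses/s,
    counting half the keyspace on average. `max_length` models a system that only
    looks at the first N characters (traditional DES-based crypt(3) uses 8)."""
    if max_length is not None:
        length = min(length, max_length)
    return (alphabet_size ** length) / 2 / rate / SECONDS_PER_YEAR


def report(password: str, policy: Iterable[str], rate: float) -> Dict[str, float]:
    """Side-by-side estimate for one password under one policy at one guess rate."""
    n = len(password)
    typed = alphabet_size_as_typed(password)
    policy_size = alphabet_size_under_policy(policy)
    return {
        "length": n,
        "bits_as_typed": search_bits(n, typed),
        "bits_under_policy": search_bits(n, policy_size),
        "years_as_typed": expected_years(n, typed, rate),
        "years_under_policy": expected_years(n, policy_size, rate),
        "years_if_truncated_to_8": expected_years(n, policy_size, rate, max_length=8),
    }


if __name__ == "__main__":
    full_policy = list(CLASSES.keys())
    # Constructed samples: the strings discussed in the thread plus an 8-character
    # "complex" one for comparison.
    for pw in ["aaaaaaaaaaaa", "0987654321aaaaaa", "P@ssw0rd",
               "Horses like 2 fly, like bugs like to be stepped on!"]:
        r = report(pw, full_policy, OFFLINE_RATE)
        print(f"{pw!r:55} len={r['length']:2d} "
              f"bits(typed/policy)={r['bits_as_typed']:5.1f}/{r['bits_under_policy']:5.1f} "
              f"years offline(typed/policy/trunc8)="
              f"{r['years_as_typed']:.3g}/{r['years_under_policy']:.3g}/"
              f"{r['years_if_truncated_to_8']:.3g}")
```

Twenty lowercase letters (about 94 bits) out-search eight characters drawn from all 95 printable ASCII (about 52.6 bits) by a wide margin, which is the whole of the length-over-complexity argument. The absolute years depend entirely on the assumed rate and on whether the hash is slow and salted, so treat calculator output as a ranking, not a prediction; and none of it helps if the system silently truncates to 8 characters.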

At 11:00 AM 8/11/2011, Kennedy, Jim wrote:

Good point, I just got phished.
 
From: Gary Slinger [mailto:gary.slin...@gmail.com]
Sent: Thursday, August 11, 2011 10:57 AM
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords
 
It wasn't one of my current 'real' passwords. I'm not putting one of
those in on a site I don't know. 

________________________________

From: "Kennedy, Jim" <kennedy...@elyriaschools.org> 
Date: Thu, 11 Aug 2011 10:46:08 -0400
To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
ReplyTo: "NT System Admin Issues"
<ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Almost, but not quite OT: Passwords
 
Buwhahahah.... 124 thousand years.
 
From: Gary Slinger [mailto:gary.slin...@gmail.com]
Sent: Thursday, August 11, 2011 10:45 AM
To: NT System Admin Issues
Subject: Re: Almost, but not quite OT: Passwords
 
With one special character, 15 years. Without it, 4 days. Interesting. 

________________________________

From: "Martin Blackstone" <mblackst...@gmail.com> 
Date: Thu, 11 Aug 2011 07:19:59 -0700
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
ReplyTo: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Almost, but not quite OT: Passwords
 
I got one year.
 
From: Shauna Hensala [mailto:she...@msn.com]
Sent: Thursday, August 11, 2011 7:16 AM
To: NT System Admin Issues
Subject: RE: Almost, but not quite OT: Passwords
 
Have your users go here:  http://www.howsecureismypassword.net/
and enter their password to see how long it would take to crack.  A fun
little exercise.

Shauna Hensala

________________________________

From: webs...@carlwebster.com
To: ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Almost, but not quite OT: Passwords
Date: Thu, 11 Aug 2011 13:43:08 +0000
I changed my bed linens at the beginning of each semester whether they
needed changing or not. :)
 
 
Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com
 
 
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Thursday, August 11, 2011 8:32 AM
To: NT System Admin Issues
Subject: RE: Almost, but not quite OT: Passwords
 
nice. 
 
Reminds me of an old roommate, "I clean the shower every six months
whether it needs it or not."

Sent from my Palm Pre on the Now Network from Sprint
 

________________________________

On Aug 11, 2011 7:42 AM, Webster <webs...@carlwebster.com> wrote: 
I change my passwords religiously every 7 years.
 
Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com
 
 
From: Gasper, Rick [mailto:rickgas...@kings.edu]
Subject: RE: Almost, but not quite OT: Passwords
 
Crap...I now have to change my password again...
 
From: Jon Harris [mailto:jk.har...@gmail.com]
Subject: Re: Almost, but not quite OT: Passwords
 
If the in-house team ever got around to it, both could be kept happy by
using something like "Horses like 2 fly, like bugs like to be stepped
on!" Complex and easy to remember. How long would that take for a
brute force attack or a dictionary attack to get the password?
 
FYI that is NOT one of my passwords!
 
Jon
On Wed, Aug 10, 2011 at 6:10 PM, Webster <webs...@carlwebster.com>
wrote:
Because the security team and or auditor are simply following a check
list.  Complex passwords required - check.  My job is done.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> >  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin