Sunday, October 10, 1993
Last week, many of us at the company where I work were astonished to receive
an e-mail message from our parent company's legal department asking everyone
to send them all the passwords everyone had used on our LAN servers since
January, 1991, except for current passwords. Fortunately, it was shortly
revealed that this did not apply to our division, but not before I had sent
back a reply telling the person in the legal department how dangerous I
thought this was.
Later we found out at a company meeting that another division in our family of
companies is being sued because of some possibly suspicious stock trading, and
our legal department wants to make sure that it can get at any records on
their network servers. I, of course, suspect that they are being
spectacularly ignorant of how little use the password lists would be to them
and the security risks involved with having lists of individual passwords
lying around in plaintext form. Even though none of the passwords should be
current, my experience suggests that many people stick to certain themes and
patterns for passwords, especially when password aging is used, as it is on
our servers. Our passwords expire every 40 days, which means that everyone
working at our company since January 1991 has gone through 25 passwords by
now, giving any crackers a sizable database to extrapolate from. And of
course, everyone will probably send their password lists by e-mail, giving
crackers an easy opportunity to intercept such lists. [stevev@miser.uoregon.edu (Steve VanDevender) via risks-digest Volume 15, Issue 11]
Maximillian Dornseif, 2002.