
posted by cmn32480 on Thursday May 17 2018, @04:12PM
from the check-the-code-on-my-luggage dept.

Submitted via IRC for Fnord666

A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones.

The study focuses on a new rule, added in the 2017 edition of the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords.

The NIST recommendation was that websites check whether a user's supplied password has been compromised before, by checking whether the password appears in previously published breach data.

If the password appears in a previous breach, the website is to treat it as insecure, because all of these exposed passwords have most likely been added to even the most basic password-guessing and brute-forcing tools.
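The breach-list check that the NIST rule describes, as an added example that is not part of the original story or the study: both sides of the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the password's SHA-1, the server returns every matching hash suffix with its breach count, and the client compares the suffix locally). The breach corpus, its counts and the in-process fetch function are constructed stand-ins, not HIBP data.

```python
import hashlib

# Constructed breach corpus standing in for the Pwned Passwords list:
# widely published weak passwords with made-up counts, not HIBP or study data.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3730471,
    "123456": 23597311,
    "qwerty": 3912816,
    "letmein": 235000,
}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the key form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Server side: bucket every hash by its first five hex digits.
    Each bucket maps the remaining 35-character suffix to its breach count."""
    index = {}
    for pwd, count in corpus.items():
        h = sha1_hex(pwd)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index

def range_response(index: dict, prefix: str) -> str:
    """Server side: body of GET /range/{prefix}, one 'SUFFIX:COUNT' per line.
    The server only ever sees the 5-character prefix, never the full hash."""
    bucket = index.get(prefix.upper(), {})
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))

def parse_range_response(body: str) -> dict:
    """Client side: turn the response body into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.split(":", 1)
            counts[suffix.strip().upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Client side: send only the prefix, match the full suffix locally.
    fetch_range(prefix) returns a response body; 0 means not seen in a breach."""
    h = sha1_hex(password)
    return parse_range_response(fetch_range(h[:5])).get(h[5:], 0)

def is_pwned(password: str, fetch_range) -> bool:
    """NIST-style rejection rule: any prior exposure disqualifies the password."""
    return breach_count(password, fetch_range) > 0
```

For an offline run, build the index with `build_range_index(CONSTRUCTED_BREACH_CORPUS)` and pass `lambda p: range_response(index, p)` as `fetch_range`; in a real deployment `fetch_range` would instead issue an HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>` and return the body.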

Researchers from the Asia Pacific College (APC) took the email addresses associated with their students' school accounts, checked whether the students' passwords had been leaked in previous breaches, and correlated the results with the students' GPA (grade point average).

All data such as names and passwords were hashed to protect students' privacy and personal information. Researchers checked students' passwords against a massive list of over 320 million passwords exposed in previous breaches and collected by Australian security researcher Troy Hunt, maintainer of the Have I Been Pwned service.

The results showed similar percentages of students across the GPA spectrum using previously exposed passwords, which are considered weak passwords and a big no-no in NIST's eyes.

Percentages varied from 12.82% to 19.83%, an inconclusive spread that does not show a clear difference between the password practices of "smarter" students and the rest.

Source: https://www.bleepingcomputer.com/news/security/smarter-people-don-t-have-better-passwords-study-finds/


  • (Score: 2) by Snotnose on Thursday May 17 2018, @07:05PM (3 children)

    by Snotnose (1623) on Thursday May 17 2018, @07:05PM (#680839)

    When I was a sysadmin (15-20 people on a Linux network some 15 years ago) I ran a password cracker overnight. When a password popped out I sent them an email telling them the password and asking them to change it (under penalty of me changing it for them). There were 2-3 people whose names always popped out, even after I told them I was running this cracker every night.

    Did I inform management? Yeah. Did anything get done? Nope. Why? Because my immediate manager was one of those 2-3 people.

    Ended up biting them in the ass too. Time came to do a demo for who was to be our biggest customer, they refused to let our box on their network because the default root password was "password", and the marketing droids didn't know how to change it. No network, no demo. Marketing made us change the root password to our company name (not kidding, they were clueless), ignored my advice to have a better password, or at least cApiTaliZe it differently for different customers. No go.

    Company went bankrupt before they could get a second chip spin (too bad, it was good tech) and the biggest potential customer bought all the IP out of bankruptcy.

    Note 1) The cracker took about a week to complete, I only let it run nights and weekends and automatically restarted when it was done.
    Note 2) One of the offenders was a hoot. His passwords were various ways to swear at the world at large, and me in particular. He was a great guy and I hated to see him move away.

    --
    When the dust settled America realized it was saved by a porn star.
  • (Score: 2) by frojack on Thursday May 17 2018, @07:19PM (2 children)

    by frojack (1554) on Thursday May 17 2018, @07:19PM (#680846) Journal

    Actually, you are lucky you remained employed there long enough to run the cracker a second time.
    What you did was probably a crime, even back then. It would have been a crime in the State I was located in at that time.

    That a cracker can crack a password does not necessarily make it a bad password, it just means you have too much time at your disposal.
    Firing offense at the least.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by Snotnose on Thursday May 17 2018, @08:25PM (1 child)

      by Snotnose (1623) on Thursday May 17 2018, @08:25PM (#680870)

      First off, I was the sysadmin with responsibility to keep the network running and safe. Second, management knew I was running it.

      --
      When the dust settled America realized it was saved by a porn star.
      • (Score: 0) by Anonymous Coward on Friday May 18 2018, @12:02AM

        by Anonymous Coward on Friday May 18 2018, @12:02AM (#680937)

        And third, it's only illegal if you gain unauthorized access. Simply cracking a password isn't illegal. Using it without permission is.