RE: Where are Windows "Enforce password history" passwords stored?

From: Nick Duda (nduda@VistaPrint.com)
Date: Wed Aug 31 2005 - 07:21:55 EDT


I agree...having access to past passwords is a big gain. Consider the
following, an employee uses the following password scheme, Password1,
Password2, Password3, Password4 and the current password is Password5.
I'll bet you I know what the next password will be.

- Nick

-----Original Message-----
From: Wil.Allsopp@ins.com [mailto:Wil.Allsopp@ins.com]
Sent: Tuesday, August 30, 2005 4:59 PM
To: pen-test@securityfocus.com
Subject: RE: Where are Windows "Enforce password history" passwords
stored?

James Leighe [jamesleighe@gmail.com] wrote:

>It's stored as a hash, so if you find out how to access them, you
>would have to crack it. So basically, it's not worth the time when an
>attacker could just go for the current password.

This shows a fundamental misunderstanding of security as well as the way
hackers think. There are many advantages for an attacker to have your
previous passwords - passwords are reused and some may be current on
peripheral or entirely separate systems.

Wil


