Thread: Re: Really bad passwords.




Re: Really bad passwords.
United States
2008-01-08 21:07:20
Thanks.  While you are at it you might also check for using the domain name (without the extension) as well.  For example fidosomedomain.com with password "somedomain".  I have a feeling we have some of these too and they would be just as easily cracked.

We DO have the g_create_strict option set.

I set the range from 6 to 24 characters.  BUT when I just did a test setting up an account with the name "info" and password "info" it sailed right through.  Is it possible something is broken here?

I guess I knew that the test_weak was there even though it is not listed as a command in the tellmail help (maybe an update needed in the help?)

The results were pretty ugly.  I have to ask what do you probe for on 10 tries and 23 tries.  Because a bunch failed at either 10 or 23.

At 01:13 PM 1/8/2008, Support ChrisP wrote:
>Orin Wells wrote:
>>Is there a way to prevent an account from being set up with the password defined as the user name?  For example, fidosomedomain.com with password fido.
>
>No, we will add this to part of the g_create_strict checking in the next build. If you don't have that setting then it would be worth adding it now
>         g_create_strict "true"
>
>In the meantime there is a tool you can use to help find accounts with bad passwords and it will find this type of bad password:
>                 tellmail test_weak
>
>ChrisP.



Re: Really bad passwords.
New Zealand
2008-01-09 17:08:50
Orin Wells wrote:
> Thanks.  While you are at it you might also check for using the domain name (without the extension) as well.  For example fidosomedomain.com with password "somedomain".  I have a feeling we have some of these too and they would be just as easily cracked.
>
> We DO have the g_create_strict option set.
>
> I set the range from 6 to 24 characters.  BUT when I just did a test setting up an account with the name "info" and password "info" it sailed right through.  Is it possible something is broken here?

Did you set 'admin=true' or not, if not then the rule doesn't apply to you but only to users.

>
> I guess I knew that the test_weak was there even though it is not listed as a command in the tellmail help (maybe an update needed in the help?)
>
> The results were pretty ugly.  I have to ask what do you probe for on 10 tries and 23 tries.  Because a bunch failed at either 10 or 23.

LOL, 10 = "password" and 23 = "the account name"

We made the output deliberately vague as it seemed wrong to actually display the user's password even if it was obvious.

	ChrisP.
>
> At 01:13 PM 1/8/2008, Support ChrisP wrote:
>> Orin Wells wrote:
>>> Is there a way to prevent an account from being set up with the password defined as the user name?  For example, fidosomedomain.com with password fido.
>>
>> No, we will add this to part of the g_create_strict checking in the next build. If you don't have that setting then it would be worth adding it now
>>         g_create_strict "true"
>>
>> In the meantime there is a tool you can use to help find accounts with bad passwords and it will find this type of bad password:
>>                 tellmail test_weak
>>
>> ChrisP.
> 
> 
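
An added illustration of the checks discussed in this thread (not the mail server's own code, and not how g_create_strict or tellmail test_weak is implemented): a creation-time check and a stored-hash audit that catch a password equal to the account name, the domain name without its extension, or "password", and that report only which rule matched. The local@domain address format, the PBKDF2 storage, the rule names and the sample accounts are assumptions constructed for the example; the 6 to 24 length range is the one mentioned above.

```python
import hashlib
import hmac

def derived_candidates(address):
    """(rule, candidate) pairs that can be derived from the address alone."""
    local, _, domain = address.lower().partition("@")
    label = domain.rsplit(".", 1)[0]  # "somedomain.com" -> "somedomain" (last suffix only)
    return [("literal-password", "password"),
            ("account-name", local),
            ("domain-name", label)]

def creation_check(address, password, min_len=6, max_len=24):
    """Creation-time check: return a rejection reason, or None if acceptable."""
    if not min_len <= len(password) <= max_len:
        return "length"
    for rule, candidate in derived_candidates(address):
        if candidate and password.lower() == candidate:
            return rule
    return None

def hash_password(password, salt):
    # Assumed storage scheme for this example: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def audit(accounts):
    """Audit stored hashes; report the matching rule only, never the password.
    Only the lowercase form of each candidate is tried."""
    findings = {}
    for address, (salt, stored) in accounts.items():
        for rule, candidate in derived_candidates(address):
            if candidate and hmac.compare_digest(hash_password(candidate, salt), stored):
                findings[address] = rule
                break
    return findings

# Constructed sample accounts (hypothetical, not taken from any real server).
SAMPLE = {
    addr: (salt, hash_password(pw, salt))
    for addr, pw, salt in [
        ("fido@somedomain.com", "fido", b"salt-1"),
        ("info@somedomain.com", "somedomain", b"salt-2"),
        ("sales@somedomain.com", "password", b"salt-3"),
        ("orin@somedomain.com", "c7!Rk2#vLq9", b"salt-4"),
    ]
}

if __name__ == "__main__":
    for address, rule in audit(SAMPLE).items():
        print(f"{address}: weak ({rule})")
```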

