School performs periodic password audits. Is my password compromised?
My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext. My question:
- Is my understanding wrong, or has my university been storing my password in plaintext?
password-management
asked 6 hours ago
Gary Blake
Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.
– TurkuSama
5 hours ago
1
Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?
– DarkMatter
5 hours ago
It's a strong password, but doesn't have any numbers, I am assuming that's why they are flagging it as weak.
– Gary Blake
5 hours ago
How many characters is it? Does it use any English words? Have you reused it for anything else?
– DarkMatter
5 hours ago
1
could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)
– DarkMatter
5 hours ago
4 Answers
Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.
You give them your password as plaintext every time that you log on.
They may have used one of your login attempts to check if your password is secure.
However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.
And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.
And while you're talking to the university's IT department, ask them about 2-factor authentication.
answered 5 hours ago
Ghedipunk
You give them your password as plaintext every time that you log on
- uhh, can you explain that? It's hard for me to imagine a scenario where this is the case.
– DKNUCKLES
8 mins ago
There are a few assumptions that need to be made here, but I would imagine that the university password you refer to is the password to an Active Directory account. Active Directory passwords deal with passwords in an NTLM hashing format, which are not salted. With this in mind, the same password in different environments will have the same hashed value.
Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory with hashes that appear many times in the aforementioned data.
While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.
answered 5 hours ago
DKNUCKLES
Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.
answered 5 hours ago
Mike Scott
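The audit described in the two answers above (unsalted hashes matched against a list of known hashes, versus a salted store where the list has to be rehashed for each user), as an added example that is not part of the original answers. It assumes unsalted SHA-1 as a stand-in for an unsalted scheme and PBKDF2 for the salted one; the accounts, wordlist and function names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data: a tiny "commonly used passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "sunshine"]

# Constructed accounts. Only used to build the stores; the audit never sees these.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "qwerty",
    "carol": "vN7#kq2!Lw9zTq-fR4x",  # not on the list
    "dave": "password",               # same password as alice
}

PBKDF2_ITERATIONS = 1000  # low so the demo is fast; real stores use far more


def unsalted_hash(password: str) -> str:
    """Unsalted digest: the same password gives the same value everywhere."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated digest: the value depends on the per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def build_stores(users: dict[str, str]):
    """Create what the server would hold: digests only, never the plaintext."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {}
    for user, password in users.items():
        salt = os.urandom(16)
        salted[user] = (salt, salted_hash(password, salt))
    return unsalted, salted


def audit_unsalted(stored: dict[str, str], wordlist: list[str]):
    """Hash the wordlist once; every account is then a set lookup."""
    known = {unsalted_hash(w) for w in wordlist}
    hash_ops = len(wordlist)
    flagged = {user for user, digest in stored.items() if digest in known}
    return flagged, hash_ops


def audit_salted(stored: dict[str, tuple[bytes, bytes]], wordlist: list[str]):
    """The wordlist must be rehashed with each user's salt."""
    flagged = set()
    hash_ops = 0
    for user, (salt, digest) in stored.items():
        for candidate in wordlist:
            hash_ops += 1
            if hmac.compare_digest(salted_hash(candidate, salt), digest):
                flagged.add(user)
                break  # this account is on the list; move to the next one
    return flagged, hash_ops


def run_demo():
    unsalted, salted = build_stores(SAMPLE_USERS)
    flagged_u, ops_u = audit_unsalted(unsalted, COMMON_PASSWORDS)
    flagged_s, ops_s = audit_salted(salted, COMMON_PASSWORDS)
    return {
        "flagged_unsalted": flagged_u,
        "flagged_salted": flagged_s,
        "ops_unsalted": ops_u,
        "ops_salted": ops_s,
        # Without a salt, identical passwords are visible as identical digests.
        "unsalted_reuse_visible": unsalted["alice"] == unsalted["dave"],
        "salted_reuse_visible": salted["alice"][1] == salted["dave"][1],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both audits flag the same accounts without any stored plaintext; the difference is the work, which grows with the number of users only in the salted case.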
As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.
Actually, there is: cracking.
There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.
To quote this article about John the Ripper:
How you decide to use John is up to you. You may choose to run it on
all the password hashes on your system regularly to get an idea of
what proportion of your users' passwords are insecure. You could then
consider how you could change your password policies to reduce that
proportion (perhaps by increasing the minimum length.) You may prefer
to contact users with weak passwords and ask them to change them. Or
you may decide that the problem warrants some sort of user education
program to help them select more secure passwords that they can
remember without having to write them down.
answered 4 hours ago
gowenfawr