School performs periodic password audits. Is my password compromised?How should I respond to poor password...

Should we avoid writing fiction about historical events without extensive research?

What is the meaning of "notice to quit at once" and "Lotty points”

The need of reserving one's ability in job interviews

Find maximum of the output from reduce

PTIJ: Is all laundering forbidden during the 9 days?

Why would the IRS ask for birth certificates or even audit a small tax return?

Is there a frame of reference in which I was born before I was conceived?

Book about a time-travel war fought by computers

function only contains jump discontinuity but is not piecewise continuous

Being asked to review a paper in conference one has submitted to

Lock enemy's y-axis when using Vector3.MoveTowards to follow the player

is 'sed' thread safe

Are there other characters in the Star Wars universe who had damaged bodies and needed to wear an outfit like Darth Vader?

PTIJ: Mordechai mourning

Specific Chinese carabiner QA?

Is there a way to find out the age of climbing ropes?

“I had a flat in the centre of town, but I didn’t like living there, so …”

Is every open circuit a capacitor?

Wardrobe above a wall with fuse boxes

I can't die. Who am I?

Can a Trickery Domain cleric cast a spell through the Invoke Duplicity clone while inside a Forcecage?

How does signal strength relate to bandwidth?

How to get the first element while continue streaming?

Did Amazon pay $0 in taxes last year?



School performs periodic password audits. Is my password compromised?


How should I respond to poor password security?Should I change the password of my password manager regularly?Should I inform a random person on the internet that their data may be compromised?password strength audits and mitigationsIf I enter a password on the wrong site, should I consider it compromised?How can a weak root password be compromised?Password manager login with compromised certificatesHow could Firefox password manager talk to Chrome password manager?Can password based SSO be trivially compromised?Using password manager along with a remembered password













58















My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext. My question:




  • Is my understanding wrong, or has my university been storing my password in plaintext?


UPDATE: The school IT department linked me to a page explaining the various ways they check passwords. Part of the page allowed me to run the tests on my university account and display the password if it was indeed discovered from their tests. The password it displayed was an older (weaker) password of mine that was simply English words separated by spaces, which explains how they were able to find it. Thank you to all who answered.










share|improve this question









New contributor




Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 20





    Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.

    – TurkuSama
    yesterday






  • 18





    Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?

    – DarkMatter
    yesterday








  • 4





    could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)

    – DarkMatter
    yesterday






  • 2





    I've already changed the password, so I might as well tell the format. It followed that XKCD format with english words separated by special characters.

    – Gary Blake
    yesterday






  • 3





    Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.

    – user3067860
    10 hours ago
















58















My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext. My question:




  • Is my understanding wrong, or has my university been storing my password in plaintext?


UPDATE: The school IT department linked me to a page explaining the various ways they check passwords. Part of the page allowed me to run the tests on my university account and display the password if it was indeed discovered from their tests. The password it displayed was an older (weaker) password of mine that was simply English words separated by spaces, which explains how they were able to find it. Thank you to all who answered.










share|improve this question









New contributor




Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 20





    Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.

    – TurkuSama
    yesterday






  • 18





    Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?

    – DarkMatter
    yesterday








  • 4





    could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)

    – DarkMatter
    yesterday






  • 2





    I've already changed the password, so I might as well tell the format. It followed that XKCD format with english words separated by special characters.

    – Gary Blake
    yesterday






  • 3





    Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.

    – user3067860
    10 hours ago














58












58








58


4






My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext. My question:




  • Is my understanding wrong, or has my university been storing my password in plaintext?


UPDATE: The school IT department linked me to a page explaining the various ways they check passwords. Part of the page allowed me to run the tests on my university account and display the password if it was indeed discovered from their tests. The password it displayed was an older (weaker) password of mine that was simply English words separated by spaces, which explains how they were able to find it. Thank you to all who answered.










share|improve this question









New contributor




Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext. My question:




  • Is my understanding wrong, or has my university been storing my password in plaintext?


UPDATE: The school IT department linked me to a page explaining the various ways they check passwords. Part of the page allowed me to run the tests on my university account and display the password if it was indeed discovered from their tests. The password it displayed was an older (weaker) password of mine that was simply English words separated by spaces, which explains how they were able to find it. Thank you to all who answered.







password-management






share|improve this question









New contributor




Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 14 hours ago







Gary Blake













New contributor




Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









Gary BlakeGary Blake

33827




33827




New contributor




Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Gary Blake is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 20





    Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.

    – TurkuSama
    yesterday






  • 18





    Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?

    – DarkMatter
    yesterday








  • 4





    could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)

    – DarkMatter
    yesterday






  • 2





    I've already changed the password, so I might as well tell the format. It followed that XKCD format with english words separated by special characters.

    – Gary Blake
    yesterday






  • 3





    Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.

    – user3067860
    10 hours ago














  • 20





    Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.

    – TurkuSama
    yesterday






  • 18





    Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?

    – DarkMatter
    yesterday








  • 4





    could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)

    – DarkMatter
    yesterday






  • 2





    I've already changed the password, so I might as well tell the format. It followed that XKCD format with english words separated by special characters.

    – Gary Blake
    yesterday






  • 3





    Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.

    – user3067860
    10 hours ago








20




20





Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.

– TurkuSama
yesterday





Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.

– TurkuSama
yesterday




18




18





Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?

– DarkMatter
yesterday







Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?

– DarkMatter
yesterday






4




4





could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)

– DarkMatter
yesterday





could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)

– DarkMatter
yesterday




2




2





I've already changed the password, so I might as well tell the format. It followed that XKCD format with english words separated by special characters.

– Gary Blake
yesterday





I've already changed the password, so I might as well tell the format. It followed that XKCD format with english words separated by special characters.

– Gary Blake
yesterday




3




3





Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.

– user3067860
10 hours ago





Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.

– user3067860
10 hours ago










5 Answers
5






active

oldest

votes


















102














Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.






share|improve this answer



















  • 1





    The phrase to search for if you want to know more about this technique is “rainbow tables”.

    – Robin Whittleton
    yesterday






  • 31





    @RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.

    – forest
    23 hours ago








  • 2





    @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.

    – kasperd
    22 hours ago






  • 3





    @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.

    – forest
    22 hours ago








  • 1





    @forest Exactly my point.

    – kasperd
    22 hours ago



















27















As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.




Actually, there is: cracking.



There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.



To quote this article about John the Ripper:




How you decide to use John is up to you. You may choose to run it on
all the password hashes on your system regularly to get an idea of
what proportion of your users' passwords are insecure. You could then
consider how you could change your password policies to reduce that
proportion (perhaps by increasing the minimum length.) You may prefer
to contact users with weak passwords and ask them to change them.
Or
you may decide that the problem warrants some sort of user education
program to help them select more secure passwords that they can
remember without having to write them down.







share|improve this answer































    23














    Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.



    You give them your password as plaintext every time that you log on.



    If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.



    They can also check the password strength when you're logging in if they are using a single-sign-on service.



    However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.



    And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.



    And while you're talking to the university's IT department, ask them about 2-factor authentication.






    share|improve this answer





















    • 26





      You give them your password as plaintext every time that you log on - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits.

      – DKNUCKLES
      yesterday








    • 2





      @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)

      – Loren Pechtel
      yesterday






    • 4





      @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.

      – DKNUCKLES
      yesterday








    • 9





      @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.

      – Loren Pechtel
      yesterday






    • 4





      If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.

      – Gremlin
      15 hours ago



















    14














    There are a few assumptions that need to be made here, but what I would imagine that University Password that you refer to, is the password to an Active Directory account. Active Directory passwords deal with passwords in an NTLM hashing format, which are not salted. With this in mind, the same password in different environments will have the same hashed value.



    Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 Million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory, with hashes that appear many times in the aforementioned data.



    While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.






    share|improve this answer































      -6














      Passwords are not stored in plain text and as a practice it should be encrypted and stored in whatever ways technically. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.






      share|improve this answer










      New contributor




      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.
















      • 2





        I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".

        – Captain Man
        12 hours ago













      • 1: Define '"security band compliance'. 2: "various technical algorithms" has no meaning. 3: Hint; You can delete your question.

        – zaph
        4 hours ago













      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      Gary Blake is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204777%2fschool-performs-periodic-password-audits-is-my-password-compromised%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      5 Answers
      5






      active

      oldest

      votes








      5 Answers
      5






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      102














      Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.






      share|improve this answer



















      • 1





        The phrase to search for if you want to know more about this technique is “rainbow tables”.

        – Robin Whittleton
        yesterday






      • 31





        @RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.

        – forest
        23 hours ago








      • 2





        @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.

        – kasperd
        22 hours ago






      • 3





        @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.

        – forest
        22 hours ago








      • 1





        @forest Exactly my point.

        – kasperd
        22 hours ago
















      102














      Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.






      share|improve this answer



















      • 1





        The phrase to search for if you want to know more about this technique is “rainbow tables”.

        – Robin Whittleton
        yesterday






      • 31





        @RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.

        – forest
        23 hours ago








      • 2





        @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.

        – kasperd
        22 hours ago






      • 3





        @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.

        – forest
        22 hours ago








      • 1





        @forest Exactly my point.

        – kasperd
        22 hours ago














      102












      102








      102







      Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.






      share|improve this answer













      Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered yesterday









      Mike ScottMike Scott

      8,04612231




      8,04612231








      • 1





        The phrase to search for if you want to know more about this technique is “rainbow tables”.

        – Robin Whittleton
        yesterday






      • 31





        @RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.

        – forest
        23 hours ago








      • 2





        @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.

        – kasperd
        22 hours ago






      • 3





        @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.

        – forest
        22 hours ago








      • 1





        @forest Exactly my point.

        – kasperd
        22 hours ago














      • 1





        The phrase to search for if you want to know more about this technique is “rainbow tables”.

        – Robin Whittleton
        yesterday






      • 31





        @RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.

        – forest
        23 hours ago








      • 2





        @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.

        – kasperd
        22 hours ago






      • 3





        @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.

        – forest
        22 hours ago








      • 1





        @forest Exactly my point.

        – kasperd
        22 hours ago








      1




      1





      The phrase to search for if you want to know more about this technique is “rainbow tables”.

      – Robin Whittleton
      yesterday





      The phrase to search for if you want to know more about this technique is “rainbow tables”.

      – Robin Whittleton
      yesterday




      31




      31





      @RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.

      – forest
      23 hours ago







      @RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.

      – forest
      23 hours ago






      2




      2





      @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.

      – kasperd
      22 hours ago





      @forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.

      – kasperd
      22 hours ago




      3




      3





      @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.

      – forest
      22 hours ago







      @kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.

      – forest
      22 hours ago






      1




      1





      @forest Exactly my point.

      – kasperd
      22 hours ago





      @forest Exactly my point.

      – kasperd
      22 hours ago













      27















      As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.




      Actually, there is: cracking.



      There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.



      To quote this article about John the Ripper:




      How you decide to use John is up to you. You may choose to run it on
      all the password hashes on your system regularly to get an idea of
      what proportion of your users' passwords are insecure. You could then
      consider how you could change your password policies to reduce that
      proportion (perhaps by increasing the minimum length.) You may prefer
      to contact users with weak passwords and ask them to change them.
      Or
      you may decide that the problem warrants some sort of user education
      program to help them select more secure passwords that they can
      remember without having to write them down.







      share|improve this answer




























        27















        As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.




        Actually, there is: cracking.



        There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.



        To quote this article about John the Ripper:




        How you decide to use John is up to you. You may choose to run it on
        all the password hashes on your system regularly to get an idea of
        what proportion of your users' passwords are insecure. You could then
        consider how you could change your password policies to reduce that
        proportion (perhaps by increasing the minimum length.) You may prefer
        to contact users with weak passwords and ask them to change them.
        Or
        you may decide that the problem warrants some sort of user education
        program to help them select more secure passwords that they can
        remember without having to write them down.







        share|improve this answer


























          27












          27








          27








          As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.




          Actually, there is: cracking.



          There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.



          To quote this article about John the Ripper:




          How you decide to use John is up to you. You may choose to run it on
          all the password hashes on your system regularly to get an idea of
          what proportion of your users' passwords are insecure. You could then
          consider how you could change your password policies to reduce that
          proportion (perhaps by increasing the minimum length.) You may prefer
          to contact users with weak passwords and ask them to change them.
          Or
          you may decide that the problem warrants some sort of user education
          program to help them select more secure passwords that they can
          remember without having to write them down.







          share|improve this answer














          As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.




          Actually, there is: cracking.



          There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.



          To quote this article about John the Ripper:




          How you decide to use John is up to you. You may choose to run it on
          all the password hashes on your system regularly to get an idea of
          what proportion of your users' passwords are insecure. You could then
          consider how you could change your password policies to reduce that
          proportion (perhaps by increasing the minimum length.) You may prefer
          to contact users with weak passwords and ask them to change them.
          Or
          you may decide that the problem warrants some sort of user education
          program to help them select more secure passwords that they can
          remember without having to write them down.








          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered yesterday









          gowenfawrgowenfawr

          53.2k11114159




          53.2k11114159























              23














              Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.



              You give them your password as plaintext every time that you log on.



              If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.



              They can also check the password strength when you're logging in if they are using a single-sign-on service.



              However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.



              And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.



              And while you're talking to the university's IT department, ask them about 2-factor authentication.






              share|improve this answer





















              • 26





                You give them your password as plaintext every time that you log on - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits.

                – DKNUCKLES
                yesterday








              • 2





                @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)

                – Loren Pechtel
                yesterday






              • 4





                @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.

                – DKNUCKLES
                yesterday








              • 9





                @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.

                – Loren Pechtel
                yesterday






              • 4





                If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.

                – Gremlin
                15 hours ago
















              23














              Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.



              You give them your password as plaintext every time that you log on.



              If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.



              They can also check the password strength when you're logging in if they are using a single-sign-on service.



              However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.



              And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.



              And while you're talking to the university's IT department, ask them about 2-factor authentication.






              share|improve this answer





















              • 26





                You give them your password as plaintext every time that you log on - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits.

                – DKNUCKLES
                yesterday








              • 2





                @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)

                – Loren Pechtel
                yesterday






              • 4





                @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.

                – DKNUCKLES
                yesterday








              • 9





                @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.

                – Loren Pechtel
                yesterday






              • 4





                If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.

                – Gremlin
                15 hours ago














              23












              23








              23







              Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.



              You give them your password as plaintext every time that you log on.



              If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.



              They can also check the password strength when you're logging in if they are using a single-sign-on service.



              However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.



              And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.



              And while you're talking to the university's IT department, ask them about 2-factor authentication.






              share|improve this answer















              Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.



              You give them your password as plaintext every time that you log on.



              If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.



              They can also check the password strength when you're logging in if they are using a single-sign-on service.



              However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.



              And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.



              And while you're talking to the university's IT department, ask them about 2-factor authentication.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited 11 hours ago

























              answered yesterday









              GhedipunkGhedipunk

              813414




              813414








              • 26





                You give them your password as plaintext every time that you log on - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits.

                – DKNUCKLES
                yesterday








              • 2





                @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)

                – Loren Pechtel
                yesterday






              • 4





                @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.

                – DKNUCKLES
                yesterday








              • 9





                @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.

                – Loren Pechtel
                yesterday






              • 4





                If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.

                – Gremlin
                15 hours ago














              • 26





                You give them your password as plaintext every time that you log on - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits.

                – DKNUCKLES
                yesterday








              • 2





                @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)

                – Loren Pechtel
                yesterday






              • 4





                @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.

                – DKNUCKLES
                yesterday








              • 9





                @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.

                – Loren Pechtel
                yesterday






              • 4





                If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.

                – Gremlin
                15 hours ago








              26




              26





              You give them your password as plaintext every time that you log on - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits.

              – DKNUCKLES
              yesterday







              You give them your password as plaintext every time that you log on - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app it's hard for me to imagine a scenario where this is how they've done password audits.

              – DKNUCKLES
              yesterday






              2




              2





              @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)

              – Loren Pechtel
              yesterday





              @DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)

              – Loren Pechtel
              yesterday




              4




              4





              @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.

              – DKNUCKLES
              yesterday







              @LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.

              – DKNUCKLES
              yesterday






              9




              9





              @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.

              – Loren Pechtel
              yesterday





              @DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.

              – Loren Pechtel
              yesterday




              4




              4





              If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.

              – Gremlin
              15 hours ago





              If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.

              – Gremlin
              15 hours ago











              14














              There are a few assumptions that need to be made here, but what I would imagine that University Password that you refer to, is the password to an Active Directory account. Active Directory passwords deal with passwords in an NTLM hashing format, which are not salted. With this in mind, the same password in different environments will have the same hashed value.



              Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 Million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory, with hashes that appear many times in the aforementioned data.



              While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.






              share|improve this answer




























                14














                There are a few assumptions that need to be made here, but what I would imagine that University Password that you refer to, is the password to an Active Directory account. Active Directory passwords deal with passwords in an NTLM hashing format, which are not salted. With this in mind, the same password in different environments will have the same hashed value.



                Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 Million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory, with hashes that appear many times in the aforementioned data.



                While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.






                share|improve this answer


























                  14












                  14








                  14







                  There are a few assumptions that need to be made here, but what I would imagine that University Password that you refer to, is the password to an Active Directory account. Active Directory passwords deal with passwords in an NTLM hashing format, which are not salted. With this in mind, the same password in different environments will have the same hashed value.



                  Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 Million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory, with hashes that appear many times in the aforementioned data.



                  While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.






                  share|improve this answer













                  There are a few assumptions that need to be made here, but what I would imagine that University Password that you refer to, is the password to an Active Directory account. Active Directory passwords deal with passwords in an NTLM hashing format, which are not salted. With this in mind, the same password in different environments will have the same hashed value.



                  Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 Million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory, with hashes that appear many times in the aforementioned data.



                  While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered yesterday









                  DKNUCKLESDKNUCKLES

                  8,29923147




                  8,29923147























                      -6














                      Passwords are not stored in plain text and as a practice it should be encrypted and stored in whatever ways technically. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.






                      share|improve this answer










                      New contributor




                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.
















                      • 2





                        I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".

                        – Captain Man
                        12 hours ago













                      • 1: Define '"security band compliance'. 2: "various technical algorithms" has no meaning. 3: Hint; You can delete your question.

                        – zaph
                        4 hours ago


















                      -6














                      Passwords are not stored in plain text and as a practice it should be encrypted and stored in whatever ways technically. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.






                      share|improve this answer










                      New contributor




                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.
















                      • 2





                        I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".

                        – Captain Man
                        12 hours ago













                      • 1: Define '"security band compliance'. 2: "various technical algorithms" has no meaning. 3: Hint; You can delete your question.

                        – zaph
                        4 hours ago
















                      -6












                      -6








                      -6







                      Passwords are not stored in plain text and as a practice it should be encrypted and stored in whatever ways technically. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.






                      share|improve this answer










                      New contributor




                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.










                      Passwords are not stored in plain text and as a practice it should be encrypted and stored in whatever ways technically. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.







                      share|improve this answer










                      New contributor




                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      share|improve this answer



                      share|improve this answer








                      edited 11 hours ago









                      schroeder

                      77.1k30171206




                      77.1k30171206






                      New contributor




                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      answered 15 hours ago









                      Atul KumarAtul Kumar

                      1




                      1




                      New contributor




                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





                      New contributor





                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      Atul Kumar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.








                      • 2





                        I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".

                        – Captain Man
                        12 hours ago













                      • 1: Define '"security band compliance'. 2: "various technical algorithms" has no meaning. 3: Hint; You can delete your question.

                        – zaph
                        4 hours ago
















                      • 2





                        I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".

                        – Captain Man
                        12 hours ago













                      • 1: Define '"security band compliance'. 2: "various technical algorithms" has no meaning. 3: Hint; You can delete your question.

                        – zaph
                        4 hours ago










                      2




                      2





                      I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".

                      – Captain Man
                      12 hours ago







                      I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".

                      – Captain Man
                      12 hours ago















                      1: Define '"security band compliance'. 2: "various technical algorithms" has no meaning. 3: Hint; You can delete your question.

                      – zaph
                      4 hours ago







                      1: Define '"security band compliance'. 2: "various technical algorithms" has no meaning. 3: Hint; You can delete your question.

                      – zaph
                      4 hours ago












                      Gary Blake is a new contributor. Be nice, and check out our Code of Conduct.










                      draft saved

                      draft discarded


















                      Gary Blake is a new contributor. Be nice, and check out our Code of Conduct.













                      Gary Blake is a new contributor. Be nice, and check out our Code of Conduct.












                      Gary Blake is a new contributor. Be nice, and check out our Code of Conduct.
















                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204777%2fschool-performs-periodic-password-audits-is-my-password-compromised%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      El tren de la libertad Índice Antecedentes "Porque yo decido" Desarrollo de la...

                      Castillo d'Acher Características Menú de navegación

                      Connecting two nodes from the same mother node horizontallyTikZ: What EXACTLY does the the |- notation for...