School performs periodic password audits. Is my password compromised?
My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext. My question:
- Is my understanding wrong, or has my university been storing my password in plaintext?
UPDATE: The school IT department linked me to a page explaining the various ways they check passwords. Part of the page allowed me to run the tests on my university account and display the password if it was indeed discovered from their tests. The password it displayed was an older (weaker) password of mine that was simply English words separated by spaces, which explains how they were able to find it. Thank you to all who answered.
password-management
asked yesterday by Gary Blake (new contributor), edited 14 hours ago
Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.
– TurkuSama, yesterday
Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?
– DarkMatter, yesterday
Could be easy for a dictionary attack depending on how it is constructed... but still it seems a little ambitious for your school's IT dept to be doing that :)
– DarkMatter, yesterday
I've already changed the password, so I might as well tell the format. It followed that XKCD format with English words separated by special characters.
– Gary Blake, yesterday
Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.
– user3067860, 10 hours ago
5 Answers
Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.
answered yesterday by Mike Scott
The phrase to search for if you want to know more about this technique is “rainbow tables”.
– Robin Whittleton, yesterday
@RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.
– forest, 23 hours ago
@forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.
– kasperd, 22 hours ago
@kasperd Yeah, in theory the reduction function could be a lookup table, but that would be extremely silly.
– forest, 22 hours ago
@forest Exactly my point.
– kasperd, 22 hours ago
As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.
Actually, there is: cracking.
There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.
To quote this article about John the Ripper:
How you decide to use John is up to you. You may choose to run it on
all the password hashes on your system regularly to get an idea of
what proportion of your users' passwords are insecure. You could then
consider how you could change your password policies to reduce that
proportion (perhaps by increasing the minimum length.) You may prefer
to contact users with weak passwords and ask them to change them. Or
you may decide that the problem warrants some sort of user education
program to help them select more secure passwords that they can
remember without having to write them down.
answered yesterday by gowenfawr
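The two answers above describe the same audit from two angles: hash every candidate on a list and compare it with what is stored, and note that an unsalted store lets you do that in a single pass while a salted store forces one pass per user. The following Python is an added illustration of those mechanics; it is not code from either answer, nor from John the Ripper or Hashcat, which are what an IT department would actually run. The account data, the seven-word dictionary and the "two words joined by a separator" rule are constructed for the example, and PBKDF2-HMAC-SHA256 with a deliberately low iteration count stands in for whatever hash the real system uses.

```python
import hashlib
import itertools
import os
from typing import Dict, Iterable, List, Tuple

# Constructed inputs for the example. A real audit wordlist (rockyou, Pwned
# Passwords, a campus-specific list) has millions of entries; the rule below
# shows why "dictionary words separated by spaces" falls to even a small one.
WORDS = ["correct", "horse", "battery", "staple", "purple", "monkey", "dishwasher"]
SEPARATORS = [" ", "-", ""]
ITERATIONS = 1_000  # deliberately low so the demo runs fast; production uses far more


def hash_salted(password: str, salt: bytes) -> bytes:
    """Per-user salted, iterated hash (PBKDF2-HMAC-SHA256 stands in for the real scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_unsalted(password: str) -> bytes:
    """Unsalted hash: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def candidates() -> List[str]:
    """Combinator rule: every ordered pair of dictionary words joined by a separator."""
    return [f"{w1}{sep}{w2}"
            for w1, w2 in itertools.permutations(WORDS, 2)
            for sep in SEPARATORS]


def audit_salted(store: Dict[str, Tuple[bytes, bytes]],
                 wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """store maps user -> (salt, digest). Each candidate must be re-hashed per user
    because the salt differs. Returns (user -> recovered password, hash computations)."""
    wordlist = list(wordlist)
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in store.items():
        for cand in wordlist:
            work += 1
            if hash_salted(cand, salt) == digest:
                cracked[user] = cand
                break
    return cracked, work


def audit_unsalted(store: Dict[str, bytes],
                   wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """store maps user -> digest. Hash every candidate once, then look every user up."""
    table: Dict[bytes, str] = {}
    work = 0
    for cand in wordlist:
        work += 1
        table[hash_unsalted(cand)] = cand
    cracked = {user: table[d] for user, d in store.items() if d in table}
    return cracked, work


def build_sample_stores() -> Tuple[Dict[str, Tuple[bytes, bytes]], Dict[str, bytes]]:
    """Constructed accounts; the plaintexts exist only to build the two stores."""
    plaintexts = {
        "alice": "correct horse",   # two dictionary words, space-separated
        "bob": "battery-staple",    # same pattern, different separator
        "carol": "correct horse",   # shares alice's password
        "dave": "qL7#vX2pT9!mRz",   # random, outside the rule's keyspace
    }
    salted, unsalted = {}, {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        salted[user] = (salt, hash_salted(pw, salt))
        unsalted[user] = hash_unsalted(pw)
    return salted, unsalted


if __name__ == "__main__":
    salted, unsalted = build_sample_stores()
    wordlist = candidates()
    found_s, work_s = audit_salted(salted, wordlist)
    found_u, work_u = audit_unsalted(unsalted, wordlist)
    print(f"{len(wordlist)} candidates")
    print(f"salted store:   cracked {sorted(found_s)} with {work_s} hash computations")
    print(f"unsalted store: cracked {sorted(found_u)} with {work_u} hash computations")
    # Unsalted digests leak password sharing even before any cracking is done.
    print("alice and carol share a password:", unsalted["alice"] == unsalted["carol"])
```

The salted audit recovers the same three weak passwords but has to spend one hash computation per (user, candidate) pair, and the random password costs a full pass of the wordlist for nothing; the unsalted audit pays for the wordlist once and then does dictionary lookups, and it also reveals that alice and carol share a password before a single candidate is tried. That cost asymmetry is the whole reason salts exist, and it is why an audit that "finds" a password quickly is not by itself proof of plaintext storage.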
Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.
You give them your password as plaintext every time that you log on.
If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.
They can also check the password strength when you're logging in if they are using a single-sign-on service.
However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.
And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: The one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.
And while you're talking to the university's IT department, ask them about 2-factor authentication.
“You give them your password as plaintext every time that you log on” - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app, it's hard for me to imagine a scenario where this is how they've done password audits.
– DKNUCKLES, yesterday
@DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bit more than once.)
– Loren Pechtel, yesterday
@LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.
– DKNUCKLES, yesterday
@DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.
– Loren Pechtel, yesterday
If there's a single sign on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.
– Gremlin, 15 hours ago
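The answer above, and Gremlin's comment, point out that the login service holds the plaintext for the duration of every authentication anyway, so it can grade the password at that moment without ever storing it. The Python below is an added example of that pattern (not code from the answer or from any university system). It verifies the stored salted hash, then checks the plaintext against a breach list using the k-anonymity scheme the Pwned Passwords range API uses (SHA-1, send only the first five hex characters, match the suffix locally) and persists nothing but a boolean flag. The account data, the breach entries and their counts are constructed, and `range_lookup` is an offline stand-in for the HTTP call so the example runs without network access.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

ITERATIONS = 1_000  # deliberately low for the demo


@dataclass
class Account:
    salt: bytes
    digest: bytes
    weak_password: bool = False  # the only thing the check persists; never the password


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS))


def verify(account: Account, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), account.salt, ITERATIONS)
    return hmac.compare_digest(digest, account.digest)


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords range endpoint
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>), which
# answers with "SUFFIX:COUNT" lines for every breached hash sharing that prefix.
# The two entries and their counts are illustrative, not the service's real data.
_RANGE_DB: Dict[str, List[str]] = {}
for _pw, _count in (("password", 1000), ("correct horse", 17)):
    _h = _sha1_upper(_pw)
    _RANGE_DB.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def range_lookup(prefix: str) -> List[str]:
    """Offline replacement for the HTTP range call; same response shape."""
    return _RANGE_DB.get(prefix, [])


def breach_count(password: str) -> int:
    """k-anonymity lookup: only a 5-character hash prefix would ever leave the host."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def login(accounts: Dict[str, Account], username: str, password: str) -> bool:
    """Authenticate, and while the plaintext is in hand anyway, grade it.
    Only a boolean is written back; the password itself is not stored or logged."""
    account = accounts.get(username)
    if account is None or not verify(account, password):
        return False
    if len(password) < 12 or breach_count(password) > 0:
        account.weak_password = True
    return True


if __name__ == "__main__":
    accounts = {"alice": make_account("correct horse"),
                "dave": make_account("qL7#vX2pT9!mRz")}
    for user, pw in (("alice", "correct horse"), ("alice", "wrong"), ("dave", "qL7#vX2pT9!mRz")):
        ok = login(accounts, user, pw)
        print(f"{user}: ok={ok} weak_flag={accounts[user].weak_password}")
```

The grading step runs only after a successful verification, so a failed guess never influences the flag, and the flag is all that a later "your password is easily discoverable" email needs. Note that this approach can only judge passwords that are actually used to log in during the audit window; dormant accounts still need the offline hash audit.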
There are a few assumptions that need to be made here, but what I would imagine is that the university password you refer to is the password to an Active Directory account. Active Directory handles passwords in the NTLM hash format, which is not salted. With this in mind, the same password in different environments will have the same hashed value.
Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 Million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory, with hashes that appear many times in the aforementioned data.
While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.
Passwords are not stored in plain text and as a practice it should be encrypted and stored in whatever ways technically. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.
(new contributor)
I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".
– Captain Man, 12 hours ago
1: Define "security band compliance". 2: "various technical algorithms" has no meaning. 3: Hint: you can delete your answer.
– zaph, 4 hours ago
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Gary Blake is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204777%2fschool-performs-periodic-password-audits-is-my-password-compromised%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.
1
The phrase to search for if you want to know more about this technique is “rainbow tables”.
– Robin Whittleton
yesterday
31
@RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.
– forest
23 hours ago
2
@forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.
– kasperd
22 hours ago
3
@kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.
– forest
22 hours ago
1
@forest Exactly my point.
– kasperd
22 hours ago
add a comment |
Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.
1
The phrase to search for if you want to know more about this technique is “rainbow tables”.
– Robin Whittleton
yesterday
31
@RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.
– forest
23 hours ago
2
@forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.
– kasperd
22 hours ago
3
@kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.
– forest
22 hours ago
1
@forest Exactly my point.
– kasperd
22 hours ago
add a comment |
Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.
Your understanding is wrong. If passwords are stored as a strong salted hash, the administrator can’t find good user passwords, but can find ones that are on lists of commonly used passwords by applying the hash and salt to every password on the list and looking for a match. It’s a lot easier if the stored passwords aren’t salted, though, since in that case you only have to run it once and not once per user, so this may indicate that the stored passwords are not salted, which is contrary to best practice.
answered yesterday
Mike ScottMike Scott
8,04612231
8,04612231
1
The phrase to search for if you want to know more about this technique is “rainbow tables”.
– Robin Whittleton
yesterday
31
@RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.
– forest
23 hours ago
2
@forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.
– kasperd
22 hours ago
3
@kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.
– forest
22 hours ago
1
@forest Exactly my point.
– kasperd
22 hours ago
add a comment |
1
The phrase to search for if you want to know more about this technique is “rainbow tables”.
– Robin Whittleton
yesterday
31
@RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.
– forest
23 hours ago
2
@forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.
– kasperd
22 hours ago
3
@kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.
– forest
22 hours ago
1
@forest Exactly my point.
– kasperd
22 hours ago
1
1
The phrase to search for if you want to know more about this technique is “rainbow tables”.
– Robin Whittleton
yesterday
The phrase to search for if you want to know more about this technique is “rainbow tables”.
– Robin Whittleton
yesterday
31
31
@RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.
– forest
23 hours ago
@RobinWhittleton That isn't correct. Rainbow tables are not the same as hash tables or dictionaries, and they cannot encode specific passwords, only random passwords with specific patterns.
– forest
23 hours ago
2
2
@forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.
– kasperd
22 hours ago
@forest The pattern could be that the password appears on a specific list. But that would defeat the purpose of using rainbow tables in the first place. The purpose of a rainbow table is to reduce the storage space needed for precomputed hashes. If you need to store the list of passwords covered by your rainbow table you won't have gained anything.
– kasperd
22 hours ago
3
3
@kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.
– forest
22 hours ago
@kasperd Yeah in theory the reduction function could be a lookup table, but that would be extremely silly.
– forest
22 hours ago
1
1
@forest Exactly my point.
– kasperd
22 hours ago
@forest Exactly my point.
– kasperd
22 hours ago
add a comment |
As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.
Actually, there is: cracking.
There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.
To quote this article about John the Ripper:
How you decide to use John is up to you. You may choose to run it on
all the password hashes on your system regularly to get an idea of
what proportion of your users' passwords are insecure. You could then
consider how you could change your password policies to reduce that
proportion (perhaps by increasing the minimum length.) You may prefer
to contact users with weak passwords and ask them to change them. Or
you may decide that the problem warrants some sort of user education
program to help them select more secure passwords that they can
remember without having to write them down.
add a comment |
As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.
Actually, there is: cracking.
There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.
To quote this article about John the Ripper:
How you decide to use John is up to you. You may choose to run it on
all the password hashes on your system regularly to get an idea of
what proportion of your users' passwords are insecure. You could then
consider how you could change your password policies to reduce that
proportion (perhaps by increasing the minimum length.) You may prefer
to contact users with weak passwords and ask them to change them. Or
you may decide that the problem warrants some sort of user education
program to help them select more secure passwords that they can
remember without having to write them down.
add a comment |
As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.
Actually, there is: cracking.
There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.
To quote this article about John the Ripper:
How you decide to use John is up to you. You may choose to run it on
all the password hashes on your system regularly to get an idea of
what proportion of your users' passwords are insecure. You could then
consider how you could change your password policies to reduce that
proportion (perhaps by increasing the minimum length.) You may prefer
to contact users with weak passwords and ask them to change them. Or
you may decide that the problem warrants some sort of user education
program to help them select more secure passwords that they can
remember without having to write them down.
As I understand it, there shouldn't be a way for them to periodically check my password unless my password was stored in plaintext.
Actually, there is: cracking.
There is a known practice by which system administrators run cracking tools (John the Ripper, Hashcat, etc.) against the hashed passwords. People with simple passwords can be cracked in trivial amounts of time; therefore, as they define it, if they cracked your password, it was easily discoverable and at risk.
To quote this article about John the Ripper:
How you decide to use John is up to you. You may choose to run it on
all the password hashes on your system regularly to get an idea of
what proportion of your users' passwords are insecure. You could then
consider how you could change your password policies to reduce that
proportion (perhaps by increasing the minimum length.) You may prefer
to contact users with weak passwords and ask them to change them. Or
you may decide that the problem warrants some sort of user education
program to help them select more secure passwords that they can
remember without having to write them down.
answered yesterday
gowenfawrgowenfawr
53.2k11114159
53.2k11114159
add a comment |
add a comment |
Your university may not have stored your password in plaintext. They have a very easy way to get the plaintext of your password, and I suspect that they have access to it at least a couple times per day.
You give them your password as plaintext every time that you log on.
If you're logging into an application that they host, such as a site to manage online classes or to check your grades, and they have the source code for that online application, then they can trivially get access to your plaintext password without storing it or transmitting it to another system, and can check the security of your password at that point.
They can also check the password strength when you're logging in if they are using a single-sign-on service.
However, it's still extremely fishy. Contact your university's IT department and verify that they are storing your password securely. Ask pointed questions on how they checked your password.
And the rest of my advice follows standard internet authentication advice: Do not click on any links in that email; if you do change your password, do so through normal means and not a link that was emailed to you. Use a password manager to store and generate long random passwords. (Ideally, you should only know 2 of your passwords: the one to log into your computer, and the one to log into your password manager.) Never reuse a password for any purpose.
And while you're talking to the university's IT department, ask them about 2-factor authentication.
26
"You give them your password as plaintext every time that you log on" - Unless they extract this from memory from the host (which I would say is highly unlikely), or it's a very poorly configured web app, it's hard for me to imagine a scenario where this is how they've done password audits.
– DKNUCKLES
yesterday
2
@DKNUCKLES You've never seen a web app that checks password strength locally before sending it?? It's very common in sign-up forms, and I've hit systems that applied it after the fact and would refuse "weak" passwords, forcing the use of the lost password system. (I much prefer passphrases to $pec1al character$ and have been bitten more than once.)
– Loren Pechtel
yesterday
4
@LorenPechtel This is a different scenario than what OP is referring to. Client-side validation of password strength prior to setting a password is not difficult and can be done without exposing a plaintext password. OP describes an existing password that was retroactively audited.
– DKNUCKLES
yesterday
9
@DKNUCKLES But who says it was retroactive? Put the audit code into the client, it tells the server the password is weak.
– Loren Pechtel
yesterday
4
If there's a single sign-on service, it's not unbelievable that password strength could be checked server-side at the same time as validity when the user logs in.
– Gremlin
15 hours ago
edited 11 hours ago
answered yesterday
Ghedipunk
There are a few assumptions that need to be made here, but what I would imagine is that the university password you refer to is the password to an Active Directory account. Active Directory deals with passwords in an NTLM hashing format, which is not salted. With this in mind, the same password in different environments will have the same hashed value.
Troy Hunt offers a service called Pwned Passwords that allows administrators to download 517 million password hashes. It is possible that your school's IT department is comparing the password hashes in their Active Directory with hashes that appear many times in the aforementioned data.
While storing passwords in plaintext does happen from time to time (mostly in proprietary web applications), the aforementioned scenario would be my assumption as to how they've determined your password is weak.
answered yesterday
DKNUCKLES
Passwords are not stored in plain text, and as a practice they should be encrypted and stored in whatever ways are technically possible. However, due to security band compliance, passwords can be decrypted using various technical algorithms and run through patterns to find weak passwords. Your university must have done this and notified you.
2
I believe the phrase you are looking for is hashed, not encrypted. If you do mean encrypted then that is incorrect as it is reversible. I think you mean hashed because you mention the way to reverse the process as "various technical algorithms" rather than simply "decryption".
– Captain Man
12 hours ago
1: Define "security band compliance". 2: "various technical algorithms" has no meaning. 3: Hint: You can delete your question.
– zaph
4 hours ago
edited 11 hours ago by schroeder♦
answered 15 hours ago
Atul Kumar
20
Contact the IT department just to make sure. Especially if you got it through email. Could be a phishing attempt.
– TurkuSama
yesterday
18
Perhaps they are cracking hashes? Perhaps they are using haveibeenpwned or something similar. Is your password fairly weak?
– DarkMatter
yesterday
4
Could be easy for a dictionary attack depending on how it is constructed... but still, it seems a little ambitious for your school's IT dept to be doing that :)
– DarkMatter
yesterday
2
I've already changed the password, so I might as well tell the format. It followed that XKCD format with English words separated by special characters.
– Gary Blake
yesterday
3
Hearing that you had an XKCD format password and they showed it to you on the check site makes me even more suspicious that they have your password in plain text.
– user3067860
10 hours ago