
List:       pen-test
Subject:    RE: Where are Windows "Enforce password history" passwords stored?
From:       "Nick Duda" <nduda () VistaPrint ! com>
Date:       2005-08-31 11:21:55
Message-ID: 6570EF1DE8D49B469FD6397DE5558AE509AB50E0 () lexmail ! vistaprint ! net

I agree...having access to past passwords is a big gain. Consider the
following, an employee uses the following password scheme, Password1,
Password2, Password3, Password4 and the current password is Password5.
I'll bet you I know what the next password will be.

- Nick

-----Original Message-----
From: Wil.Allsopp@ins.com [mailto:Wil.Allsopp@ins.com] 
Sent: Tuesday, August 30, 2005 4:59 PM
To: pen-test@securityfocus.com
Subject: RE: Where are Windows "Enforce password history" passwords
stored?

James Leighe [jamesleighe@gmail.com] wrote:

>It's stored as a hash, so if you find out how to access them, you
>would have to crack it. So basically, it's not worth the time when an
>attacker could just go for the current password.


This shows a fundamental misunderstanding of security as well as the way
hackers think. There are many advantages for an attacker to have your
previous passwords - passwords are reused and some may be current on
peripheral or entirely separate systems.

Wil
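
Added example, not part of the original thread or any poster's code: a password-change check that rejects a new password when it, or a version with only the trailing counter changed, matches a hashed history entry, which is the Password1..Password5 pattern described above. The salted PBKDF2 history format, the function names and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 20_000  # constructed value for the demo; tune for production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_history(passwords):
    """Build (salt, hash) entries the way an assumed history store keeps them."""
    entries = []
    for pw in passwords:
        salt = os.urandom(16)
        entries.append((salt, hash_password(pw, salt)))
    return entries


def near_variants(candidate: str, window: int = 5):
    """Yield the candidate, then versions with the trailing counter changed."""
    yield candidate
    m = re.match(r"^(.*?)(\d+)$", candidate)
    if not m:
        return
    base, digits = m.group(1), m.group(2)
    if base:
        yield base  # same password with the counter dropped
    n = int(digits)
    for k in range(max(0, n - window), n + window + 1):
        variant = base + str(k).zfill(len(digits))
        if variant != candidate:
            yield variant


def check_new_password(candidate: str, history, window: int = 5):
    """Return None if acceptable, otherwise the reason for rejection."""
    for variant in near_variants(candidate, window):
        for salt, stored in history:
            # Only hashes are stored, so each variant is hashed and compared.
            if hmac.compare_digest(hash_password(variant, salt), stored):
                if variant == candidate:
                    return "reused"
                return "counter variant of an earlier password"
    return None
```

The check works against hashes alone because the new password is available in cleartext at change time, so its neighbours can be hashed and compared without recovering any old password.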


