Password list of all user and mail accounts

prohostings

Our server has over 400 users, with all kinds of accounts.
We suspect there are a few unsafe passwords that are probably hacked.
Is there a script that can generate all accounts + passwords?
 
Not easily or quickly, since passwords are kept in one-way encodes.

So any script would have to try all passwords in a brute-force attack and record success.

Jeff
 
Is it maybe then possible to retrieve a list of users with unsafe passwords (we don't need to see the password, we just want to make sure that our users work with a safe password)?

Somebody was abusing our SMTP after retrieving a customer's password, which was '123'. Is there a solution so that a user cannot set an insecure password, working for example with the following criteria:

- minimum 8 characters
- minimum 1 CAPITAL character
- minimum 1 number

It's really important for us that users are forced to enter a secure password and that it's impossible to fill in e.g. '123', because then the user gets easily hacked, followed by SMTP abuse, followed by server blacklisting...
 
You could ask for it as a feature (and I would like it too); right now it can be done by scripting every insertion and modification of passwords within the interface.
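
An added example, not part of the thread and not the control panel's own code: a check that a password-change hook could call, enforcing the three criteria requested above and also rejecting common passwords and passwords containing the account name. The hook interface (account name as argument, password on stdin) and the small inline wordlist are assumptions.

```python
import sys

MIN_LENGTH = 8  # "minimum 8 characters" from the criteria in the thread

# Constructed sample; in practice load a real wordlist file, lowercased.
COMMON = {"123", "password", "password1", "12345678", "qwerty123", "welcome1"}


def policy_violations(password, username="", wordlist=COMMON):
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    lowered = password.lower()
    # Composition rules alone still accept guessable values such as "Password1".
    if lowered in wordlist:
        problems.append("found in common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    return problems


def main(argv):
    # Hypothetical hook contract: account name in argv[1], new password on stdin
    # (stdin keeps the password out of the process list).
    username = argv[1] if len(argv) > 1 else ""
    password = sys.stdin.readline().rstrip("\n")
    problems = policy_violations(password, username)
    for problem in problems:
        print(f"rejected: {problem}", file=sys.stderr)
    return 1 if problems else 0  # non-zero exit tells the caller to refuse the change


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only gates new or changed passwords; existing weak passwords stay in place until their owners are made to change them.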
 
tillo,

There's also a program that's probably on every 'nix box which you can use to try a dictionary attack against your own box. I'd post the name if I remembered it but I don't.

Do you? Or is it something you know but would rather not post :) ?

Jeff
 
It wouldn't make much difference if I post it or not :) I don't believe in security through obscurity.

I generally use John the Ripper for a passive bruteforce attack and THC Hydra for an active one.
There are good repositories of wordlists usable in both programs all over the web, I'd go for http://www.openwall.com/wordlists/ and support the good guys that created john. The CrackLib project also has a nice small list.
 
"I don't believe in security through obscurity."

I believe steganography and cryptography complement each other and are not in opposition. But that is another thread.
 
Of course, I also believe that but just because I don't think steganography can be called security through obscurity. It's not obscured confidential information, it's public confidential information that looks like normal public information to any third party.
Like you said, it's another thread :)
 
John the Ripper was the one I was thinking of; I just couldn't remember the name.

Jeff
 