How to change CS account password
If you do not know your current CS account password, please contact firstname.lastname@example.org.
- Using CLIC Machines or Compute Machines
$ ssh email@example.com or ssh firstname.lastname@example.org (compute01-compute08)
$ passwd
Enter login(LDAP) password:
Re-enter new password:
LDAP password information changed for username
passwd: password updated successfully
$
If you do not know your current WIN-CS account password, please contact email@example.com.
- Using any WIN-CS domain computers
1. Log in to any WIN-XP machine on the WIN-CS domain.
2. Press Ctrl + Alt + Del to see the Windows Security screen.
3. Press the "Change Password..." button.
4. Type your new password. (Make sure you are in "WIN-CS")
5. Press "Okay" to make the change.
Here we take a few paragraphs to explain what the “Crack” program is and isn’t and how it works, and to suggest some ways to form more secure passwords.
By the way, the program and the lists described below are all publicly available. We just would like to keep ourselves one step ahead of the amateur cracker.
The “Crack” program is a password GUESSING program. It takes any provided list of “words” and a list of ENCRYPTED passwords, and then tries to find which words, when encrypted, match one or more encrypted passwords. Here the term “words” means any string of acceptable characters. Some strings that one might not expect to count as words do count in this sense, including “1”, “qwerty”, “98765432”, etc.
The “Crack” program, while it is a brute-force guesser, is not a blind guesser. There are about 124^8 (about 5.96E16) combinations of 8 characters possible. If one systematically tried all 8-character strings at 1000 tries per second on 1000 machines in parallel, it would take about 18 centuries to exhaustively cover that search space. (Expected time (50% probability level) to crack exactly 1 password would be only 9 centuries. If there were 100 randomly chosen passwords (uniform distribution), this expectation drops to only 18.8 years to find one but still is at 944 years to expect to cover 50 of them.)
People, however, do not tend to choose random strings. They tend to pick keyboard patterns (like “qwerty”, “!@#$%^&*”, etc.) and natural language words. Suddenly an adversary doesn’t have to try 5.96E16 strings. With our current list of “words”, we make about 2.2E7 attempts against a password that we do not break. This can be done on one machine at 1000 tries per second in 6 hours.
Currently our success rate (or should we view this as the failure rate) sits at 22% using lists of Dutch, English, French, German, Italian, Norwegian and Swedish words plus lists of names, jargon words, keyboard patterns and anything else people tend to use when picking passwords. Of course, new lists of words are added when available. In other words, do NOT assume Hebrew, Spanish, Korean, Chinese, and Japanese are safe.
Things to AVOID:
Some password constructions are easily guessed by a program such as Crack and should be avoided! Crack uses about 77 variations on the GECOS information and 240 variations on the dictionaries.
* For the GECOS information this starts with the words in the GECOS field and the initials of that field. To quote from the Crack documentation,
The data fed to the gecos rules for the user aem, who is “Alec David Muffett, Systems” would be: aem, Alec, David, Muffett, Systems, and a series of permutations of those words, either re-ordering the words and joining them together (eg: AlecMuffett), or making up new words based on initial letters of one word taken with the rest of another (eg: AMuffett).
Crack then tries these directly, uppercased, lowercased, reversed, doubled up (e.g. “aemaem”), mirrored (e.g. “aemmea”), capitalized, capitalized and doubled, capitalized and flipped, with appended punctuation and digits (e.g. “aem!”, “aem.”, “aem3”), and with prepended strings (e.g. “!aem”).
For the dictionary attacks, instead of using GECOS information Crack uses the word lists available. It tries, among other things:
- Force every pure alphabetic word lowercase and try it
- Pluralise every significant one of the above
- Try variations of anything that is not pure alnum
- Any alphaword >2 & <8 chars long, append a digit or simple punctuation, since few people add non-alpha chars to an already non-alpha word
- Lowercase every pure alphabetic word and reverse it
- Capitalise every pure alnum word (ie: not anything which is not alnum)
- Anything uppercase
- Pure alphabetic words with vowels removed which are still fairly long
- Longish pure words lowercased and reflected
- Words containing whitespace, which is then squeezed out
- In a similar vein, words with punctuation, squeezed out
- Reasonably short words, duplicated. eg: “fredfred”
- Various combinations based on graphic or phonetic similarities such as “l” -> “1”, “o” -> “0”, “0” -> “o”, “e” -> “3”, “a” -> “2”
- Prefixing words with digits and punctuation
- Capitalise and then reverse every word (eg: “derF”)
- Reverse and then capitalise every alphabetic word (eg: “Derf”)
- Pure words capitalised with various ejaculatory punctuation added eg: “Cats!” for Andrew Floyd-Drebber fans…
- Uppercase words with various things appended or swapped out
- Really weird uppercase variations (doubled, mirrored, reversed)
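The rules above can be turned around into a check run when a password is chosen. The following is an added example, not code from the original page or from Crack: it undoes a subset of the listed manglings (case, appended or prepended digits and punctuation, look-alike swaps, doubling, mirroring, reversal, pluralising) and reports any GECOS or dictionary word the candidate reduces to. The function names and the tiny word list are assumptions made for illustration.

```python
import itertools
import string

# Constructed sample word list; a real check would load full dictionaries.
SAMPLE_DICT = {"fred", "cat", "password", "qwerty"}
LEET = str.maketrans("1032", "loea")        # undo l->1, o->0, e->3, a->2
EDGE = string.digits + string.punctuation   # characters Crack appends/prepends

def gecos_words(login, gecos):
    """Login, GECOS words, joined pairs (AlecMuffett), initial+word (AMuffett)."""
    words = [w for w in gecos.replace(",", " ").split() if w]
    out = {login, *words}
    for a, b in itertools.permutations(words, 2):
        out.add(a + b)
        out.add(a[0] + b)
    return {w.lower() for w in out}

def base_forms(password):
    """Reverse the mangling rules and return every candidate base word."""
    p = password.lower()                              # any case variation
    stems = {p, p.strip(EDGE)}                        # "aem3", "!aem", "Cats!"
    stems |= {s.translate(LEET) for s in set(stems)}  # "passw0rd" -> "password"
    for s in set(stems):
        half = len(s) // 2
        if half and len(s) % 2 == 0:
            if s[:half] == s[half:]:                  # doubled: "fredfred"
                stems.add(s[:half])
            if s[:half] == s[half:][::-1]:            # mirrored: "aemmea"
                stems.add(s[:half])
    stems |= {s[::-1] for s in set(stems)}            # reversed: "derF"
    stems |= {s[:-1] for s in set(stems) if s.endswith("s")}  # pluralised
    return {s for s in stems if s}

def is_guessable(password, login, gecos, dictionary=SAMPLE_DICT):
    """Return the sorted list of known words the password reduces to."""
    known = gecos_words(login, gecos) | {w.lower() for w in dictionary}
    return sorted(base_forms(password) & known)

if __name__ == "__main__":
    for pw in ("AMuffett", "aemmea", "passw0rd1", "Cats!", "vK7#pQz9wL"):
        print(pw, is_guessable(pw, "aem", "Alec David Muffett, Systems"))
```

An empty result only means that none of these particular reversals hit the supplied lists; it does not cover the vowel-removal or squeezing rules, or word lists the checker was not given.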