> I have seen experienced sysadmins create the test user with the password of "t... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

mananaysiempre 43 days ago | parent | context | favorite | on: OpenSSH introduces options to penalize undesirable...

> I have seen experienced sysadmins create the test user with the password of "test" on a live server on port 22 because they were having an "autopilot moment".

pam_pwnd[1], testing passwords against the Pwned Passwords database, is a(n unfortunately abandoned but credibly feature complete) thing. (It uses the HTTP service, though, not a local dump.)

[1] https://github.com/skx/pam_pwnd

1oooqooq 43 days ago [–]

meh. enabling any of the (fully local) complexity rules pretty much had the same practical effect of checking against a leak.

if the password have decent entropy, it won't be in the top 1000 of the leaks so not used in blond brute force like this.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact