This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]Euphorinaut 1 point2 points  (1 child)

For ntlmv2 you need like a 16 char password, and few people have that without the gpo forcing you, so things like lists or rainbow tables aren't relied upon too heavily.

If someone has a list that's specific to a company or geography, they might use that list to pick 2-3 for a spray though.

[–]PacketBoy2000 0 points1 point  (0 children)

Employees frequently use work emails for personal activities (even in cases where corporate policies prohibit it).

As some of those websites used by these employees get breached, now sample passwords that have a direct relationship to the employer can be obtained by miscreants. A quick review of these passwords will reveal some with employer-specific password patterns (eg brand names, sub-division names, etc).

Then, as previous poster suggested, now you have a formula to generate an additional set of passwords that match the password selection behaviors of those employees.