Is IS Aware Of What Password You Have?

One of the more interesting questions that arose from the recent password audit is whether IS is aware of account passwords – i.e. do we know your password.

The short answer to that is: No, but with a caveat.

First of all, only one person in IS has any authorised access at all to any disclosed passwords: the password auditor (that’s me).

Secondly, only weak passwords are available. Strong passwords – those passwords that cannot be “cracked” within a reasonable time-frame – are not available.

Finally, I don’t want access to the passwords. Although I have theoretical access to the weak account passwords, I make sure that the association between usernames and passwords is broken very quickly: I may know that “fred” has a weak password but not what that password is, and I may know that X is a widely used password but not who uses it.
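
One way the username/password association described above could be discarded when handling cracked results, as an added example (not the auditor's actual tooling). The `user:password` input format, the name `split_cracked` and the `min_count` threshold are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample in "username:password" form; not real audit data.
SAMPLE_CRACKED = """\
fred:password1
alice:letmein
bob:password1
carol:Summer2019
dave:password1
"""

def split_cracked(lines, min_count=2):
    """Split cracked results into two unlinked views.

    Returns (usernames, common_passwords, rare_total):
      usernames        - accounts with a weak password, sorted alphabetically
      common_passwords - (password, count) for passwords used by at least
                         min_count accounts, sorted by count then text
      rare_total       - number of accounts whose password was used by fewer
                         than min_count accounts (password text is dropped,
                         because a near-unique password is easy to re-link)
    """
    users, counts = [], Counter()
    for raw in lines:
        line = raw.rstrip("\r\n")
        if ":" not in line:
            continue  # skip blank or malformed lines
        # Split on the first colon only: the password itself may contain ':'.
        user, password = line.split(":", 1)
        users.append(user)
        counts[password] += 1
    # Sort each view independently so row position cannot be used to
    # re-join a username to its password.
    users.sort()
    common = sorted(
        ((p, n) for p, n in counts.items() if n >= min_count),
        key=lambda item: (-item[1], item[0]),
    )
    rare_total = sum(n for n in counts.values() if n < min_count)
    return users, common, rare_total

if __name__ == "__main__":
    users, common, rare = split_cracked(SAMPLE_CRACKED.splitlines())
    print("Accounts needing a password change:", ", ".join(users))
    for password, n in common:
        print(f"Widely used weak password ({n} accounts): {password}")
    print("Accounts with other weak passwords:", rare)
```

The original paired file still has to be securely deleted once both views are produced; this function only ensures that what is kept no longer links a user to a password.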

