Security Basics mailing list archives

Re: How do you conduct a password audit?

From: "S.k" <skrjsa () gmail com>
Date: Sat, 14 May 2011 10:21:25 +0530

yes,that's very true.non-tech guys even at the higher posts areirritatingly ignorant about security issues!anyway,may be you can tryrecreating your network environment in vmware and do some recordings ofweak and strong password cracking attempts...and then show it to the topmanagement guys!for password auditing not only the technical aspects ,training employeesagainst social engineering and safe online behavior is also very important.


On Fri, 13 May 2011 22:58:21 +0530, Matthew Reed <mreed () cgx com> wrote:

Speaking from a safe practice perspective:
Before ANY passwords are cracked, you should have specific permissionfrom the highest possible source of management. This permission shouldbe documented in writing.
Once permission has been granted, any passwords that have been crackedshould be set for automatic password change by the user. If this is notin place there can be issues with repudiation of any security incidents.i.e. It has happened in the past that users who violated companypolicies/legal statutes were able to avoid sanctions by claiming thatthe integrity of their account was compromised by password audits.
These 2 practices will help anyone auditing passwords avoid potentialissues.
MR

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of Edd Burgess
Sent: Friday, May 13, 2011 10:14 AM
To: security-basics () securityfocus com
Subject: Re: How do you conduct a password audit?

I have seen an automatic audit setup on a linux server before as a cron
job; just running john the ripper against the shadow file once a week
and storing any weak results so the sysadmin can contact the relativeusers.
In other words, if you are worried about broaching the subject with
management, try to crack the passwords yourself - In my experience,
non-techs are more convinced by actual evidence; 'I managed to crack
your password in 3mins' than any amount of advice/information you can
throw at them. I had to actually ARP poison my boss and sniff an FTP
password to convince him to let me secure our office wifi!


On 13/05/2011 12:47, wyfr1972 () gmail com wrote:
Hi folks,
I have many questions on this. I've learnt a lot from SecBasics, butnow I have a few questions of my own. I want to carry out a passwordaudit for my company, but I'm not sure how to proceed.
Firstly, how do I broach the subject with management? Are there arestandards/methodologies online that I can use to back up my request tomanagement?
Then, how do you conduct the audit? We have a mix of devicesWindows/Solaris/Unix/Checkpoint/Cisco/network printers/etc.
How do I phase the work for best effect?  How do I present my findings?

Thanks for your advice and help in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs anSSL certificate. We look at how SSL works, how it benefits yourcompany and how your customers can tell if a site is secure. You willfind out how to test, purchase, install and use a thawte DigitalCertificate on your Apache web server. Throughout, best practices forset-up are highlighted to help you ensure efficient ongoing managementof your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs anSSL certificate. We look at how SSL works, how it benefits your companyand how your customers can tell if a site is secure. You will find outhow to test, purchase, install and use a thawte Digital Certificate onyour Apache web server. Throughout, best practices for set-up arehighlighted to help you ensure efficient ongoing management of yourencryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
NOTICE: This message, as well as any attached document, containsinformation from Consolidated Graphics, Inc. that is confidential and/orprivileged, or may contain attorney work product. The information isintended only for the use of the addressee(s) named above. If you arenot the intended recipient, you are hereby notified that any review,use, dissemination, forwarding, printing, copying, disclosure, or thetaking of any action in reliance on the contents of this message or itsattachments is strictly prohibited, and may be unlawful. If you havereceived this message in error, please destroy all copies (in any form)of this message and its attachments, if any, without disclosing thecontents, and notify the sender immediately. Unintended transmissiondoes not constitute waiver of the attorney-client privilege or any otherprivilege. Unless expressly stated in this email, nothing in thismessage should be construed as a digital or electronic signature. Thankyou for your cooperation.
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs anSSL certificate. We look at how SSL works, how it benefits your companyand how your customers can tell if a site is secure. You will find outhow to test, purchase, install and use a thawte Digital Certificate onyour Apache web server. Throughout, best practices for set-up arehighlighted to help you ensure efficient ongoing management of yourencryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



--
Using Opera's revolutionary email client: http://www.opera.com/mail/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

How do you conduct a password audit? wyfr1972 (May 13)
- Re: How do you conduct a password audit? Edd Burgess (May 13)
  - RE: How do you conduct a password audit? Matthew Reed (May 13)
    - Re: How do you conduct a password audit? S.k (May 16)
  - RE: How do you conduct a password audit? Chadha, Sachin (May 16)
    - RE: How do you conduct a password audit? Synja (May 16)
- RE: How do you conduct a password audit? Mike Mychalczuk (May 13)
- <Possible follow-ups>
- RE: How do you conduct a password audit? Julius K. (May 13)
  - RE: How do you conduct a password audit? Jeremi Gosney (May 13)
    - Re: How do you conduct a password audit? Vincent Maury (May 13)
    - RE: How do you conduct a password audit? Jeremi Gosney (May 16)
- Re: RE: How do you conduct a password audit? wyfr1972 (May 13)
  - Cyber Ark Hanson Coffie Kyeremeh (May 18)