Penetration Testing mailing list archives
Re: password auditing
From: DaKahuna <da.kahuna () gmail com>
Date: Thu, 19 Nov 2009 20:25:00 -0500
On Nov 18, 2009, at 12:33 AM, JoePete wrote:
On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote:

Before we do this we want to get an overview of just how ugly things are. We want to get real facts about how many users are using the default password.

A few observations:

One of the big reasons for password complexity is the ability to crack them offline. Essentially, password policy reflects more on the vulnerability of poorly secured systems (i.e. the ability to get at the password store) than the feeble-mindedness of employees. If your Internet-facing services (email, intranet, VPN, etc.) are a concern, your best protection is not password complexity but account lockout. Without account lockout, it is literally just a matter of time until even a strong password is broken.

Apparently complex passwords still are very guessable or phishable. In my experience, I am not seeing people guess passwords. Why go to the effort? It is far easier to phish it or retrieve it through some other channel - crack their Yahoo email, and go to the folder named "important" or "passwords" where they store all this stuff. And you know they use the same password for everything.

Lastly, the measure of complexity is misleading. Take a very popular email provider that now requires 8 characters for a password - "8characters" registers as a "strong" password.
You make some valid points, but I will tell you why I spend approximately 48 hours every six months cracking passwords on our 43,000+ user Active Directory domain: verification of compliance with password policy. It does no good to have a policy that cannot be 100% technically enforced if you don't audit to ensure users are compliant. As long as having a complex password is a requirement, and Active Directory does not know that Password1 (which meets our three-out-of-four requirement) is a poor password, the only safe way to go is to crack the passwords and inform the users that are not following the rules to get their act together.

I agree 100% that phishing is a bigger threat to security than weak complex passwords. However, the users most susceptible to phishing are not the ones with advanced privileges. So once a bad guy gets in using phishing, they escalate privileges any way they can, to include password cracking.
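The gap the reply above describes, between what Active Directory can enforce at password-change time and what only an audit catches, can be made concrete. The following is an added example, not code from either poster or from any product: it models the AD "three of four character classes" complexity rule (simplified; the real rule also rejects passwords containing parts of the account or display name, modelled here only as a substring check on the username) and then runs the kind of weak-base-word check an auditor would apply after cracking. The banned-word list, the leet-speak mapping, the sample account/password pairs and the helper names (`ad_complexity_ok`, `normalize_base`, `audit`, `summarize`) are all constructed for this example.

```python
"""Added example: why a policy-compliant password still needs an offline audit.

Models the Active Directory default complexity rule (minimum length plus at
least three of four character classes) and shows that "Password1" passes it,
then applies an auditor's weak-base-word check that AD cannot perform itself.
Banned words, leet map and sample data are constructed for this example.
"""
import re

# Constructed banned base words; a real audit uses large wordlists plus
# the organisation's own name, products, locations and so on.
BANNED_BASES = {"password", "welcome", "summer", "winter", "letmein", "companyname"}

# Common substitutions users make to satisfy the digit/symbol classes.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i",
                      "!": "i", "4": "a", "5": "s", "7": "t"})

KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "1234", "4321")
MIN_LENGTH = 7  # AD default; many organisations raise it


def ad_complexity_ok(pw: str, min_length: int = MIN_LENGTH) -> bool:
    """Approximate AD 'password must meet complexity requirements':
    minimum length and at least 3 of 4 classes (upper, lower, digit, other)."""
    if len(pw) < min_length:
        return False
    classes = [
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[0-9]", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ]
    return sum(classes) >= 3


def normalize_base(pw: str) -> str:
    """Strip the leading/trailing digits and symbols users bolt on to pass
    complexity, then undo leet substitutions: 'P@ssw0rd2009!' -> 'password'."""
    core = re.sub(r"^[^A-Za-z]+", "", pw)
    core = re.sub(r"[^A-Za-z]+$", "", core)
    return core.lower().translate(LEET)


def audit(pw: str, username: str = "") -> dict:
    """Return what AD would enforce ('compliant') next to what only an
    audit finds ('weak', with the reasons)."""
    contains_user = bool(username) and username.lower() in pw.lower()
    compliant = ad_complexity_ok(pw) and not contains_user

    reasons = []
    base = normalize_base(pw)
    if base in BANNED_BASES:
        reasons.append(f"base word '{base}' is on the banned list")
    if contains_user:
        reasons.append("contains the account name")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    if re.search(r"(.)\1{2,}", pw):
        reasons.append("three or more repeated characters")
    if any(walk in pw.lower() for walk in KEYBOARD_WALKS):
        reasons.append("contains a keyboard walk")

    return {"compliant": compliant, "weak": bool(reasons), "reasons": reasons}


def summarize(accounts) -> dict:
    """Headline numbers for the 'how ugly is it' question: how many cracked
    passwords satisfied the policy, and how many of those are still weak."""
    results = [audit(pw, user) for user, pw in accounts]
    compliant = sum(r["compliant"] for r in results)
    compliant_but_weak = sum(r["compliant"] and r["weak"] for r in results)
    return {"total": len(results), "compliant": compliant,
            "compliant_but_weak": compliant_but_weak}


# Constructed sample of (account, recovered cleartext) pairs, as an auditor
# would have after a cracking run.  Not real accounts.
SAMPLE = [
    ("jdoe", "Password1"),
    ("asmith", "P@ssw0rd2009!"),
    ("bjones", "Welcome1"),
    ("cwhite", "Tr0ub4dor&3"),
    ("dlee", "xK9#mQ2v$Lp7"),
    ("ekim", "ekim2009!"),
]

if __name__ == "__main__":
    for user, pw in SAMPLE:
        r = audit(pw, user)
        flag = "WEAK" if r["weak"] else "ok"
        print(f"{user:8} compliant={str(r['compliant']):5} {flag:4} {'; '.join(r['reasons'])}")
    print(summarize(SAMPLE))
```

Running it on the constructed sample, "Password1", "P@ssw0rd2009!" and "Welcome1" all satisfy the three-of-four rule and would be accepted at password-change time, yet all three normalise to a banned base word; only "ekim2009!" is rejected by the modelled AD rule itself, and only because it contains the account name. That is exactly the population the reply says cannot be caught without cracking and auditing.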
Current thread:
- Re: password auditing, (continued)
- Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)
- Re: password auditing Haris Pilton (Nov 17)
- Re: password auditing R. DuFresne (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing JoePete (Nov 19)
- Re: password auditing DaKahuna (Nov 23)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)