Re: password auditing

[DaKahuna <da.kahuna () gmail com>]

On Nov 18, 2009, at 12:33 AM, JoePete wrote:

> On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote: 
> > before we do this we want to get an overview of just how ugly things are.
> > we want to get real facts about how many users are using the default password.
>
> A few observations:
>
> One of the big reasons for password complexity is the ability to crack
> them offline. Essentially, password policy reflects more on the
> vulnerability of poorly secured systems (i.e. the ability to get at the
> password store) than the feeble-mindedness of employees.
>
> If your Internet facing services (email, intranet, VPN, etc) are a
> concern, your best protection is not password complexity but account
> lockout. Without account lockout, it is literally just a matter of time
> until even a strong password is broken.
>
> Apparently complex passwords still are very guessable or phishable. In
> my experience, I am not seeing people guess passwords. Why go to the
> effort? It is far easier to phish it or retrieve it through some other
> channel - crack their yahoo email, and go to the folder named
> "important" or "passwords" where they store all this stuff. And you know
> they use the same password for everything.
>
> Lastly, the measure of complexity is misleading. Take a very popular
> email provider that now requires 8 characters for a password -
> "8characters" registers as "strong" password.

 You make some valid points but I will tell you why I spend 48 hours approximately every six months cracking passwords 
on our 43,000 user + Active Directory domain - verification of compliance with password policy.  It does not good to 
have a policy that can not be 100% technically enforced if you don't audit to ensure user's are compliant.  As long as 
have a complex password is a requirement and Active Directory does not know that Password1 (which meets our three out 
of four requirement) is a poor password the only safe way to go is to crack the password and inform the users that are 
not following the rules to get their act together.

 I agree 100% that phishing is a bigger threat to security than weak complex passwords.  However, the users most 
susceptible to Phishing are not the ones with advanced privileges. So once a bad guy gets in using phishing, they 
escalated privileges any way they can, to include password cracking.




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------