Re: password auditing

[Derek Robson <robsonde () gmail com>]

as per my last post....

we have no policy for passwords,  we plan on getting some policy and
inforcing it.
before we do this we want to get an overview of just how ugly things are.
we want to get real facts about how many users are using the default password.

in many of the meetings we have un-educated managers quoting "facts"
that they cant know until we do this project.

many of the IT staff are keen to get good password policy in palce and
then make a system that inforces that policy, but some of the upper
managers dont see the problem as being real.






On 11/18/09, R. DuFresne <dufresne () sysinfo com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1
>
>
>
>
>  Yes, this box needs to be locked down as tightly as possible.  Afterall
> that data it contains is delicate to say the least.
>
>  Secondly though, why do passwd's in this env not expire?  And why are there
> now requirements to force users to choose secure passwd's in the first
> place?
>
>
>  Thanks,
>
>  Ron DuFresne
>
>
>
>
>  On Tue, 17 Nov 2009, Derek Robson wrote:
>
>
> > I have been asked by my manager to setup a password audit.
> >
> > I plan on using john-the-ripper (unix passwords)
> > the basic idea is that we want a list of users that have weak
> > passwords, gut feeling is that a large number of staff have an old
> > default password.
> >
> > we intend to just hit it with a 200K word dictionary, and see what we get.
> >
> >
> > the next step is run this every month and email users that have weak
> > passwords asking them to "please change your password"
> >
> >
> > the question is about the security we setup around the box we run JtR
> > on and the data we find.
> > should this be done on a non-networked box?
> > could this be done on an secure networked box, one that only a few
> > (about 7) trusted staff have login for?
> >
> > any other tips?
> ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review
> Board
> > Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified.
> > http://www.iacertification.org
> ------------------------------------------------------------------------
> >
>
>  - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>  Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629
>
>  These things happened. They were glorious and they changed the world...,
>  and then we fucked up the endgame.    --Charlie Wilson
>  -----BEGIN PGP SIGNATURE-----
>  Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFLAxh1st+vzJSwZikRAi7KAKCw06eCnb5kZC0fE/hTekeObPlXcACgxpKP
>  q3fENOYf7+KHd+u2ABcQ4N4=
>  =ES7h
>  -----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------