Penetration Testing mailing list archives
Re: password auditing
From: Derek Robson <robsonde () gmail com>
Date: Wed, 18 Nov 2009 10:55:01 +1300
As per my last post, we have no policy for passwords; we plan on getting some policy and enforcing it. Before we do this we want to get an overview of just how ugly things are. We want to get real facts about how many users are using the default password. In many of the meetings we have uneducated managers quoting "facts" that they can't know until we do this project. Many of the IT staff are keen to get a good password policy in place and then make a system that enforces that policy, but some of the upper managers don't see the problem as being real.

On 11/18/09, R. DuFresne <dufresne () sysinfo com> wrote:
Yes, this box needs to be locked down as tightly as possible. After all, the data it contains is delicate to say the least. Secondly though, why do passwd's in this env not expire? And why are there no requirements to force users to choose secure passwd's in the first place?

Thanks,

Ron DuFresne

On Tue, 17 Nov 2009, Derek Robson wrote:

I have been asked by my manager to set up a password audit. I plan on using john-the-ripper (unix passwords). The basic idea is that we want a list of users that have weak passwords; gut feeling is that a large number of staff have an old default password. We intend to just hit it with a 200K word dictionary and see what we get. The next step is to run this every month and email users that have weak passwords asking them to "please change your password". The question is about the security we set up around the box we run JtR on and the data we find. Should this be done on a non-networked box? Could this be done on a secure networked box, one that only a few (about 7) trusted staff have login for? Any other tips?

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world..., and then we fucked up the endgame.
--Charlie Wilson
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Re: password auditing, (continued)
- Re: password auditing Tracy Reed (Nov 17)
- RE: password auditing John Perea (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)
- Re: password auditing Haris Pilton (Nov 17)
- Re: password auditing R. DuFresne (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing JoePete (Nov 19)
- Re: password auditing DaKahuna (Nov 23)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)