Penetration Testing mailing list archives
Re: password auditing
From: Derek Robson <robsonde () gmail com>
Date: Wed, 18 Nov 2009 10:08:57 +1300
Thanks to everyone for such a big response. Many of you have pointed me to questions of our policy... many of you have talked about having password quality enforced when they are set....

We have no real policy around passwords, we have no standards, we do no quality testing. We don't force users to change passwords, some have had the same password for many years. Some still have the default password.

This project is to get some real data about our passwords, so we can help managers get some policy and some standards in place.

At this stage we are looking at doing a one-time cracking session. This will be done on a non-networked laptop. We will only crack for an hour or two. The only result we will take off the laptop is a percentage of users whose passwords we could crack. This will only be done after I have the OK from my manager, the two managers above him and the head of IT.

Thanks for the good input, it has given me lots to think about.

On 11/18/09, James Bensley <jwbensley () gmail com> wrote:
> Can't you implement password complexity requirements of some sort when users set their passwords? It would save hours and hours of work and the massive potential security risk you would have on your hands if you did this on a networked machine. Also it then becomes a bit of a set-and-forget principle, no need for continual checking?
>
> 2009/11/17 Derek Robson <robsonde () gmail com>:
> > I have been asked by my manager to set up a password audit.
> >
> > I plan on using john-the-ripper (unix passwords)
> > the basic idea is that we want a list of users that have weak
> > passwords, gut feeling is that a large number of staff have an old
> > default password.
> >
> > we intend to just hit it with a 200K word dictionary, and see what we get.
> >
> > the next step is run this every month and email users that have weak
> > passwords asking them to "please change your password"
> >
> > the question is about the security we set up around the box we run JtR
> > on and the data we find.
> > should this be done on a non-networked box?
> > could this be done on a secure networked box, one that only a few
> > (about 7) trusted staff have login for?
> >
> > any other tips?
>
> --
> Regards,
> James ;)
>
> Pablo Picasso - "Computers are useless. They can only give you answers." - http://www.brainyquote.com/quotes/authors/p/pablo_picasso.html
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
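The procedure Derek settles on (a one-off John the Ripper dictionary run on a non-networked laptop, bounded to an hour or two, with nothing but a percentage leaving the machine) can be scripted so that no username or plaintext is ever written anywhere except john's own files on that laptop. The script below is an added example, not code from the thread or from the John the Ripper project. It assumes `john` and its `unshadow` helper are installed, that coreutils `timeout` is available, that a copy of `passwd` and `shadow` has been brought to the laptop, and that the dictionary is a plain one-word-per-line file; the file names and the `run_audit`/`summarize` function names are this example's own choices. `summarize` relies on the documented trailer that `john --show` prints, "N password hashes cracked, M left".

```shell
#!/bin/sh
# Offline, time-boxed password audit with John the Ripper.
# Added example (not from the thread). Assumptions: john, unshadow and
# coreutils timeout in PATH; passwd/shadow copies and a wordlist on disk.
# Only the aggregate line that summarize prints is meant to leave the laptop.

# Step 1: merge passwd+shadow into john's input format, run a pure
# dictionary attack (no rules) for at most $4 seconds, then summarize.
# Usage: run_audit /path/passwd /path/shadow words.txt 7200
run_audit() {
    passwd_file=$1; shadow_file=$2; wordlist=$3; seconds=$4
    unshadow "$passwd_file" "$shadow_file" > hashes.txt
    chmod 600 hashes.txt
    # timeout exits 124 when it has to kill john; that is the expected
    # end of a bounded session, so do not treat it as a failure.
    timeout "$seconds" john --wordlist="$wordlist" hashes.txt || true
    # `john --show` prints user:plaintext lines, so it is piped straight
    # into summarize and never redirected to a file.
    john --show hashes.txt | summarize
}

# Step 2: reduce `john --show` output to one percentage line.
# Per-account lines (user:password:uid:gid:...) are ignored; only the
# trailer "N password hashes cracked, M left" is used.
summarize() {
    awk '
      /password hash(es)? cracked, [0-9]+ left$/ {
          cracked = $1          # N
          left    = $(NF - 1)   # M, the word before "left"
          seen    = 1
      }
      END {
          if (!seen) { print "no john --show trailer found"; exit 1 }
          total = cracked + left
          if (total == 0) { print "no hashes"; exit 1 }
          printf "%d of %d accounts cracked (%.1f%%)\n",
                 cracked, total, 100 * cracked / total
      }'
}
```

What stays on the laptop: `hashes.txt` and john's pot file (by default `~/.john/john.pot`), both of which hold plaintexts once anything cracks; wipe them before the machine goes back on the network. Note that with a modern slow hash such as sha512crypt, 200K words against every account may not finish inside the budget, so the percentage is a lower bound on weak passwords, not a count.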
Current thread:
- Re: password auditing, (continued)
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- Re: password auditing Robert Portvliet (Nov 17)
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)
- Re: password auditing Haris Pilton (Nov 17)
- Re: password auditing R. DuFresne (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing JoePete (Nov 19)
- Re: password auditing DaKahuna (Nov 23)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)