Home page logo

pen-test logo Penetration Testing mailing list archives

Re: password auditing
From: "Kevin L. Shaw, CISSP, GCIH" <kshaw () eeenterprisesinc com>
Date: Tue, 17 Nov 2009 09:53:55 -0500

Seven trusted employees is eight too many in my opinion - with material like this you should not even trust yourself; and I always have an observer or witness when I am dealing with a sensitive activity like this.

I do not know of any of my customers that have ever used a networked machine to perform password cracking.

I know one site that has an bi-annual requirement to perform password audits per business unit; the most recent prior file is kept in a safe and each is kept in a separate locked container in the safe and the particular machine they use for this work uses multi-factor authentication. Heck the log files from the password cracking session are specially kept as well; and they run wireshark to prove the computer isn't networked. I am so proud of them.


This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]