Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: password auditing
From: Ross Del Duca <delducra () mac com>
Date: Tue, 17 Nov 2009 07:56:50 -0800

This was routine, quarterly practice at a previous employer.  My solution to address the security implications was to 
modify Jack the Ripper to *NOT* display the discovered passwords.  I wasn't really interested in the passwords 
themselves - just some relative comparison of "crackability."  Thus my audits output was just a list of of usernames.  
With this list, password changes were enforced for the select users, and a follow up audit was performed only on this 
list.

Ross Del Duca
Help me ride to find a cure for diabetes!
Visit my page at http://main.diabetes.org/goto/RossDelDuca
Or my team's page at http://main.diabetes.org/goto/TeamRedSacramento

 
On Monday, November 16, 2009, at 10:43PM, "Derek Robson" <robsonde () gmail com> wrote:
I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords)
the basic idea is that we want a list of users that have weak
passwords, gut feeling is that a large number of staff have an old
default password.

we intend to just hit it with a 200K word dictionary, and see what we get.


the next step is run this every month and email users that have weak
passwords asking them to "please change your password"


the question is about the security we setup around the box we run JtR
on and the data we find.
should this be done on a non-networked box?
could this be done on an secure networked box, one that only a few
(about 7) trusted staff have login for?

any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault