Home page logo

pen-test logo Penetration Testing mailing list archives

Re: password auditing
From: Anders Thulin <anders.thulin () sentor se>
Date: Wed, 18 Nov 2009 15:29:33 +0100

Derek Robson wrote:

we intend to just hit it with a 200K word dictionary, and see what we get.

  Be careful: don't fall into the all too common trap that any password that JtR
can crack must be a weak password.

  And don't fall into the other trap that any password that contains upper and
lower case letters, digits and spcial characters and is at least 8 characters long
necessarily is a strong password. (This is the 'password policy' fallacy).

  And don't assume that password strength alone is the entire truth.

  JtR, particularly in 'incremental' mode, will quickly crack a lot of passwords that
are quite strong to start with. (Provided you have primed JtR with suitable
character frequency statistics.)

  'Volvo-960', 'Saab 9-3' etc have been reasonably common in password cracking
projects I've been involved with.  Not to mention 'Summer-2010', and friends.
They pass most password policies, but they are still far too easy to guess.

  You are only interested in weak passwords -- not passwords that are strong enough.
What 'strong enough' is depends on other things -- such as if you have account lockout,
and if you have logs that show that a guessing game is active, and if those
logs are monitored by someone who will act correctly and timely.

  Password strength should, I believe, be measured in guesses: how many guesses are
required before you guess the password. Account Lockouts prevent you from guessing
too quickly, and particularly before the failed logins log is examined by someone who
takes counter action.

  The best metric I have been able to come up with for weak passwords is to
run JTR with a reasonable set of password statistics from known passwords.
If the password appears in the first N words that are produced from
'john --incremental --output' it's too weak.

  N should be the number of guesses someone can make in a real login-situation
if they start, say, on the last evening before Christmas holidays, and go on
until the counter-action can be taken, for instance the next time someone is
alerted to the fact that there have been too many failed guesses, or too many
account lockouts'.  In bad cases, they can go on until after New Year's Day before
the right people are back at work. If there is time to guess the password in such
'worst case' scenarios before anyone reacts, the password is too weak.

  Even minimal lockouting will help enormously in such situations.

Anders Thulin      anders.thulin () sentor se      070-757 36 10 / Intl. +46 70 757 36 10

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]