RE: Highlighting weak password dangers

["Barrett, Will" <wbarrett () pronetsol com>]

"There is no reason for using brute-force for policy compliance."

Why not?  An intruder might.  Why on earth would you think you are safe
if you are not willing or able to do the same?  


Cheers,
 
Will Barrett

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Kenton Smith
Sent: Wednesday, January 24, 2007 4:40 PM
To: WALI; security-basics () securityfocus com
Subject: Re: Highlighting weak password dangers

Don't use something that actually tries to login to the account, that's
counter productive. Use something like John the Ripper that uses the SAM
database. Use a dictionary or hybrid attack and fill your custom
dictionary with all the passwords that aren't allowed based on your
password policy. You do have a password policy, right?

Searching for weak passwords should take no time at all. There is no
reason for using brute-force for policy compliance. As soon as you start
brute-forcing you are trying to hack user accounts and I suspect that
would be against your security policy.

Kenton

----- Original Message ----
From: WALI <hkhasgiwale () gmail com>
To: security-basics () securityfocus com
Sent: Wednesday, January 24, 2007 10:15:46 AM
Subject: Highlighting weak password dangers



I want to highlight the danger of using weak passwords on servers and
users admin desktops. I have tested TSgrinder with a basic dictionary
Brute Force to access Remote Desktop exploit on both servers and
desktops. The problem here is that when connected to domain, the Account
Lockout feature disables the account quite soon. I can only show the
exploit on machines not connected to the domain where Domain Security
policy doesn't flow down.

What are other interesting and intriguing ways to present this problem?
I also need a system to do Passwords Audit on my domain and make then
'secure password' policy compliance.





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 

“This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
entity to whom they are addressed. If you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the individual named. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if 
you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this 
information is strictly prohibited.”

 

This email has been scanned by the MessageLabs Email Security System.

For more information please visit http://www.messagelabs.com/email