Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: password auditing

From: Meta Junkie <metajunkie () gmail com>
Date: Tue, 17 Nov 2009 10:56:48 -0500
Your whole process needs to be examined, not just the security of the
box.  For example, you plan to email something to the offenders.  That
email, unless you encrypt it, will be sent plain-text on the wire.
Anyone able to grab traffic will be able to grab your email.  Be
careful what you put in that email.  For example, I think the worst
thing you could put would be the cracked password.  But, consider how
easy it was for you to crack that person's password.  Just identifying
them as having a weak password can give a disgruntled employee the
edge they need.

I would also consider addressing the root of the problem rather than
the symptom.  For example, a poorly constructed password is usually
due to ignorance or apathy.  An education program to teach people how
easy it is to create a unique and complex password would go a long
way.  I personally teach the "phrase" method that has been around
forever.  The ubiquitous example is:  "For score and seven years
ago..."  being translated into "4#&7ya...", etc.  The required length
of the password needs to go into the training examples.  People should
be trained to come up with phrases from their personal lives that they
will not forget, but that will yield complex and lengthy
pass-phrase-generated combinations of alpha-numerics and special
characters.

A well thought out education program will go well to change the
culture and inform the work-force.

Good luck!

Ken Walling, CISSP, GREM

aka Metajunkie

PS
If you want an outside consultant to assist in creating a training
program, let me know.

On Tue, Nov 17, 2009 at 1:43 AM, Derek Robson <robsonde () gmail com> wrote:

I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords)
the basic idea is that we want a list of users that have weak
passwords, gut feeling is that a large number of staff have an old
default password.

we intend to just hit it with a 200K word dictionary, and see what we get.


the next step is run this every month and email users that have weak
passwords asking them to "please change your password"


the question is about the security we setup around the box we run JtR
on and the data we find.
should this be done on a non-networked box?
could this be done on an secure networked box, one that only a few
(about 7) trusted staff have login for?

any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------






-- 
010101010101010101010101010101010
010101010101010101010101010101010
0101010101 Meta Junkie 101010101010
010101010101010101010101010101010
010101010101010101010101010100101

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: