Penetration Testing mailing list archives

RE: Password Auditing


From: "Ken Kousky" <kkousky () ip3inc com>
Date: Sat, 5 May 2007 08:04:56 -0400

Isn't a weak password any password that your users don't know? That is, if
it's something you give them with lots of strange characters, it's NOT
something they know, making it a WEAK password.

IT Security people still have this completely backwards. All the garbage
about password auditors assures you of a password that your users don't know,
forcing them to write it down and creating a WEAKER system than if you did
nothing.

Please stop breaking the authentication model and work on second factors,
leaving one factor, as simple as a PIN, as a factor your users know!

KWK

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Manuel Arostegui Ramirez
Sent: Friday, May 04, 2007 4:39 PM
To: pen-test () securityfocus com
Subject: Re: Password Auditing

On Friday, 4 May 2007 19:50, Mike Gibson wrote:
Can anyone recommend a good password auditing tool? Basically I want
to identify weak passwords on my servers (Windows, Linux, Unix).
Ideally this would be done by a tool that could remotely fetch the
local password database and then attempt to brute force the passwords
and prepare a report in a central location.

Any suggestions?


Try Babel Enterprise:
http://babel.sf.net

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


