Penetration Testing mailing list archives
RE: password auditing
From: "Bakshi, Narinder (FIN)" <Narinder.Bakshi () ontario ca>
Date: Tue, 17 Nov 2009 10:29:36 -0500
Derek,

It seems your management wants to improve password security, and you may want to suggest a two-track approach to them:

Track 1
* Review company password policy and procedures. Update things such as forced password change every 30 or 90 days, password complexity, removal of terminated employees' passwords, disabling of inactive accounts not used for X days, etc.
* Work with your communications staff to send out a communication to all staff highlighting key points from the company password policy and that it will be strictly enforced. Additionally, provide a link to the complete policy.
* Start the enforcement of the password policy by completing procedures to identify variance.

Track 2
* Get written approval [signoff] from management, including what is in scope and what is out of scope and how you plan to do it.
* Pull a copy of the sam or password, etc. file and use the software of your choice [at least 2 different cracking tools] to identify weak passwords on a stand-alone hardened computer; this computer should not be used for any other purpose.
* Work with management to communicate results to the affected staff and provide assistance to them if required. [Expect and be prepared for resistance from unexpected individuals, as human beings don't like change.]

Repeat both tracks on a periodic basis - say every six months.

All the best
Narinder Kumar Bakshi CGA, CISA, CFE
Senior Information Technology Audit Specialist

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Derek Robson
Sent: Tuesday, November 17, 2009 1:43 AM
To: pen-test () securityfocus com
Subject: password auditing

I have been asked by my manager to set up a password audit. I plan on using john-the-ripper (unix passwords). The basic idea is that we want a list of users that have weak passwords; gut feeling is that a large number of staff have an old default password.

We intend to just hit it with a 200K word dictionary and see what we get. The next step is to run this every month and email users that have weak passwords asking them to "please change your password".

The question is about the security we set up around the box we run JtR on and the data we find. Should this be done on a non-networked box? Could this be done on a secure networked box, one that only a few (about 7) trusted staff have login for? Any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
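A defender-side follow-up to Derek's monthly plan and Narinder's Track 2, added here as an example that is not from any of the posters: a small Python script that turns `john --show` output into the list of users to notify and groups accounts sharing one cracked value (the "old default password" case), replacing each plaintext with a keyed HMAC so the report that leaves the audit box contains no passwords. The sample output, the key and the function names are constructed; shadow-style input with seven trailing fields is an assumption.

```python
"""Post-process `john --show` output for a monthly password audit (added example)."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of `john --show shadow-copy` output (not real data):
# user:plaintext:remaining seven shadow fields, then john's summary line.
# carol's value contains a colon to show the parser copes with it.
SAMPLE_JOHN_SHOW = """\
alice:Welcome1:15000:0:99999:7:::
bob:Welcome1:15000:0:99999:7:::
carol:sun:rise:15100:0:99999:7:::
dave:Welcome1:15000:0:99999:7:::

4 password hashes cracked, 40 left
"""

SHADOW_TRAILING_FIELDS = 7  # lastchg:min:max:warn:inactive:expire:flag (assumed shadow layout)


def parse_john_show(text):
    """Yield (user, plaintext) per cracked line; john does not escape colons, so the
    plaintext is everything between the username and the last seven fields.
    Blank lines and the "N password hashes cracked" summary are skipped."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < SHADOW_TRAILING_FIELDS + 2:
            continue
        yield fields[0], ":".join(fields[1:-SHADOW_TRAILING_FIELDS])


def build_report(text, report_key):
    """Return the report allowed to leave the cracking box: each plaintext becomes a
    truncated HMAC under report_key (a key that stays on the audit box), so accounts
    sharing one cracked value can be grouped without the report disclosing it."""
    groups = defaultdict(list)
    for user, plaintext in parse_john_show(text):
        token = hmac.new(report_key, plaintext.encode(), hashlib.sha256).hexdigest()[:12]
        groups[token].append(user)
    notify = sorted(u for users in groups.values() for u in users)
    shared = {tok: sorted(us) for tok, us in groups.items() if len(us) > 1}
    likely_default = max(shared.values(), key=len) if shared else []
    return {"notify": notify, "shared": shared, "likely_default": likely_default}


def notification(user):
    """Per-user mail body: names the account, never the password."""
    return f"{user}: the monthly password audit found your password in a dictionary. Please change it."


if __name__ == "__main__":
    report = build_report(SAMPLE_JOHN_SHOW, b"constructed-key-keep-on-audit-box")
    for user in report["notify"]:
        print(notification(user))
    print(f"{len(report['likely_default'])} accounts share the most common cracked value")
```

Run it on the audit box against the real `john --show` output and ship only the printed notifications and counts, not the cracked file.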