Penetration Testing mailing list archives

Re: password auditing


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 17 Nov 2009 16:41:07 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




Yes, this box needs to be locked down as tightly as possible. Afterall that data it contains is delicate to say the least.

Secondly though, why do passwd's in this env not expire? And why are there now requirements to force users to choose secure passwd's in the first place?


Thanks,

Ron DuFresne



On Tue, 17 Nov 2009, Derek Robson wrote:

I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords)
the basic idea is that we want a list of users that have weak
passwords, gut feeling is that a large number of staff have an old
default password.

we intend to just hit it with a 200K word dictionary, and see what we get.


the next step is run this every month and email users that have weak
passwords asking them to "please change your password"


the question is about the security we setup around the box we run JtR
on and the data we find.
should this be done on a non-networked box?
could this be done on an secure networked box, one that only a few
(about 7) trusted staff have login for?

any other tips?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame.    --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFLAxh1st+vzJSwZikRAi7KAKCw06eCnb5kZC0fE/hTekeObPlXcACgxpKP
q3fENOYf7+KHd+u2ABcQ4N4=
=ES7h
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------


Current thread: