Security Basics mailing list archives

Re: Password Cracking


From: "Steve" <securityfocus () delahunty com>
Date: Sat, 11 Sep 2004 10:47:00 -0400

An interesting thing we learned during a recent vulnerability assessment is
that even if you have a good password hardening approach and secure that
password store, your folks might use that same password on other systems that
are not as secure.  Consider you are running hardened passwords for NT, and
SAM is encrypted, good, right?  Well, some of your people might use the same
passwords they use for NT on other less secure systems, for instance using
them for a particular FTP site and storing that in the FTP client
configuration.  So your hacker gets their password that way and can likely
figure out their network login easily.  Bingo, they are in.

This is something that needs to be addressed by policy and technology:
inform your users not to use the same password on different systems, but
also provide them some form of single sign-on or authentication.

I am calling this vulnerability Strong Passwords but Weak Systems.

----- Original Message ----- 
From: "Michael Shirk" <shirkdog () cryptomail org>
To: <security-basics () securityfocus com>
Sent: Friday, September 10, 2004 8:32 AM
Subject: RE: Password Cracking


LC and John are password cracking tools.
What is a password cracking tool?
Rather amazingly, computers don't store passwords*.
Actually, some computers do store passwords.
A special thank you to users who save their passwords in a file unencrypted.
:-)
Shirkdog
-----Original Message-----
From: szucker () sst-pr-1 com [mailto:szucker () sst-pr-1 com]
Sent: Thursday, September 09, 2004 1:23 AM
To: PrasannaM () catsglobal co in; security-basics () securityfocus com
Cc: dcoletta12 () hotmail com
Subject: RE: Password Cracking; Re:
Importance: Low




---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------





