Security Basics mailing list archives

Re: How do you conduct a password audit?


From: Edd Burgess <edd.burgess () cantab net>
Date: Fri, 13 May 2011 16:13:51 +0100

I have seen an automatic audit setup on a Linux server before as a cron job; just running John the Ripper against the shadow file once a week and storing any weak results so the sysadmin can contact the relevant users.

In other words, if you are worried about broaching the subject with management, try to crack the passwords yourself. In my experience, non-techs are more convinced by actual evidence ('I managed to crack your password in 3 mins') than any amount of advice/information you can throw at them. I had to actually ARP poison my boss and sniff an FTP password to convince him to let me secure our office wifi!


On 13/05/2011 12:47, wyfr1972 () gmail com wrote:
Hi folks,

I have many questions on this.  I've learnt a lot from SecBasics, but now I have a few questions of my own.  I want to carry out a password audit for my company, but I'm not sure how to proceed.

Firstly, how do I broach the subject with management? Are there any standards/methodologies online that I can use to back up my request to management?

Then, how do you conduct the audit? We have a mix of devices Windows/Solaris/Unix/Checkpoint/Cisco/network printers/etc.

How do I phase the work for best effect?  How do I present my findings?

Thanks for your advice and help in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
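
A sketch of the weekly cron audit described in the reply above, added here as an example (it is not code from the original message or its author). The paths, the wordlist, the crontab line and the function names are assumptions; the report keeps account names only and drops the cracked plaintext.

```shell
#!/bin/sh
# Added example: weekly password-audit report for a host you administer.
# Assumed crontab entry (hypothetical path): 0 3 * * 0 /usr/local/sbin/pw-audit.sh run
WORKDIR=${WORKDIR:-/root/pw-audit}           # assumption
WORDLIST=${WORDLIST:-/usr/share/dict/words}  # assumption
REPORT=${REPORT:-$WORKDIR/weak-accounts.txt} # assumption

# Read `john --show` output on stdin and print only the account names.
# Cracked lines look like user:plaintext:uid:gid:gecos:home:shell and are
# followed by a blank line and a summary without any colon in it.
# The plaintext field is discarded so the report never stores a password.
weak_users() {
    awk -F: 'NF >= 2 && $1 != "" { print $1 }' | sort -u
}

# Constructed sample of `john --show` output (not real accounts).
sample_show_output() {
    cat <<'EOF'
bob:letmein:1002:1002:Bob:/home/bob:/bin/bash
alice:summer11:1001:1001:Alice:/home/alice:/bin/bash

2 password hashes cracked, 1 left
EOF
}

audit() {
    umask 077                                 # working files readable by root only
    mkdir -p "$WORKDIR" || return 1
    unshadow /etc/passwd /etc/shadow > "$WORKDIR/hashes" || return 1
    # Wordlist pass: anything found here is weak enough to report.
    john --wordlist="$WORDLIST" --rules "$WORKDIR/hashes" >/dev/null 2>&1
    john --show "$WORKDIR/hashes" | weak_users > "$REPORT"
    rm -f "$WORKDIR/hashes"                   # do not keep a copy of the hashes
    # john records cracked plaintexts in its pot file; keep that file
    # root-only or remove it once the report has been written.
    if [ -s "$REPORT" ]; then
        echo "Accounts with weak passwords listed in $REPORT"
    fi
}

# Only run the audit when invoked as: pw-audit.sh run
case "${1:-}" in
    run) audit ;;
esac
```

Running `sample_show_output | weak_users` shows the report format without touching any real hashes.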


