Security Basics mailing list archives

RE: How do you conduct a password audit?


From: Matthew Reed <mreed () cgx com>
Date: Fri, 13 May 2011 12:28:21 -0500

Speaking from a safe practice perspective:

Before ANY passwords are cracked, you should have specific permission from the highest possible source of management. 
This permission should be documented in writing.

Once permission has been granted, any passwords that have been cracked should be set for automatic password change by 
the user. If this is not in place there can be issues with repudiation of any security incidents, i.e., it has happened 
in the past that users who violated company policies/legal statutes were able to avoid sanctions by claiming that the 
integrity of their account was compromised by password audits.

These 2 practices will help anyone auditing passwords avoid potential issues.


MR
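As an added illustration (not code from anyone in this thread), the weekly cron-job audit Edd describes below, combined with the two safeguards above: the run refuses to start without a written authorization file, cracked accounts are logged by name only (never with the recovered password) and are forced to change at next login. The paths under AUDIT_DIR and the CHAGE override are assumptions for the example.

```shell
#!/bin/sh
# Added example: password-audit wrapper for a Linux host, meant to be run
# from root's crontab once a week. Assumed locations (not from the thread):
set -eu
AUDIT_DIR="${AUDIT_DIR:-/var/lib/pwaudit}"   # root-only directory (0700)
AUTH_FILE="$AUDIT_DIR/authorization.txt"      # management's written sign-off
LOG_FILE="${LOG_FILE:-$AUDIT_DIR/audit.log}"  # who was flagged, and when
CHAGE="${CHAGE:-chage}"                       # overridable for dry runs/tests

# Parse `john --show` output on stdin and print each cracked username once.
# Lines are user:password:uid:gid:gecos:home:shell; the trailing summary
# ("N password hashes cracked, M left") has no colon and is dropped.
cracked_users() {
    awk -F: 'NF >= 2 && $1 != "" { print $1 }' | sort -u
}

# For every username on stdin: append a timestamped audit record and set
# the last-change date to the epoch, so the next login demands a new
# password. Only the account name reaches the log, never the plaintext.
expire_and_log() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s cracked user=%s action=force-change\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" >> "$LOG_FILE"
        "$CHAGE" -d 0 "$user"
    done
}

# Full weekly run. Aborts unless the authorization file exists, works on a
# private copy of the merged passwd/shadow data, bounds the cracking time
# with coreutils timeout, then flags whatever John recovered.
audit_shadow() {
    [ -s "$AUTH_FILE" ] || { echo "no written authorization in $AUTH_FILE" >&2; return 1; }
    umask 077
    work="$AUDIT_DIR/work.$(date +%Y%m%d)"
    unshadow /etc/passwd /etc/shadow > "$work"
    timeout 3600 john --session=pwaudit "$work" >/dev/null 2>&1 || true
    john --show "$work" | cracked_users | expire_and_log
    rm -f "$work"
}
```

Schedule `audit_shadow` from root's crontab; the authorization file is the written permission the thread insists on, and the log gives the dated record needed if a user later disputes an incident.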

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Edd Burgess
Sent: Friday, May 13, 2011 10:14 AM
To: security-basics () securityfocus com
Subject: Re: How do you conduct a password audit?

I have seen an automatic audit setup on a Linux server before as a cron
job; just running John the Ripper against the shadow file once a week
and storing any weak results so the sysadmin can contact the relative users.

In other words, if you are worried about broaching the subject with
management, try to crack the passwords yourself - In my experience,
non-techs are more convinced by actual evidence; 'I managed to crack
your password in 3 mins' than any amount of advice/information you can
throw at them. I had to actually ARP poison my boss and sniff an FTP
password to convince him to let me secure our office wifi!


On 13/05/2011 12:47, wyfr1972 () gmail com wrote:
Hi folks,

I have many questions on this.  I've learnt a lot from SecBasics, but now I have a few questions of my own.  I want 
to carry out a password audit for my company, but I'm not sure how to proceed.

Firstly, how do I broach the subject with management? Are there any standards/methodologies online that I can use to 
back up my request to management?

Then, how do you conduct the audit? We have a mix of devices Windows/Solaris/Unix/Checkpoint/Cisco/network 
printers/etc.

How do I phase the work for best effect?  How do I present my findings?

Thanks for your advice and help in advance.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


