Security Basics mailing list archives

RE: How do you conduct a password audit?


From: Mike Mychalczuk <Michael.Mychalczuk () netiq com>
Date: Fri, 13 May 2011 18:52:43 +0000

What you are wanting to do makes sense, but I strongly urge you, before you even consider starting this, to have a 
highly documented plan that has sign-off up in the stratosphere level of management.  Essentially you need a "get 
out of jail free" card because there is no way that I know of that you can do this that does not involve what 
fundamentally amounts to hacking, and you do not want to go down this road, regardless of intention, without solid 
managerial backing.

The justification for this exercise can be summarized as follows: in the absence of multi-factor authentication for every 
employee in the company, a legitimate layer of defense of the user identity is the password and its complexity.  Since 
the organization provisions and deprovisions users to information and business services through the identity, protecting 
the user's identity is a legitimate risk mitigation exercise.  A valid argument can also be made that while a 
vulnerability may be exploited that is technical in nature, i.e. cross-site scripting, at some point in the path there 
usually has to be at least one elevated userid / password that is compromised; thus the password strength audit is a 
legitimate risk mitigation technique.

I personally do not know of any "industry best practices" on this subject because in my experience this topic is very 
organizationally and geopolitically culturally sensitive.  However, having had the opportunity to discuss this subject 
around different parts of the world, here are some "commonalities" to consider:

1. Have a documented policy approved and signed off on by an officer of the company.  Make sure the policy outlines the 
WHO, WHAT, WHEN.  Also make sure the policy clearly denotes the approved methodology.  I've seen cases where the policy 
itself does not include the methodology but instead references an approved "methodology" document.  This allows the 
methodology to be modified independent of the approved policy.  Make sure this plan has been vetted with legal.  I have 
heard of cases where everyone thought they were good, legal had not been consulted, and bad things happened as a result. 
Make sure corporate counsel is on board.  In the ideal universe a member of their organization is your witness.

2. Do not do it as a party of one.  Have a tester / evaluator and a witness.  Establish a chain of custody of the data. 
One way I've heard of this being done is that the test is performed, the data collected, and the test output that contains the 
cracked passwords is destroyed so that all that remains is the quantifiable data and a means to notify an individual 
simply that "recently their password was audited, and that they failed the audit - please immediately reset your 
password following the stated corporate policies...."  You want to have a witness that you (or someone else) are not 
doing this with malicious intent or improperly handling the information.

3. Typical reporting I've seen requested is: # of accounts tested, # of accounts compromised by audit project and then 
ultimately rolled up to department, BU / LOB, and ultimately organizational level.  This provides enough fidelity to 
identify where additional education efforts should be focused etc.

4. I have been told of these types of exercises (I've not personally done it this way) where individuals who had weak 
passwords automatically had their passwords reset via automation and private notification.  This requires a fair amount 
of scripting unless there is an Identity Management tool in place.  I thought it was a good idea because, depending on 
the tool(s) being used, an argument can be made that the tester then has access to the compromised password; via 
secondary processes the compromised password is automatically changed to a password that meets the requirements and is 
provided only to the end user, who is then required to change it again upon first login.


With regard to the methodology, or "how" to conduct the audit: you want the audit to represent the real threat.  Where 
you have multiple devices, if your tester is not fluent in these platforms then they should seek counsel from SMEs as to 
how they would go about conducting the activity and what tools they would use, etc.  This knowledge should then be 
codified into the "methodology" document referenced before, which includes the tools to be used.  This is another reason 
why the methodology is separated from the policy: so that it can be modified to reflect the current situational assessment.

Phasing the work is something that is more in the eye of the beholder than something that is universal.  I personally 
tend to like to go the following way, but I would defer to others who engage in this far more than I do:

1. Non-user accounts by platform.  These would be Service / Application accounts where the end user is not a physical 
person.  Go by platform to keep the work manageable.

2. Perimeter user accounts if identity stores are self-contained, i.e. using WatchGuard's internal repository for VPN 
access, etc.

3. Divide users by departments / platforms.  Work at the departmental level across users / platforms.

4. Notify non-compliant users at the end of each department sweep and provide adequate time for them to remediate.

5. Rescan accounts that fail the first audit.

6. Provide regular and timely reporting of findings to management so that your management may communicate with their 
peers and others as appropriate in terms of findings and remediation.

I hope this is helpful and was what you were looking for.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of wyfr1972 () gmail com
Sent: Friday, May 13, 2011 4:47 AM
To: security-basics () securityfocus com
Subject: How do you conduct a password audit?

Hi folks,

I have many questions on this.  I've learnt a lot from SecBasics, but now I have a few questions of my own.  I want to 
carry out a password audit for my company, but I'm not sure how to proceed.

Firstly, how do I broach the subject with management? Are there any standards/methodologies online that I can use to 
back up my request to management?

Then, how do you conduct the audit? We have a mix of devices: Windows/Solaris/Unix/Checkpoint/Cisco/network 
printers/etc.

How do I phase the work for best effect?  How do I present my findings?

Thanks for your advice and help in advance.
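The data-handling and reporting steps in the reply above (item 2: destroy the cracked passwords and keep only the quantifiable data plus a way to notify each failed user; item 3: roll the counts up by department, BU / LOB and organization; phasing step 5: rescan the accounts that failed) can be sketched as a small post-processing script. This is an added illustration, not code from the original post or from any of the tools mentioned; the tool output format, the department and BU labels, and the "recovered" placeholder values are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample of what a cracking tool's summary might look like once the
# run is over. Department / BU labels are assumed to have been pulled from the
# directory beforehand; "recovered" is a placeholder marker, not a real password.
RAW_TOOL_OUTPUT = [
    {"account": "alice", "department": "Finance", "bu": "Corporate", "recovered": "<placeholder>"},
    {"account": "bob", "department": "Finance", "bu": "Corporate", "recovered": None},
    {"account": "carol", "department": "Engineering", "bu": "Products", "recovered": "<placeholder>"},
    {"account": "dave", "department": "Engineering", "bu": "Products", "recovered": None},
    {"account": "erin", "department": "Engineering", "bu": "Products", "recovered": None},
    {"account": "svc_backup", "department": "IT", "bu": "Corporate", "recovered": "<placeholder>"},
]


@dataclass(frozen=True)
class AuditResult:
    """Only the quantifiable outcome survives: who was tested, where they sit, pass/fail."""
    account: str
    department: str
    bu: str
    failed: bool


def sanitize(raw_rows: Iterable[dict]) -> List[AuditResult]:
    """Collapse tool output to pass/fail and drop the recovered value on the spot,
    so nothing downstream (reports, notices, the witness's copy) ever carries it.
    In a real run the raw tool output is destroyed right after this step."""
    results = []
    for row in raw_rows:
        results.append(AuditResult(
            account=row["account"],
            department=row["department"],
            bu=row["bu"],
            failed=row.get("recovered") is not None,
        ))
    return results


def rollup(results: Iterable[AuditResult]) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """(tested, failed) counts at department, BU and organization level."""
    levels: Dict[str, Dict[str, List[int]]] = {
        "department": defaultdict(lambda: [0, 0]),
        "bu": defaultdict(lambda: [0, 0]),
        "organization": defaultdict(lambda: [0, 0]),
    }
    for r in results:
        for level, key in (("department", r.department), ("bu", r.bu), ("organization", "all")):
            levels[level][key][0] += 1
            if r.failed:
                levels[level][key][1] += 1
    return {level: {k: (v[0], v[1]) for k, v in groups.items()} for level, groups in levels.items()}


def notifications(results: Iterable[AuditResult]) -> Dict[str, str]:
    """One private notice per failed account; the text carries no password material."""
    msg = ("Your password was recently audited and did not meet policy. "
           "Please reset it immediately following the corporate password policy.")
    return {r.account: msg for r in results if r.failed}


def rescan_list(results: Iterable[AuditResult]) -> List[str]:
    """Accounts to re-test once the remediation window has passed (phasing step 5)."""
    return sorted(r.account for r in results if r.failed)


def format_report(counts: Dict[str, Dict[str, Tuple[int, int]]]) -> str:
    """Management-facing summary: counts and failure rate per level, nothing per-user."""
    lines = []
    for level in ("organization", "bu", "department"):
        for name, (tested, failed) in sorted(counts[level].items()):
            pct = 100.0 * failed / tested if tested else 0.0
            lines.append(f"{level:<12} {name:<12} tested={tested:>4} failed={failed:>4} ({pct:5.1f}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    clean = sanitize(RAW_TOOL_OUTPUT)
    print(format_report(rollup(clean)))
    print("rescan:", ", ".join(rescan_list(clean)))
    for account, text in notifications(clean).items():
        print(f"notify {account}: {text}")
```

The point of `sanitize` sitting first in the pipeline is that the witness and the report consumers only ever see `AuditResult` objects; the recovered values exist in one place and are discarded before any rollup, notice, or rescan list is built.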

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



