Penetration Testing mailing list archives
Re: password auditing
From: "Kevin L. Shaw, CISSP, GCIH" <kshaw () eeenterprisesinc com>
Date: Tue, 17 Nov 2009 09:53:55 -0500
Seven trusted employees is eight too many in my opinion - with material like this you should not even trust yourself; and I always have an observer or witness when I am dealing with a sensitive activity like this.
I do not know of any of my customers that have ever used a networked machine to perform password cracking.
I know one site that has a bi-annual requirement to perform password audits per business unit; the most recent prior file is kept in a safe and each is kept in a separate locked container in the safe and the particular machine they use for this work uses multi-factor authentication. Heck, the log files from the password cracking session are specially kept as well; and they run Wireshark to prove the computer isn't networked. I am so proud of them.
Regards,
Kevin