Penetration Testing mailing list archives

Re: password auditing


From: "Kevin L. Shaw, CISSP, GCIH" <kshaw () eeenterprisesinc com>
Date: Tue, 17 Nov 2009 09:53:55 -0500

Seven trusted employees is eight too many in my opinion - with material like this you should not even trust yourself; and I always have an observer or witness when I am dealing with a sensitive activity like this.

I do not know of any of my customers that have ever used a networked machine to perform password cracking.

I know one site that has a bi-annual requirement to perform password audits per business unit; the most recent prior file is kept in a safe, each is kept in a separate locked container in the safe, and the particular machine they use for this work uses multi-factor authentication. Heck, the log files from the password cracking session are specially kept as well, and they run Wireshark to prove the computer isn't networked. I am so proud of them.

Regards,
Kevin
