Penetration Testing mailing list archives

RE: password auditing


From: "Bakshi, Narinder (FIN)" <Narinder.Bakshi () ontario ca>
Date: Tue, 17 Nov 2009 10:29:36 -0500

Derek, 

It seems your management wants to improve password security, and you may
want to suggest a two-track approach to them:

Track 1
*       Review company password policy and procedures. Update things
such as forced password change every 30 or 90 days, password complexity,
removal of terminated employees' passwords, disabling of inactive accounts
not used for X days, etc.
*       Work with your communications staff to send out a communication
to all staff highlighting key points from the company password policy
and stating that it will be strictly enforced. Additionally, provide a link
to the complete policy.
*       Start enforcing the password policy by completing procedures
to identify variances.

Track 2
*       Get written approval [sign-off] from management, including what is
in scope, what is out of scope, and how you plan to do it.
*       Pull a copy of the SAM or password file, etc., and use the
software of your choice [at least 2 different cracking tools] to
identify weak passwords on a stand-alone hardened computer; this
computer should not be used for any other purpose.
*       Work with management to communicate results to the
affected staff and provide assistance to them if required. [Expect and
be prepared for resistance from unexpected individuals, as human beings
don't like change.]

Repeat both tracks on a periodic basis, say every six months.

All the best

Narinder Kumar Bakshi CGA, CISA, CFE
Senior Information Technology Audit Specialist

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Derek Robson
Sent: Tuesday, November 17, 2009 1:43 AM
To: pen-test () securityfocus com
Subject: password auditing

I have been asked by my manager to setup a password audit.

I plan on using john-the-ripper (unix passwords).
The basic idea is that we want a list of users that have weak
passwords; gut feeling is that a large number of staff have an old
default password.

We intend to just hit it with a 200K-word dictionary and see what we
get.


The next step is to run this every month and email users that have weak
passwords asking them to "please change your password".


The question is about the security we set up around the box we run JtR
on and the data we find.
Should this be done on a non-networked box?
Could this be done on a secure networked box, one that only a few
(about 7) trusted staff have logins for?

Any other tips?
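The cracking step of Track 2 and the monthly dictionary run Derek describes, as an added example written for this thread (it is not code from either message). It runs John the Ripper with a wordlist only against a copied passwd/shadow pair on the stand-alone box, refuses to start if the host has a default route, and leaves behind only username lists for the notification emails, wiping the cleartexts. The directory and file names under ./audit/, the wordlist path, the old default password, and the use of the jumbo build's --pot option are assumptions.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code posted by Derek or Narinder.
# Dictionary-only audit of a copied passwd/shadow pair with John the Ripper
# on the stand-alone box, producing only username lists for follow-up.
# Assumed (not from the original messages): the file names under ./audit/,
# the wordlist path, the old default password, and that john/unshadow from
# the jumbo build are on PATH.
set -eu

AUDIT_DIR="${AUDIT_DIR:-./audit}"           # assumed working directory
WORDLIST="${WORDLIST:-./words-200k.txt}"    # assumed 200K-word dictionary
DEFAULT_PW="${DEFAULT_PW:-Welcome1}"        # assumed old default password

# Sanity check only, not a substitute for a genuinely non-networked box:
# refuse to start if the host has a default route.
require_offline() {
    if ip route show default 2>/dev/null | grep -q .; then
        echo "refusing to run: host has a default route" >&2
        return 1
    fi
}

# `john --show` prints one line per cracked account in the form
# user:cleartext:<remaining passwd fields>, then a blank line and a summary
# such as "2 password hashes cracked, 5 left". Keep only the usernames
# (the summary line has no ':' and so has a single field).
cracked_users() {
    awk -F: 'NF >= 2 { print $1 }'
}

# Usernames whose cracked password equals the old default password.
default_password_users() {
    awk -F: -v d="$1" 'NF >= 2 && $2 == d { print $1 }'
}

run_audit() {
    require_offline
    umask 077                                # results readable by the auditor only
    cd "$AUDIT_DIR"
    # passwd.copy / shadow.copy are the files pulled from the target (assumed names)
    unshadow passwd.copy shadow.copy > combined.txt
    # Dictionary pass only, as planned: no rules, no incremental mode.
    john --wordlist="$WORDLIST" --pot=./audit.pot combined.txt
    john --show --pot=./audit.pot combined.txt > show.txt
    cracked_users < show.txt > weak-users.txt
    default_password_users "$DEFAULT_PW" < show.txt > default-users.txt
    # Only the username lists leave this box. The cleartexts live in show.txt
    # and audit.pot; wipe them together with the hash copy once the
    # notification emails have gone out.
    shred -u show.txt combined.txt audit.pot
    echo "weak accounts: $(wc -l < weak-users.txt), on default password: $(wc -l < default-users.txt)"
}

# Run only when invoked explicitly, so the parsing functions can be sourced.
if [ "${1:-}" = "run" ]; then
    run_audit
fi
```

Usage on the audit box: `./audit.sh run` after copying passwd and shadow into ./audit/. The split into weak-users.txt and default-users.txt lets the monthly "please change your password" mail go out without the cleartexts or the hashes ever leaving the machine, which is the part of the data-handling question that matters most.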

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

