Penetration Testing mailing list archives
Re: password auditing
From: Ross Del Duca <delducra () mac com>
Date: Tue, 17 Nov 2009 07:56:50 -0800
This was routine, quarterly practice at a previous employer. My solution to address the security implications was to modify Jack the Ripper to *NOT* display the discovered passwords. I wasn't really interested in the passwords themselves - just some relative comparison of "crackability." Thus my audits output was just a list of of usernames. With this list, password changes were enforced for the select users, and a follow up audit was performed only on this list. Ross Del Duca Help me ride to find a cure for diabetes! Visit my page at http://main.diabetes.org/goto/RossDelDuca Or my team's page at http://main.diabetes.org/goto/TeamRedSacramento On Monday, November 16, 2009, at 10:43PM, "Derek Robson" <robsonde () gmail com> wrote:
I have been asked by my manager to setup a password audit. I plan on using john-the-ripper (unix passwords) the basic idea is that we want a list of users that have weak passwords, gut feeling is that a large number of staff have an old default password. we intend to just hit it with a 200K word dictionary, and see what we get. the next step is run this every month and email users that have weak passwords asking them to "please change your password" the question is about the security we setup around the box we run JtR on and the data we find. should this be done on a non-networked box? could this be done on an secure networked box, one that only a few (about 7) trusted staff have login for? any other tips? ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- RE: password auditing, (continued)
- RE: password auditing McGhee, Eddie (Nov 17)
- Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 17)
- RE: password auditing Harris, Michael C. (Nov 17)
- Re: password auditing Tracy Reed (Nov 17)
- RE: password auditing John Perea (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- RE: password auditing McGhee, Eddie (Nov 17)
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)
- Re: password auditing Haris Pilton (Nov 17)
- Re: password auditing R. DuFresne (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing JoePete (Nov 19)
- Re: password auditing DaKahuna (Nov 23)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)