Re: password auditing

[Haris Pilton <harispilton37 () gmail com>]

sounds like a fun project. I would Protect it like you currently
protect the password files you are going to brute.

On Tuesday, November 17, 2009, Derek Robson <robsonde () gmail com> wrote:
> I have been asked by my manager to setup a password audit.
>
> I plan on using john-the-ripper (unix passwords)
> the basic idea is that we want a list of users that have weak
> passwords, gut feeling is that a large number of staff have an old
> default password.
>
> we intend to just hit it with a 200K word dictionary, and see what we get.
>
>
> the next step is run this every month and email users that have weak
> passwords asking them to "please change your password"
>
>
> the question is about the security we setup around the box we run JtR
> on and the data we find.
> should this be done on a non-networked box?
> could this be done on an secure networked box, one that only a few
> (about 7) trusted staff have login for?
>
> any other tips?
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------