Penetration Testing mailing list archives

Re: password auditing


From: Derek Robson <robsonde () gmail com>
Date: Wed, 18 Nov 2009 10:08:57 +1300

Thanks to everyone for such a big response.

Many of you have pointed me to questions of our policy...
Many of you have talked about having password quality enforced when
they are set....


We have no real policy around passwords, we have no standards, we do
no quality testing.
We don't force users to change passwords; some have had the same
password for many years.
Some still have the default password.


This project is to get some real data about our passwords, so we can
help managers get some policy and some standards in place.


At this stage we are looking at doing a one-time cracking session.
This will be done on a non-networked laptop.
We will only crack for an hour or two.
The only results we will take off the laptop is a percentage of users
whose passwords we could crack.

This will only be done after I have the OK from my manager, the two
managers above him and the head of IT.



Thanks for the good input, it has given me lots to think about.







On 11/18/09, James Bensley <jwbensley () gmail com> wrote:
> Can't you implement password complexity requirements of some sort when
> users set their passwords? It would save hours and hours of work and
> the massive potential security risk you would have on your hands if
> you did this on a network machine. Also it then becomes a bit of a set
> and forget principle, no need for continual checking?
>
> 2009/11/17 Derek Robson <robsonde () gmail com>:
> > I have been asked by my manager to set up a password audit.
> >
> > I plan on using john-the-ripper (unix passwords).
> > The basic idea is that we want a list of users that have weak
> > passwords; gut feeling is that a large number of staff have an old
> > default password.
> >
> > We intend to just hit it with a 200K word dictionary, and see what we get.
> >
> >
> > The next step is to run this every month and email users that have weak
> > passwords asking them to "please change your password".
> >
> >
> > The question is about the security we set up around the box we run JtR
> > on and the data we find.
> > Should this be done on a non-networked box?
> > Could this be done on a secure networked box, one that only a few
> > (about 7) trusted staff have login for?
> >
> > Any other tips?
> >
>
> --
> Regards,
> James ;)
>
> Pablo Picasso - "Computers are useless. They can only give you
> answers." - http://www.brainyquote.com/quotes/authors/p/pablo_picasso.html
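The offline, time-boxed session Derek describes above, reduced to its reporting step, as an added example that is not from the thread and not part of John the Ripper itself. It assumes the usual `unshadow` step and a coreutils `timeout` wrapper for the cracking run (shown only in the docstring), the `john --show` output layout reproduced in the constructed sample (passwd-style lines with the recovered plaintext in the second field, then a one-line summary), and a hypothetical site default password `Welcome1`. Both input samples are constructed; the hashes are truncated stand-ins. The point is that only counts come out of the summary function, so usernames and plaintexts never need to leave the laptop, and locked or passwordless accounts (`!`, `*`, empty) are kept out of the denominator so they do not make the cracked percentage look better than it is.

```python
"""Reduce a john --show run to aggregate numbers (added example, not JtR code).

Assumed workflow on the offline laptop:
    unshadow /etc/passwd /etc/shadow > hashes.txt
    timeout 7200 john --wordlist=words.lst hashes.txt   # two-hour session
    john --show hashes.txt > cracked.txt
    python3 audit_summary.py hashes.txt cracked.txt
"""
import json
import re
import sys
from collections import Counter

# Constructed sample of unshadow output; hash field is field 2 (truncated stand-ins).
SAMPLE_HASHES = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz:0:0:root:/root:/bin/bash
alice:$6$saltsalt$bbbbbbbbbbbbbbbbbbbbbbbbbb:1001:1001:Alice:/home/alice:/bin/bash
bob:$6$saltsalt$cccccccccccccccccccccccccc:1002:1002:Bob:/home/bob:/bin/bash
carol:$6$saltsalt$dddddddddddddddddddddddddd:1003:1003:Carol:/home/carol:/bin/bash
svc_backup:!:1010:1010:Backup:/var/backup:/usr/sbin/nologin
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Constructed sample of `john --show` output (assumed format: passwd-style line
# with the plaintext in field 2, then a summary line).
SAMPLE_SHOW = """\
alice:Welcome1:1001:1001:Alice:/home/alice:/bin/bash
bob:Welcome1:1002:1002:Bob:/home/bob:/bin/bash
carol:summer2009:1003:1003:Carol:/home/carol:/bin/bash

3 password hashes cracked, 1 left
"""

DEFAULT_PASSWORD = "Welcome1"  # hypothetical site default being audited for
SUMMARY_RE = re.compile(r"^\d+ password hash(?:es)? cracked, \d+ left$")


def auditable_accounts(hashes_text):
    """Usernames whose hash field is a real hash.

    Locked or passwordless accounts ('!', '!!', '*', empty) are excluded so
    they do not inflate the denominator of the percentage."""
    users = []
    for line in hashes_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if not pw or pw[0] in "!*":
            continue
        users.append(user)
    return users


def cracked_passwords(show_text):
    """Parse john --show output into {user: plaintext}, skipping the summary.

    A plaintext containing ':' would be split here; for a percentage report
    that only costs a mis-read plaintext, not a mis-counted account."""
    cracked = {}
    for line in show_text.splitlines():
        if not line.strip() or SUMMARY_RE.match(line.strip()):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        cracked[fields[0]] = fields[1]
    return cracked


def audit_summary(hashes_text, show_text, default_password):
    """Aggregate numbers only: this dict is the sole thing that leaves the laptop."""
    users = auditable_accounts(hashes_text)
    cracked = cracked_passwords(show_text)
    cracked_users = [u for u in users if u in cracked]
    default_users = [u for u in cracked_users if cracked[u] == default_password]
    reuse = Counter(cracked[u] for u in cracked_users)
    total = len(users)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "accounts_audited": total,
        "cracked": len(cracked_users),
        "cracked_pct": pct(len(cracked_users)),
        "default_password": len(default_users),
        "default_pct": pct(len(default_users)),
        # How many accounts share the single most common cracked password.
        "largest_shared_password_group": max(reuse.values(), default=0),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh, open(sys.argv[2]) as fc:
            hashes_text, show_text = fh.read(), fc.read()
    else:
        hashes_text, show_text = SAMPLE_HASHES, SAMPLE_SHOW
    print(json.dumps(audit_summary(hashes_text, show_text, DEFAULT_PASSWORD)))
```

With the constructed samples the output is four auditable accounts, three cracked (75.0%), two of them still on the default password (50.0%), and a largest shared-password group of two. If the monthly "please change your password" mails are ever added, they would be sent from this same offline box by username only; the plaintexts should be wiped with the laptop's cracking session rather than stored.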

