Penetration Testing mailing list archives
Re: password auditing
From: JoePete <joepete () joepete com>
Date: Wed, 18 Nov 2009 00:33:58 -0500
On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote:
> before we do this we want to get an overview of just how ugly things are. we want to get real facts about how many users are using the default password.
A few observations:

One of the big reasons for password complexity is the ability to crack them offline. Essentially, password policy reflects more on the vulnerability of poorly secured systems (i.e. the ability to get at the password store) than the feeble-mindedness of employees. If your Internet-facing services (email, intranet, VPN, etc.) are a concern, your best protection is not password complexity but account lockout. Without account lockout, it is literally just a matter of time until even a strong password is broken.

Apparently complex passwords are still very guessable or phishable. In my experience, I am not seeing people guess passwords. Why go to the effort? It is far easier to phish it or retrieve it through some other channel - crack their Yahoo email, and go to the folder named "important" or "passwords" where they store all this stuff. And you know they use the same password for everything.

Lastly, the measure of complexity is misleading. Take a very popular email provider that now requires 8 characters for a password - "8characters" registers as a "strong" password.

-- 
JoePete
Current thread:
- RE: password auditing, (continued)
- RE: password auditing John Perea (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- Re: password auditing Robert Portvliet (Nov 17)
- Message not available
- RE: password auditing John Perea (Nov 17)
- RE: password auditing Bakshi, Narinder (FIN) (Nov 17)
- Re: password auditing Meta Junkie (Nov 17)
- Re: password auditing Ross Del Duca (Nov 17)
- Re: password auditing Haris Pilton (Nov 17)
- Re: password auditing R. DuFresne (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing JoePete (Nov 19)
- Re: password auditing DaKahuna (Nov 23)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Derek Robson (Nov 17)
- Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)