Penetration Testing mailing list archives

Re: password auditing


From: JoePete <joepete () joepete com>
Date: Wed, 18 Nov 2009 00:33:58 -0500

On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote:
> before we do this we want to get an overview of just how ugly things are.
> we want to get real facts about how many users are using the default password.

A few observations:

One of the big reasons for password complexity is the ability to crack
them offline. Essentially, password policy reflects more on the
vulnerability of poorly secured systems (i.e. the ability to get at the
password store) than the feeble-mindedness of employees.

If your Internet facing services (email, intranet, VPN, etc) are a
concern, your best protection is not password complexity but account
lockout. Without account lockout, it is literally just a matter of time
until even a strong password is broken.

Apparently complex passwords still are very guessable or phishable. In
my experience, I am not seeing people guess passwords. Why go to the
effort? It is far easier to phish it or retrieve it through some other
channel - crack their Yahoo email, and go to the folder named
"important" or "passwords" where they store all this stuff. And you know
they use the same password for everything.

Lastly, the measure of complexity is misleading. Take a very popular
email provider that now requires 8 characters for a password -
"8characters" registers as a "strong" password.

--
JoePete
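An added example, not part of JoePete's message or of the thread, illustrating two of the points above: a character-class meter of the kind the "8characters" anecdote describes, beside a dictionary-aware estimate of the real search space, and a small model of online guessing with and without account lockout. The word list, the assumed word-list size (`WORDLIST_SIZE`), the 95-character alphabet, the strength thresholds and the guess rates are constructed assumptions, and the function names are mine.

```python
"""Added example (not part of JoePete's post or the thread): a naive
character-class strength meter beside a dictionary-aware estimate, plus a
model of online guessing with and without account lockout. The word list,
word-list size, thresholds and guess rates are constructed assumptions."""
import math
import re
from typing import List, Optional, Tuple

# Constructed mini word list; a real checker loads a large one (assumption).
DICTIONARY = {
    "password", "characters", "character", "welcome", "summer", "letmein",
    "admin", "qwerty", "dragon", "monkey", "company", "secret", "login",
}
# Assumed size of the attacker's real word list, used for guess counting.
WORDLIST_SIZE = 100_000
PRINTABLE = 95  # printable ASCII alphabet for characters we cannot classify
CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]")]


def naive_strength(pw: str) -> str:
    """The typical web-form meter: length plus number of character classes."""
    classes = sum(1 for c in CLASSES if c.search(pw))
    if len(pw) >= 8 and classes >= 2:
        return "strong"
    if len(pw) >= 8:
        return "medium"
    return "weak"


def tokenize(pw: str) -> List[Tuple[str, str]]:
    """Split into digit runs, dictionary words (greedy longest match) and
    single leftover characters, the way a cracking rule set would see it."""
    low, tokens, i = pw.lower(), [], 0
    while i < len(low):
        m = re.match(r"\d+", low[i:])
        if m:
            tokens.append(("digits", m.group()))
            i += len(m.group())
            continue
        word = next((low[i:j] for j in range(len(low), i, -1)
                     if low[i:j] in DICTIONARY), None)
        if word:
            tokens.append(("word", word))
            i += len(word)
        else:
            tokens.append(("other", low[i]))
            i += 1
    return tokens


def estimated_guesses(pw: str) -> int:
    """Size of the search space an attacker actually has to cover."""
    total = 1
    for kind, text in tokenize(pw):
        if kind == "digits":
            total *= 10 ** len(text)
        elif kind == "word":
            total *= WORDLIST_SIZE
        else:
            total *= PRINTABLE
    return total


def informed_strength(pw: str) -> str:
    """Rate by estimated guess count rather than by character classes."""
    bits = math.log2(estimated_guesses(pw))
    return "weak" if bits < 30 else "medium" if bits < 44 else "strong"


def expected_crack_seconds(guesses: int, rate_per_sec: float,
                           lockout: Optional[Tuple[int, float]] = None) -> float:
    """Expected time for an online attack. lockout=(attempts, window_seconds)
    caps the attacker at attempts/window no matter how fast the server is."""
    if lockout:
        attempts, window = lockout
        rate_per_sec = min(rate_per_sec, attempts / window)
    return guesses / 2 / rate_per_sec


if __name__ == "__main__":
    for pw in ("8characters", "Password1", "Tq7!vR2#mZ9p"):
        g = estimated_guesses(pw)
        print(f"{pw:14} naive={naive_strength(pw):6} "
              f"informed={informed_strength(pw):6} guesses=2^{math.log2(g):.1f} "
              f"no-lockout={expected_crack_seconds(g, 100) / 3600:.1f}h "
              f"5-per-15min={expected_crack_seconds(g, 100, (5, 900)) / 86400:.0f}d")
```

Under these assumptions "8characters" scores "strong" on the class meter but sits at roughly 2^20 guesses once the digit and the dictionary word are recognised, and a lockout of 5 attempts per 15 minutes turns a matter of hours at 100 guesses per second into years, which is the point the message makes about lockout mattering more than complexity for Internet-facing services.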

