Penetration Testing mailing list archives
Re: password auditing
From: Anders Thulin <anders.thulin () sentor se>
Date: Wed, 18 Nov 2009 15:29:33 +0100
Derek Robson wrote:
> we intend to just hit it with a 200K word dictionary, and see what we get.
Be careful: don't fall into the all too common trap that any password that JtR can crack must be a weak password. And don't fall into the other trap that any password that contains upper and lower case letters, digits and special characters and is at least 8 characters long necessarily is a strong password. (This is the 'password policy' fallacy.) And don't assume that password strength alone is the entire truth.

JtR, particularly in 'incremental' mode, will quickly crack a lot of passwords that are quite strong to start with. (Provided you have primed JtR with suitable character frequency statistics.) 'Volvo-960', 'Saab 9-3' etc. have been reasonably common in password cracking projects I've been involved with. Not to mention 'Summer-2010', and friends. They pass most password policies, but they are still far too easy to guess.

You are only interested in weak passwords -- not passwords that are strong enough. What 'strong enough' is depends on other things -- such as if you have account lockout, and if you have logs that show that a guessing game is active, and if those logs are monitored by someone who will act correctly and timely.

Password strength should, I believe, be measured in guesses: how many guesses are required before you guess the password. Account lockouts prevent you from guessing too quickly, and particularly before the failed logins log is examined by someone who takes counter action.

The best metric I have been able to come up with for weak passwords is to run JtR with a reasonable set of password statistics from known passwords. If the password appears in the first N words that are produced from 'john --incremental --output' it's too weak.

N should be the number of guesses someone can make in a real login situation if they start, say, on the last evening before Christmas holidays, and go on until the counter-action can be taken, for instance the next time someone is alerted to the fact that there have been too many failed guesses, or too many account lockouts. In bad cases, they can go on until after New Year's Day before the right people are back at work. If there is time to guess the password in such 'worst case' scenarios before anyone reacts, the password is too weak. Even minimal lockout will help enormously in such situations.

--
Anders Thulin anders.thulin () sentor se
070-757 36 10 / Intl. +46 70 757 36 10
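The guess-count metric described in the post, as an added example that is not part of the original message or of John the Ripper: N is estimated from the lockout policy and the time until someone reacts, and a password is flagged as too weak if its position in the candidate stream is within that budget. The candidate list below is constructed and stands in for the ordered guesses JtR prints in incremental mode (the flag for printing candidates is `--stdout` in current John builds); the lockout model, which assumes an attacker simply waits out each lockout and continues, and the sample policy numbers are assumptions made here.

```python
"""Guess-count password weakness check (added example, not from the post or JtR).

A password is 'too weak' if it appears within the first N candidates of a
guess order, where N is how many online guesses an attacker can make before
counter-action is taken.
"""
import sys
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the candidate stream JtR would print; in a real
# audit this would be the first N lines of the incremental-mode output.
CANDIDATES: List[str] = [
    "123456", "password", "qwerty", "Summer-2010",
    "Volvo-960", "Saab 9-3", "letmein", "Summer-2009",
]


def guess_budget(window_minutes: float, lockout_threshold: int,
                 lockout_minutes: float, guesses_per_minute: float) -> int:
    """Estimate N: online guesses against one account before anyone reacts.

    window_minutes     : time from the first failed login until counter-action
    lockout_threshold  : failed logins that lock the account (0 = no lockout)
    lockout_minutes    : how long the account stays locked
    guesses_per_minute : rate the login service accepts while not locked out

    Assumed model: the attacker spends lockout_threshold guesses, waits out
    the lockout, and repeats until the window closes.
    """
    rate_bound = int(window_minutes * guesses_per_minute)
    if lockout_threshold <= 0 or lockout_minutes <= 0:
        return rate_bound  # no effective lockout: only the guess rate limits N
    full_waits = int(window_minutes // lockout_minutes)
    lockout_bound = lockout_threshold * (full_waits + 1)
    return min(rate_bound, lockout_bound)


def rank_in_guess_order(password: str, candidates: Iterable[str]) -> Optional[int]:
    """1-based position of password in the candidate stream, or None if absent."""
    for rank, candidate in enumerate(candidates, start=1):
        if candidate.rstrip("\n") == password:
            return rank
    return None


def audit(passwords: Iterable[str], candidates: Iterable[str],
          budget: int) -> Dict[str, bool]:
    """Map each password to True if it is guessable within the budget."""
    ordered = list(candidates)
    return {
        pw: (lambda r: r is not None and r <= budget)(rank_in_guess_order(pw, ordered))
        for pw in passwords
    }


if __name__ == "__main__":
    # Ten-day holiday window, 5 failures lock the account for 30 minutes,
    # service accepts 600 guesses/minute when not locked (constructed policy).
    n = guess_budget(window_minutes=10 * 24 * 60, lockout_threshold=5,
                     lockout_minutes=30, guesses_per_minute=600)
    # Candidates may be piped in on stdin; otherwise the constructed list is used.
    stream = sys.stdin if not sys.stdin.isatty() else CANDIDATES
    for pw, weak in audit(["Summer-2010", "Saab 9-3", "correct horse"], stream, n).items():
        print(f"{pw!r}: {'too weak' if weak else 'not within budget'} (N={n})")
```

With the constructed policy N comes out at 2405 guesses, so any password in the first 2405 candidates is too weak; removing lockout entirely raises N to the rate bound of 8,640,000, which shows why the post says even minimal lockout helps enormously.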