Penetration Testing mailing list archives

Re: password auditing


From: "Kevin L. Shaw, CISSP, GCIH" <kshaw () eeenterprisesinc com>
Date: Wed, 18 Nov 2009 01:25:36 -0500

Derek:

"An hour or two" is not going to give you a sufficient assessment.
Going through your 200K word dictionary a single time will probably take
longer than that.  I would recommend a couple of things based on your
latest note, as well as this comment: without first having an enforceable
policy in place, this is really like putting the cart before the horse.
However, I understand the reason why you are doing this, so good luck -
but you *must not* let it be a two hour run; that is unrealistic.

First, don't use this "200K" dictionary you mentioned.  You are looking
for default passwords?  Find and/or create a list of default passwords
for the software (and hardware; I know there are some interesting
"legacy" electronics out there) you have in place at your organization.
Use this, and run all the usernames and variations of usernames as part
of the attack.  I might even recommend finding the names of people's
children and pets as easily as you can, or over the internet - Facebook,
etc. - just like a regular penetration test/attack - and putting these in
the dictionary.  If it is publicly accessible, it is game.

Second, run this for a week.  An attack of this sort will last more than
two hours.  Running the option to hide the cracked passwords is a good
idea.  You will probably not need to demonstrate 'password z' was
cracked in x minutes; I'm assuming they just want a number, so leave the
laptop physically locked up for those few days and regularly examine the
status.  I would be inclined in this situation to report that status to
management at least once daily in case, after dozens of passwords are
easily cracked, they decide to start putting a sound policy in place
right away.

Sorry this is long-winded; I'm up a lot longer than usual.  Good luck
with this task; it seems like you have a little support from some people
and some hostility from others (two hours??).

Kev

Derek Robson wrote:
Thanks to everyone for such a big response.

Many of you have pointed me to questions of our policy...
Many of you have talked about having password quality enforced when
they are set....


We have no real policy around passwords, we have no standards, we do
no quality testing.
We don't force users to change passwords; some have had the same
password for many years.
Some still have the default password.


This project is to get some real data about our passwords, so we can
help managers get some policy and some standards in place.


At this stage we are looking at doing a one-time cracking session.
This will be done on a non-networked laptop.
We will only crack for an hour or two.
The only results we will take off the laptop are a percentage of users
whose passwords we could crack.

This will only be done after I have the OK from my manager, the two
managers above him and the head of IT.



Thanks for the good input; it has given me lots to think about.
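The audit Kevin describes (a default-password list plus username variations, with only the percentage of cracked accounts reported, never the plaintexts) sketched as an added example; this is not code from either post. The account data, the default-password list and the use of unsalted SHA-256 are constructed assumptions for illustration; a real system's hashes (crypt, NTLM) would need `hash_password` swapped accordingly.

```python
import hashlib

# Constructed sample data for illustration only: usernames mapped to an
# unsalted SHA-256 hex digest of the account's password. Real system hashes
# are salted or use another algorithm; replace hash_password accordingly.
def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

SAMPLE_ACCOUNTS = {
    "alice": hash_password("changeme"),         # still on a vendor default
    "derek": hash_password("derek123"),         # username plus a suffix
    "carol": hash_password("carol"),            # the username itself
    "bob":   hash_password("q7#Lm!v9Zp2@wX"),   # not derivable from this list
}

# Assumed short default-password list; a real audit uses one built for the
# software and hardware actually deployed, as the post recommends.
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "welcome1", "letmein"]

COMMON_SUFFIXES = ["", "1", "123", "!", "2009"]

def username_variations(username: str) -> set:
    """Candidates derived from the username alone: case, reversal, doubling, suffixes."""
    base = username.lower()
    forms = {base, base.capitalize(), base.upper(), base[::-1], base * 2}
    return {form + suffix for form in forms for suffix in COMMON_SUFFIXES}

def audit_accounts(accounts: dict, defaults: list) -> dict:
    """Return aggregate numbers only; which accounts fell, and to what, never leaves this function."""
    default_hashes = {hash_password(p) for p in defaults}   # hash each default once
    cracked = 0
    for username, stored_hash in accounts.items():
        # Per-account candidates: the shared defaults plus this user's own name variations.
        candidates = default_hashes | {hash_password(v) for v in username_variations(username)}
        if stored_hash in candidates:
            cracked += 1
    total = len(accounts)
    return {
        "total": total,
        "cracked": cracked,
        "percent_cracked": round(100.0 * cracked / total, 1) if total else 0.0,
    }

if __name__ == "__main__":
    # Status line suitable for the daily report to management: counts and a percentage only.
    print(audit_accounts(SAMPLE_ACCOUNTS, DEFAULT_PASSWORDS))
```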




