
List:       pen-test
Subject:    [Fwd: Re: password auditing]
From:       Per Thorsheim <putilutt () online ! no>
Date:       2009-11-17 15:05:36
Message-ID: 4B02BBC0.50206 () online ! no

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Don't do it before you are prepared to handle the results!

1. Do NOT ask users with weak passwords to change their password (at
least don't let them know you know, because they will get mad at you).

2. Before you do your audit, check if you can extract information such
as "password last set date/time" - statistics and a heatmap on those
data say a lot before you have to do an audit.

3. Check that you can implement and technically enforce complexity
requirements. A user with password7 will otherwise change to password8
next time - doesn't help security much.

4. Figure out what you should and actually can do about non-personal
accounts with bad passwords. It's not as easy as you think.

5. Depending on who your manager is, please ask him/her to verify all
legal aspects of doing such an audit, as well as internal
audit/compliance requirements. You'll probably get access to the
password of everyone in the executive staff, human relations, legal
departments etc. NOT the kind of data you want to be held liable for if
something goes wrong!

6. Do the audit on an offline computer. Do the statistics, wipe the
source and output data from john. Store data on an encrypted volume from
the beginning.

Good luck!

Regards,
Per Thorsheim
twitter.com/thorsheim


Derek Robson wrote:
> I have been asked by my manager to set up a password audit.
> 
> I plan on using john-the-ripper (unix passwords).
> The basic idea is that we want a list of users that have weak
> passwords, gut feeling is that a large number of staff have an old
> default password.
> 
> we intend to just hit it with a 200K word dictionary, and see what we get.
> 
> 
> the next step is run this every month and email users that have weak
> passwords asking them to "please change your password"
> 
> 
> the question is about the security we set up around the box we run JtR
> on and the data we find.
> should this be done on a non-networked box?
> could this be done on a secure networked box, one that only a few
> (about 7) trusted staff have login for?
> 
> any other tips?
> 
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
> 
> Prove to peers and potential employers without a doubt that you can actually do a \
> proper penetration test. IACRB CPT and CEPT certs require a full practical \
> examination in order to become certified. 
> http://www.iacertification.org
> ------------------------------------------------------------------------
> 
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksCu8AACgkQsXl+Y9DQrvYjEwCggzq+LREGfQ5LicqfUp8Wismq
awgAoJL5RFj7bxgjZAZJvBMfHozm4UIU
=VFst
-----END PGP SIGNATURE-----
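As an added example (not code from the thread, from Per Thorsheim or from the john project), the Python below covers points 2 and 4 of the reply above: it reads passwd- and shadow-format text, summarises when each usable password was last set (the "password last set" statistics and a text heatmap by month), flags days on which many passwords were set at once (the likely "old default password" group), and lists non-personal accounts that still carry a usable hash so they can be planned for before john ever runs. Nothing it outputs contains a hash. The sample lines are constructed, and the UID 1000 boundary for personal accounts is an assumption (check UID_MIN in /etc/login.defs on the real system).

```python
"""Pre-audit statistics from passwd/shadow-format data.

Added example, not code from the thread: summarise when passwords were last
set and which non-personal accounts still have usable hashes, before any
hash is fed to john. Sample lines are constructed; the UID boundary is an
assumption (UID_MIN in /etc/login.defs on the real system).
"""
from collections import Counter, namedtuple
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)       # shadow's third field: days since this date
PERSONAL_UID_MIN = 1000        # assumption: accounts below this are system/service
STALE_DAYS = 365               # passwords older than this are reported as stale

ShadowEntry = namedtuple("ShadowEntry", "name hash lastchg")

# Constructed sample data; the hash fields are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
svc_backup:x:999:999:backup service:/var/lib/backup:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
erin:x:1004:1004::/home/erin:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$placeholder:14400:0:99999:7:::
daemon:*:14000:0:99999:7:::
sshd:!:14000:0:99999:7:::
svc_backup:$6$placeholder:12800:0:99999:7:::
alice:$6$placeholder:13100:0:99999:7:::
bob:$6$placeholder:13100:0:99999:7:::
carol:$6$placeholder:14560:0:99999:7:::
dave:$6$placeholder:13100:0:99999:7:::
erin:$6$placeholder::0:99999:7:::
"""


def parse_passwd(text):
    """Return {username: uid} from passwd-format text."""
    uids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            uids[fields[0]] = int(fields[2])
    return uids


def parse_shadow(text):
    """Return {username: ShadowEntry}; lastchg is None when the field is empty."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            lastchg = int(fields[2]) if fields[2] else None
            entries[fields[0]] = ShadowEntry(fields[0], fields[1], lastchg)
    return entries


def has_usable_hash(hash_field):
    """False for locked or passwordless entries: empty, '*', '!', '!!', '!$6$...'."""
    return bool(hash_field) and not hash_field.startswith(("*", "!"))


def pre_audit_report(shadow, uids, today):
    """Build the statistics; no hash value is copied into the result.

    by_month:    how many usable passwords were last set in each YYYY-MM
    clusters:    days on which several passwords were set at once (bulk
                 provisioning, i.e. the likely 'old default password' group)
    never_set:   usable hash but empty last-change field
    stale:       last set more than STALE_DAYS ago
    nonpersonal: system/service accounts with a usable hash (point 4 above)
    """
    today_days = (today - EPOCH).days
    by_month, by_day = Counter(), Counter()
    never_set, stale, nonpersonal = [], [], []
    for name, entry in sorted(shadow.items()):
        if not has_usable_hash(entry.hash):
            continue
        if uids.get(name, PERSONAL_UID_MIN) < PERSONAL_UID_MIN:
            nonpersonal.append(name)
        if entry.lastchg is None:
            never_set.append(name)
            continue
        set_on = EPOCH + timedelta(days=entry.lastchg)
        by_month[set_on.strftime("%Y-%m")] += 1
        by_day[set_on.isoformat()] += 1
        if today_days - entry.lastchg > STALE_DAYS:
            stale.append(name)
    clusters = {day: n for day, n in by_day.items() if n > 1}
    return {"by_month": by_month, "clusters": clusters, "never_set": never_set,
            "stale": stale, "nonpersonal": nonpersonal}


def render_histogram(by_month):
    """Text form of the 'heatmap': one row per month, oldest first."""
    return "\n".join("%s %s %d" % (m, "#" * n, n) for m, n in sorted(by_month.items()))


def run_sample(today=date(2009, 11, 17)):
    """Run the report over the constructed sample as of the thread's date."""
    return pre_audit_report(parse_shadow(SAMPLE_SHADOW), parse_passwd(SAMPLE_PASSWD), today)


if __name__ == "__main__":
    report = run_sample()
    print(render_histogram(report["by_month"]))
    for key in ("clusters", "never_set", "stale", "nonpersonal"):
        print(key, report[key])
```

On the sample, three accounts share one last-set day in 2005, which is exactly the cluster a bulk-assigned default password leaves behind, and two accounts below the UID boundary (root and a service account) still have usable hashes, so a plan for them is needed before the dictionary run rather than after. Run it against a copy of the real files on the offline audit box; the report holds usernames and dates only, so it can be kept after the john input and output have been wiped.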


