List: pen-test
Subject: Re: password auditing
From: DaKahuna <da.kahuna () gmail ! com>
Date: 2009-11-20 1:25:00
Message-ID: E144DFF7-DD5E-4778-942D-264974131C2D () gmail ! com
On Nov 18, 2009, at 12:33 AM, JoePete wrote:
> On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote:
> > before we do this we want to get an overview of just how ugly things are.
> > we want to get real facts about how many users are using the default password.
>
> A few observations:
>
> One of the big reasons for password complexity is the ability to crack
> them offline. Essentially, password policy reflects more on the
> vulnerability of poorly secured systems (i.e. the ability to get at the
> password store) than the feeble-mindedness of employees.
>
> If your Internet facing services (email, intranet, VPN, etc) are a
> concern, your best protection is not password complexity but account
> lockout. Without account lockout, it is literally just a matter of time
> until even a strong password is broken.
>
> Apparently complex passwords still are very guessable or phishable. In
> my experience, I am not seeing people guess passwords. Why go to the
> effort? It is far easier to phish it or retrieve it through some other
> channel - crack their yahoo email, and go to the folder named
> "important" or "passwords" where they store all this stuff. And you know
> they use the same password for everything.
>
> Lastly, the measure of complexity is misleading. Take a very popular
> email provider that now requires 8 characters for a password -
> "8characters" registers as "strong" password.
You make some valid points but I will tell you why I spend approximately 48 hours
every six months cracking passwords on our 43,000+ user Active Directory domain:
verification of compliance with password policy. It does no good to have a policy
that can not be 100% technically enforced if you don't audit to ensure users are
compliant. As long as having a complex password is a requirement and Active Directory
does not know that Password1 (which meets our three out of four requirement) is a
poor password, the only safe way to go is to crack the passwords and inform the users
that are not following the rules to get their act together.
I agree 100% that phishing is a bigger threat to security than weak complex
passwords. However, the users most susceptible to phishing are not the ones with
advanced privileges. So once a bad guy gets in using phishing, they escalate
privileges any way they can, to include password cracking.
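As an added illustration of the audit described in the reply above (example code written for this archive page, not part of DaKahuna's message and not from any cracking tool he uses), the Python below approximates the Active Directory "three of four" complexity rule, computes NT hashes with a pure-Python MD4, and runs a small wordlist with a handful of mangling rules over a constructed hash dump. It shows the point made in the message: Password1 passes the policy check but falls to the first dictionary word plus a one-digit suffix. The account names, wordlist, rule set and dump are constructed for the example; the minimum length of 8 and the four character classes are a simplification of the real policy, which also rejects passwords containing parts of the account name.

```python
"""Audit a constructed NT-hash dump for passwords that satisfy the Active Directory
three-of-four complexity rule but fall to a small wordlist plus mangling rules.
Example code for this thread, not from the original message."""
import re
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 needs the OpenSSL legacy
    provider on many modern builds, so the digest is implemented here."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F, message words in order
            a = _rotl((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H (xor), words 0,8,4,12,...
            a = _rotl((a + (b ^ c ^ d) + X[round3_order[i]] + 0x6ED9EBA1) & MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password (no salt)."""
    return md4(password.encode("utf-16-le")).hex()


CHARACTER_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Approximation of 'Password must meet complexity requirements': minimum
    length (assumed 8) plus characters from at least three of four classes.
    The real policy also rejects passwords containing parts of the account name."""
    if len(password) < min_length:
        return False
    return sum(bool(re.search(cls, password)) for cls in CHARACTER_CLASSES) >= 3


def candidates(word: str):
    """Tiny rule set (assumed for the example): the edits users make to push a
    dictionary word past three-of-four. Real audits use far larger rule sets."""
    for base in {word.lower(), word.capitalize(), word.upper()}:
        yield base
        for suffix in ("1", "123", "!", "1!", "2009"):
            yield base + suffix


def audit(dump: dict, wordlist: list) -> dict:
    """Return {user: plaintext} for every hash in the dump reached by a candidate.
    NT hashes are unsalted, so one table of candidate hashes covers all users."""
    table = {}
    for word in wordlist:
        for cand in candidates(word):
            table.setdefault(nt_hash(cand), cand)
    return {user: table[h] for user, h in dump.items() if h in table}


# Constructed sample dump with fake accounts; a real one would come from ntds.dit.
# jdoe's value is the well-known NT hash of "Password1".
SAMPLE_DUMP = {
    "jdoe": "64f12cddaa88057e06a81b54e73b949b",
    "asmith": nt_hash("Summer1!"),
    "svc_backup": nt_hash("correct horse battery staple"),
}
SAMPLE_WORDLIST = ["password", "summer", "welcome", "changeme"]


def report(dump=None, wordlist=None) -> dict:
    """For each user: (recovered plaintext or None, passes complexity or None)."""
    dump = SAMPLE_DUMP if dump is None else dump
    wordlist = SAMPLE_WORDLIST if wordlist is None else wordlist
    cracked = audit(dump, wordlist)
    return {u: (cracked.get(u), meets_complexity(cracked[u]) if u in cracked else None)
            for u in dump}


if __name__ == "__main__":
    for user, (pw, ok) in report().items():
        status = "not cracked" if pw is None else f"cracked: {pw!r} (policy-compliant: {ok})"
        print(f"{user:12} {status}")
```

Two things worth noticing in the output: jdoe and asmith are both fully policy-compliant and both fall to the smallest possible rule set, while svc_backup's long lowercase passphrase fails the complexity check yet is not reached at all. That is the gap the reply describes: the policy engine can only count character classes, so a periodic offline audit of the hash store is what actually tells you whether the policy is producing strong passwords.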