
List:       pen-test
Subject:    Re: password auditing
From:       DaKahuna <da.kahuna () gmail ! com>
Date:       2009-11-20 1:25:00
Message-ID: E144DFF7-DD5E-4778-942D-264974131C2D () gmail ! com


On Nov 18, 2009, at 12:33 AM, JoePete wrote:

> On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote: 
> > before we do this we want to get an overview of just how ugly things are.
> > we want to get real facts about how many users are using the default password.
> 
> A few observations:
> 
> One of the big reasons for password complexity is the ability to crack
> them offline. Essentially, password policy reflects more on the
> vulnerability of poorly secured systems (i.e. the ability to get at the
> password store) than the feeble-mindedness of employees.
> 
> If your Internet facing services (email, intranet, VPN, etc) are a
> concern, your best protection is not password complexity but account
> lockout. Without account lockout, it is literally just a matter of time
> until even a strong password is broken.
> 
> Apparently complex passwords still are very guessable or phishable. In
> my experience, I am not seeing people guess passwords. Why go to the
> effort? It is far easier to phish it or retrieve it through some other
> channel - crack their yahoo email, and go to the folder named
> "important" or "passwords" where they store all this stuff. And you know
> they use the same password for everything.
> 
> Lastly, the measure of complexity is misleading. Take a very popular
> email provider that now requires 8 characters for a password -
> "8characters" registers as "strong" password.

You make some valid points, but I will tell you why I spend approximately 48 hours every six months cracking passwords on our 43,000+ user Active Directory domain: verification of compliance with password policy. It does no good to have a policy that cannot be 100% technically enforced if you don't audit to ensure users are compliant. As long as having a complex password is a requirement and Active Directory does not know that Password1 (which meets our three-out-of-four requirement) is a poor password, the only safe way to go is to crack the passwords and inform the users that are not following the rules to get their act together.

I agree 100% that phishing is a bigger threat to security than weak complex passwords. However, the users most susceptible to phishing are not the ones with advanced privileges. So once a bad guy gets in using phishing, they escalate privileges any way they can, including password cracking.





