Penetration Testing
password auditing Nov 17 2009 06:43AM
Derek Robson (robsonde gmail com) (10 replies)
Re: password auditing Nov 18 2009 02:29PM
Anders Thulin (anders thulin sentor se)
Re: password auditing Nov 17 2009 09:41PM
R. DuFresne (dufresne sysinfo com) (1 replies)
Re: password auditing Nov 17 2009 09:55PM
Derek Robson (robsonde gmail com) (1 replies)
Re: password auditing Nov 18 2009 05:33AM
JoePete (joepete joepete com) (1 replies)
Re: password auditing Nov 20 2009 01:25AM
DaKahuna (da kahuna gmail com)
Re: password auditing Nov 17 2009 05:01PM
Haris Pilton (harispilton37 gmail com)
Re: password auditing Nov 17 2009 03:56PM
Ross Del Duca (delducra mac com)
Re: password auditing Nov 17 2009 03:56PM
Meta Junkie (metajunkie gmail com)
RE: password auditing Nov 17 2009 03:29PM
Bakshi, Narinder (FIN) (Narinder Bakshi ontario ca)
RE: password auditing Nov 17 2009 02:00PM
John Perea (JPerea contegosecurity com) (1 replies)
Re: password auditing Nov 17 2009 02:38PM
Robert Portvliet (robert portvliet gmail com)
RE: password auditing Nov 17 2009 01:57PM
McGhee, Eddie (Eddie McGhee ncr com) (2 replies)
I would 100% do this on a non-networked machine; it's not worth the risk to lose every user/pass combo you manage to crack.

In theory it obviously could be done on a networked machine, but if it is not needed then don't do it. If you have a genuine reason to need to be able to do it while the machine is networked, by all means go ahead, but lock the shit out of it and don't give access to anyone but yourself; 7 trusted employees is 6 too many imo.

It only takes one person to screw everyone.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Derek Robson
Sent: 17 November 2009 06:43
To: pen-test (at) securityfocus (dot) com
Subject: password auditing

I have been asked by my manager to set up a password audit.

I plan on using John the Ripper (unix passwords). The basic idea is that we want a list of users who have weak passwords; gut feeling is that a large number of staff have an old default password.

We intend to just hit it with a 200K word dictionary and see what we get.

The next step is to run this every month and email users that have weak passwords asking them to "please change your password".

The question is about the security we set up around the box we run JtR on and the data we find.
Should this be done on a non-networked box?
Could this be done on a secure networked box, one that only a few (about 7) trusted staff have logins for?

Any other tips?

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
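As an added example that is not part of the thread: a script that turns `john --show` output into the monthly notification list the original post describes, classifying each cracked account as an old default or merely weak and never storing or mailing the plaintext itself. The sample output, the default-password set and all account names are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `john --show` prints for an unshadowed passwd
# file: passwd-style lines with the hash field replaced by the recovered
# plaintext, then a summary line.
SAMPLE_JOHN_SHOW = """\
alice:Welcome1:1001:1001:Alice Example:/home/alice:/bin/bash
bob:password:1002:1002:Bob Example:/home/bob:/bin/bash
carol:s3cr3t:1003:1003:Carol Example:/home/carol:/bin/sh

3 password hashes cracked, 17 left
"""

# Hypothetical set of the organisation's old default passwords (placeholder
# values; a real audit would load these from a controlled file).
DEFAULT_PASSWORDS = {"Welcome1", "changeme"}

SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left")


@dataclass
class Finding:
    user: str
    reason: str  # "default" or "weak"; the plaintext itself is never kept


def parse_john_show(text):
    """Return (findings, cracked, left). Each plaintext is looked at only to
    classify the finding and is then discarded."""
    findings, cracked, left = [], 0, 0
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            cracked, left = int(m.group(1)), int(m.group(2))
            continue
        if ":" not in line:
            continue  # blank line or stray output
        # A plaintext containing ':' would be truncated here, but the user
        # field, which is all the report needs, is always intact.
        user, plaintext = line.split(":", 2)[:2]
        reason = "default" if plaintext in DEFAULT_PASSWORDS else "weak"
        findings.append(Finding(user, reason))
    return findings, cracked, left


def notification_lines(findings):
    """One line per account for the monthly mail-out; no passwords included."""
    return [f"{f.user}: please change your password ({f.reason} password found)"
            for f in sorted(findings, key=lambda f: f.user)]
```

Feed it the saved `john --show` output and hand `notification_lines()` to the mail merge; the summary counts give the month-over-month trend without touching any plaintext.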
RE: password auditing Nov 17 2009 02:59PM
Harris, Michael C. (HarrisMC health missouri edu) (1 replies)
Re: password auditing Nov 17 2009 06:52PM
Tracy Reed (treed ultraviolet org)
Re: password auditing Nov 17 2009 02:53PM
Kevin L. Shaw, CISSP, GCIH (kshaw eeenterprisesinc com)
Re: password auditing Nov 17 2009 01:20PM
Robert Portvliet (robert portvliet gmail com)
Re: password auditing Nov 17 2009 12:58PM
James Bensley (jwbensley gmail com)
Copyright 2010, SecurityFocus