Penetration Testing
password auditing Nov 17 2009 06:43AM
Derek Robson (robsonde gmail com) (10 replies)
Re: password auditing Nov 18 2009 02:29PM
Anders Thulin (anders thulin sentor se)
Re: password auditing Nov 17 2009 09:41PM
R. DuFresne (dufresne sysinfo com) (1 replies)
Re: password auditing Nov 17 2009 09:55PM
Derek Robson (robsonde gmail com) (1 replies)
Re: password auditing Nov 18 2009 05:33AM
JoePete (joepete joepete com) (1 replies)
Re: password auditing Nov 20 2009 01:25AM
DaKahuna (da kahuna gmail com)
Re: password auditing Nov 17 2009 05:01PM
Haris Pilton (harispilton37 gmail com)
Sounds like a fun project. I would protect it like you currently
protect the password files you are going to brute.

On Tuesday, November 17, 2009, Derek Robson <robsonde (at) gmail (dot) com> wrote:
> I have been asked by my manager to set up a password audit.
>
> I plan on using john-the-ripper (unix passwords)
> the basic idea is that we want a list of users that have weak
> passwords, gut feeling is that a large number of staff have an old
> default password.
>
> we intend to just hit it with a 200K word dictionary, and see what we get.
>
>
> the next step is run this every month and email users that have weak
> passwords asking them to "please change your password"
>
>
> the question is about the security we set up around the box we run JtR
> on and the data we find.
> should this be done on a non-networked box?
> could this be done on a secure networked box, one that only a few
> (about 7) trusted staff have login for?
>
> any other tips?
>
> ------------------------------------------------------------------------

> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

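Added example, not part of any post in this thread: one way to limit what the audit box holds is to keep only the usernames from the cracking output and never store the cracked passwords. It assumes `john --show` prints `user:password:...` lines followed by a summary line; the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): reduce `john --show` output to a
# usernames-only notification list so cracked passwords are never stored.
# Assumption: each cracked entry is "user:password:uid:gid:gecos:home:shell",
# followed by a blank line and an "N password hashes cracked, M left" summary.

# Constructed sample input; accounts and passwords are made up.
SAMPLE='alice:changeme:1001:1001:Alice Example:/home/alice:/bin/sh
bob:Welcome1:1002:1002:Bob Example:/home/bob:/bin/sh
alice:changeme:1001:1001:Alice Example:/home/alice:/bin/sh

3 password hashes cracked, 1 left'

# Read `john --show` output on stdin, print each affected username once.
# Only field 1 is kept; the cracked password in field 2 is discarded.
weak_users() {
    awk -F: 'NF >= 2 && $1 != "" { print $1 }' | sort -u
}

# Write the username list to $1, readable by the owner only.
write_notify_list() {
    out=$1
    (
        umask 077            # new files get mode 0600
        : > "$out"           # create or truncate
        chmod 600 "$out"     # tighten a pre-existing file too
        weak_users >> "$out"
    )
}

# Succeed only if group and other have no permission bits on $1.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on the constructed sample: prints "alice" and "bob".
printf '%s\n' "$SAMPLE" | weak_users
```

For the monthly run, the output of `john --show` on the audited password file would be piped into `write_notify_list`, and the resulting file drives the "please change your password" emails.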
Re: password auditing Nov 17 2009 03:56PM
Ross Del Duca (delducra mac com)
Re: password auditing Nov 17 2009 03:56PM
Meta Junkie (metajunkie gmail com)
RE: password auditing Nov 17 2009 03:29PM
Bakshi, Narinder (FIN) (Narinder Bakshi ontario ca)
RE: password auditing Nov 17 2009 02:00PM
John Perea (JPerea contegosecurity com) (1 replies)
Re: password auditing Nov 17 2009 02:38PM
Robert Portvliet (robert portvliet gmail com)
RE: password auditing Nov 17 2009 01:57PM
McGhee, Eddie (Eddie McGhee ncr com) (2 replies)
RE: password auditing Nov 17 2009 02:59PM
Harris, Michael C. (HarrisMC health missouri edu) (1 replies)
Re: password auditing Nov 17 2009 06:52PM
Tracy Reed (treed ultraviolet org)
Re: password auditing Nov 17 2009 02:53PM
Kevin L. Shaw, CISSP, GCIH (kshaw eeenterprisesinc com)
Re: password auditing Nov 17 2009 01:20PM
Robert Portvliet (robert portvliet gmail com)
Re: password auditing Nov 17 2009 12:58PM
James Bensley (jwbensley gmail com)


 

Copyright 2010, SecurityFocus