Penetration Testing
On Nov 18, 2009, at 12:33 AM, JoePete wrote:
> On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote:
>> Before we do this we want to get an overview of just how ugly things are.
>> We want to get real facts about how many users are using the default password.
>
> A few observations:
>
> One of the big reasons for password complexity is the ability to crack
> them offline. Essentially, password policy reflects more on the
> vulnerability of poorly secured systems (i.e. the ability to get at the
> password store) than the feeble-mindedness of employees.
>
> If your Internet facing services (email, intranet, VPN, etc) are a
> concern, your best protection is not password complexity but account
> lockout. Without account lockout, it is literally just a matter of time
> until even a strong password is broken.
>
> Apparently complex passwords still are very guessable or phishable. In
> my experience, I am not seeing people guess passwords. Why go to the
> effort? It is far easier to phish it or retrieve it through some other
> channel - crack their yahoo email, and go to the folder named
> "important" or "passwords" where they store all this stuff. And you know
> they use the same password for everything.
>
> Lastly, the measure of complexity is misleading. Take a very popular
> email provider that now requires 8 characters for a password -
> "8characters" registers as a "strong" password.
You make some valid points, but I will tell you why I spend approximately 48 hours every six months cracking passwords on our 43,000+ user Active Directory domain: verification of compliance with password policy. It does no good to have a policy that cannot be 100% technically enforced if you don't audit to ensure users are compliant. As long as having a complex password is a requirement and Active Directory does not know that Password1 (which meets our three-out-of-four requirement) is a poor password, the only safe way to go is to crack the passwords and inform the users who are not following the rules to get their act together.
I agree 100% that phishing is a bigger threat to security than weak complex passwords. However, the users most susceptible to phishing are not the ones with advanced privileges. So once a bad guy gets in using phishing, they escalate privileges any way they can, including password cracking.
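An added example, not from this thread: a small Python audit routine implements the three-of-four character-class rule as the post describes it (Windows' built-in policy also adds a length minimum and an account-name check, omitted here as an assumption) and then flags passwords such as Password1 that satisfy the rule yet are built on a banned word or a predictable pattern. The credential list and banned words are constructed for illustration.

```python
import re
from collections import Counter

# Character classes behind the "three out of four" complexity rule in the
# post. Windows' built-in policy also adds a length minimum and an
# account-name check; those are left out here (assumption).
CLASSES = [
    ("upper", re.compile(r"[A-Z]")),
    ("lower", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("symbol", re.compile(r"[^A-Za-z0-9]")),
]

# Predictable shape that passes the rule: Capitalised word + 1-3 digits/symbols.
WEAK_PATTERN = re.compile(r"^[A-Z][a-z]{3,}[0-9!@#$]{1,3}$")
BANNED_WORDS = {"password", "welcome", "summer", "winter", "company"}  # constructed

def classes_used(password):
    return {name for name, rx in CLASSES if rx.search(password)}

def meets_complexity(password, minimum=3):
    return len(classes_used(password)) >= minimum

def is_weak(password):
    # Compliant with the rule, but a banned base word or a predictable pattern.
    base = re.sub(r"[^a-z]", "", password.lower())
    return bool(WEAK_PATTERN.match(password)) or base in BANNED_WORDS

def audit(cracked):
    # cracked: (username, recovered_password) pairs from an authorised audit.
    report = {"noncompliant": [], "weak_but_compliant": [], "password_reuse": {}}
    counts = Counter(pw for _, pw in cracked)
    for user, pw in cracked:
        if not meets_complexity(pw):
            report["noncompliant"].append(user)
        elif is_weak(pw):
            report["weak_but_compliant"].append(user)
    report["password_reuse"] = {pw: n for pw, n in counts.items() if n > 1}
    return report

# Constructed sample of recovered credentials (not real data).
SAMPLE = [
    ("alice", "Password1"),
    ("bob", "Welcome2009!"),
    ("carol", "summer"),
    ("dave", "Password1"),
    ("erin", "Tq7#vL9!pWx2"),
]
```

Calling audit(SAMPLE) reports carol as non-compliant, alice, bob and dave as compliant-but-weak, and Password1 as shared by two accounts.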