Re: password auditing

On Nov 18, 2009, at 12:33 AM, JoePete wrote:

On Wed, 2009-11-18 at 10:55 +1300, Derek Robson wrote:
Before we do this we want to get an overview of just how ugly things are.
We want to get real facts about how many users are using the default password.

A few observations:

One of the big reasons for password complexity is the ability to crack
them offline. Essentially, password policy reflects more on the
vulnerability of poorly secured systems (i.e. the ability to get at the
password store) than the feeble-mindedness of employees.

If your Internet-facing services (email, intranet, VPN, etc.) are a
concern, your best protection is not password complexity but account
lockout. Without account lockout, it is literally just a matter of time
until even a strong password is broken.

Apparently complex passwords still are very guessable or phishable. In
my experience, I am not seeing people guess passwords. Why go to the
effort? It is far easier to phish it or retrieve it through some other
channel - crack their Yahoo email, and go to the folder named
"important" or "passwords" where they store all this stuff. And you know
they use the same password for everything.

Lastly, the measure of complexity is misleading. Take a very popular
email provider that now requires 8 characters for a password -
"8characters" registers as "strong" password.

You make some valid points, but I will tell you why I spend approximately 48 hours every six months cracking passwords on our 43,000+ user Active Directory domain: verification of compliance with password policy. It does no good to have a policy that cannot be 100% technically enforced if you don't audit to ensure users are compliant. As long as having a complex password is a requirement, and Active Directory does not know that Password1 (which meets our three-out-of-four requirement) is a poor password, the only safe way to go is to crack the password and inform the users that are not following the rules to get their act together.

I agree 100% that phishing is a bigger threat to security than weak complex passwords. However, the users most susceptible to phishing are not the ones with advanced privileges. So once a bad guy gets in using phishing, they escalate privileges any way they can, including password cracking.

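Added illustration, not code from anyone in this thread: a small Python audit helper showing the gap both messages describe. The three-of-four character-class rule (as the reply characterises the Active Directory rule; a simplification, since the real rule also rejects passwords containing parts of the account name) and the eight-characters-only rule (the email provider example) are implemented as policy gates, and a separate check flags passwords that pass the gate but are a blocklisted word padded with digits or symbols, e.g. "Password1" and "8characters". The blocklist and leet-substitution table are constructed for the example; a real audit would use a full wordlist plus the organisation's own names.

```python
import re

# Character classes behind the "three of four" complexity rule described in
# the thread (simplified: the real AD rule also checks the account name).
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed toy blocklist for this example only; an audit would load a
# full wordlist and the organisation's own names/terms instead.
BLOCKLIST = {"password", "welcome", "characters", "letmein", "qwerty"}

# Common "leet" substitutions reversed, so P@ssw0rd compares as password.
LEET = str.maketrans("@0134$5", "aoleass")


def meets_policy(password, policy="ad", min_len=8):
    """Policy gate only.
    "ad":     at least min_len characters and 3 of the 4 classes above.
    "length": at least min_len characters, as in the email-provider example."""
    if len(password) < min_len:
        return False
    if policy == "length":
        return True
    classes = sum(1 for rx in CLASSES.values() if rx.search(password))
    return classes >= 3


def weak_reason(password):
    """Heuristic an auditor applies *after* the policy gate.
    Returns a reason string if the password is a blocklisted base word dressed
    up with leading/trailing digits or symbols (or has no letters), else None."""
    base = re.sub(r"[^A-Za-z]+$", "", password)   # drop trailing digits/symbols
    base = re.sub(r"^[^A-Za-z]+", "", base)       # drop leading digits/symbols
    if not base:
        return "no letters at all"
    normalised = base.lower().translate(LEET)     # undo common substitutions
    if normalised in BLOCKLIST:
        return f"blocklisted base word '{normalised}' padded with digits/symbols"
    return None


def audit(password, policy="ad"):
    """Return (passes_policy, weak_reason). The quadrant an auditor cares about
    is (True, <reason>): accepted by the rule, flagged by the audit."""
    return meets_policy(password, policy), weak_reason(password)


if __name__ == "__main__":
    samples = [("Password1", "ad"), ("P@ssw0rd1!", "ad"),
               ("8characters", "length"), ("8characters", "ad"),
               ("Tr0ub4dor&3", "ad")]
    for pw, pol in samples:
        ok, why = audit(pw, pol)
        print(f"{pw:14} policy={pol:6} passes={ok!s:5} flagged={why}")
```

The point of keeping `meets_policy` and `weak_reason` separate is that the first is what the directory can enforce at password-change time, while the second is what the periodic audit adds; reporting the (passes, flagged) pair per account is what lets you tell users which "compliant" passwords still need changing.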