Re: Password Cracking

From: S. Pidgorny [MVP] (slavickp@yahoo.com)
Date: 01/20/03


From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Mon, 20 Jan 2003 22:01:38 +1100

In big organisations with thousands of user accounts, password cracking as a means
of managing risks associated with weak passwords is neither preferred nor
practical. What do we do?

* Enforce using SOE
* Define password complexity and change policies in directory services
* Have all policies in place and train users
* Keep audit trail of all logon events

Optionally, for some critical systems:

* Have multiple parts of passwords with different custodians, so that the entire
password isn't known to one person
* Use hardware token/smart card logon (easy to do in small organisations
though)

At the end of the day, a password cracking exercise isn't that important.

Not to mention physical security, host authentication/IPsec/switched
networking (prevents sniffing), Kerberos, etc. etc.

-- 
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-

"Lohkee" <Lohkee@worldnet.att.net> wrote in message
news:2PEW9.3154$zF6.273943@bgtnsc04-news.ops.worldnet.att.net...
> Password Crackers (DRAFT FOR COMMENT)
> Copyright (C) 2003 by Lohkee!
> All rights Reserved
>
>
> Many within the professional security community recommend running password
> crackers as the preferred means of managing risk arising from the selection
> of weak passwords by system users....
> The goal, and sole justification for password cracking exercises, is to
> reduce risk by enforcing the use of strong passwords via the identification
> and subsequent elimination of those that are weak. Obviously, the validity
> of this exercise is wholly dependent on two important factors; the ability
> to correctly define and prove the characteristics of a strong password, and,
> proof that strong passwords reduce risk to the organization.

