{"id":104,"date":"2009-03-16T01:31:27","date_gmt":"2009-03-16T07:31:27","guid":{"rendered":"http:\/\/www.digitallachance.com\/blog\/?p=104"},"modified":"2009-03-16T01:31:27","modified_gmt":"2009-03-16T07:31:27","slug":"the-importance-of-password-audits","status":"publish","type":"post","link":"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/","title":{"rendered":"The importance of password audits"},"content":{"rendered":"<p>Have you ever tried to crack your network users&#8217; passwords?\u00a0 Why would you do that, you ask?\u00a0 Simple: a compliance check is one reason.\u00a0 The other is to better understand what is possible and what kind of passwords your users are using.\u00a0 In this post, I&#8217;ll discuss why it is a very good idea to do periodic password audits in your network.<\/p>\n<p>You might think that the idea of running a password cracking program on your network users is a waste of time.\u00a0 In fact, you have to remember that the bad guys are likely to use that type of tool, so you should use it first.\u00a0 That way you will know what a black hat will be able to get out of your password database.\u00a0 Here are a few reasons why you should do regular password audits.<\/p>\n<p>You should not have the false comfort that your network is safe just because you have turned on the <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc875814.aspx\" target=\"_blank\">complex password group policy in Active Directory<\/a>.\u00a0 The rules for complex passwords in Active Directory are as follows:<\/p>\n<ul>\n<li>The password is at least six characters long.<\/li>\n<li>The password contains characters from at least three of the following five categories:\n<ul>\n<li>English uppercase characters (A &#8211; Z)<\/li>\n<li>English lowercase characters (a &#8211; z)<\/li>\n<li>Base 10 digits (0 &#8211; 9)<\/li>\n<li>Non-alphanumeric (For example: !, $, #, or %)<\/li>\n<li>Unicode characters<\/li>\n<\/ul>\n<\/li>\n<li>The 
password does not contain three or more characters from the user&#8217;s account name.<\/li>\n<\/ul>\n<p>Under those rules, the password <strong>Password1<\/strong> is actually a valid password.\u00a0 How good of a password is that?\u00a0 It is a valid password because Active Directory does not actually do a password complexity check.\u00a0 What it does is more accurately described as a password constraint check.\u00a0 The idea of complex passwords is to force users not to use dictionary words as their passwords.\u00a0 Since it is not practical to have a full dictionary in Active Directory to make sure that passwords are not in the dictionary, the designers simply impose constraints on what your password should look like.\u00a0 Hence the complex password group policy constraints described above.<\/p>\n<p>Another aspect of passwords is that people will tend to re-use the same password everywhere they can.\u00a0 What this means is that the password is only as strong as the weakest link.\u00a0 Namely, if you use the same password on a web site that is easily compromised, the black hat will try the newly discovered password on your bank account as well, knowing full well that it is likely going to be the same password.<\/p>\n<p>If you are not willing, or not allowed, to do a password audit on your network, you really should take a look at studies that were done on passwords that have been revealed because of security breaches.\u00a0 There have been two recent incidents that are worth reading about.\u00a0 One is an article on Dark Reading (<a href=\"http:\/\/www.darkreading.com\/blog\/archives\/2009\/02\/phpbb_password.html\" target=\"_blank\">http:\/\/www.darkreading.com\/blog\/archives\/2009\/02\/phpbb_password.html<\/a>) about the phpbb.com web site hack.\u00a0 The other one is from Bruce Schneier, who did an analysis of passwords that were published by the people behind a fake MySpace web page used in a phishing campaign.<\/p>\n<p>Whenever possible, 
you should use some kind of two-factor authentication, such as smart cards or an RSA token.<\/p>\n<p>One of the best known password cracking programs is L0phtCrack, which used to be owned by Symantec.\u00a0 L0phtCrack has recently been <a href=\"http:\/\/searchsecurity.techtarget.com\/video\/0,297151,sid14_gci1350713,00.html?track=sy160\" target=\"_blank\">re-acquired<\/a> by its original authors.\u00a0 They intend to update the venerable software and start selling it again.\u00a0 There is other software, both commercial and free, that can help you audit your users&#8217; passwords.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you ever tried to crack your network users&#8217; passwords?  Why would you do that, you ask?  Simple: a compliance check is one reason.  The other is to better understand what is possible and what kind of passwords your users are using.  In this post, I&#8217;ll discuss why it is a very good idea to do periodic password audits in your network.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[38,51],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v15.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The importance of password audits - IT A Digital Life<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\">\n\t<meta name=\"twitter:data1\" content=\"3 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/digitallachance.com\/blog\/#website\",\"url\":\"https:\/\/digitallachance.com\/blog\/\",\"name\":\"IT A Digital Life\",\"description\":\"All things digital\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/digitallachance.com\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/#webpage\",\"url\":\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/\",\"name\":\"The importance of password audits - IT A Digital Life\",\"isPartOf\":{\"@id\":\"https:\/\/digitallachance.com\/blog\/#website\"},\"datePublished\":\"2009-03-16T07:31:27+00:00\",\"dateModified\":\"2009-03-16T07:31:27+00:00\",\"author\":{\"@id\":\"https:\/\/digitallachance.com\/blog\/#\/schema\/person\/8a2f0b2a18af80d71541deadfac4d02f\"},\"breadcrumb\":{\"@id\":\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/\",\"url\":\"http:\/\/digitallachance.com\/blog\/2009\/03\/the-importance-of-password-audits\/\",\"name\":\"The importance of password 
audits\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/digitallachance.com\/blog\/#\/schema\/person\/8a2f0b2a18af80d71541deadfac4d02f\",\"name\":\"Francois\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/digitallachance.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"http:\/\/0.gravatar.com\/avatar\/ce2ee0649f3fb6a643ffff9a9f1e63e4?s=96&d=mm&r=g\",\"caption\":\"Francois\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/posts\/104"}],"collection":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/comments?post=104"}],"version-history":[{"count":0,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/posts\/104\/revisions"}],"wp:attachment":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/media?parent=104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/categories?post=104"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/tags?post=104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}