Concerns: More on Password Cracking

Posted on March 5, 2008. Filed under: Auditing, General

I was talking with a coworker the other day about password cracking, and I wanted to write up another post regarding that conversation and Michael Coates' comments on a previous article that I wrote:

http://secauditor.wordpress.com/2008/02/21/what-is-more-important-password-expiration-complexity-or-something-else/

There are two main areas that must be looked at any time an organization enters into password cracking. The first is the transport and storage of the password database (the hashes you pull, and any results the cracking program produces). The second is non-repudiation: once a password has been cracked, the user is no longer the only person who knows it. For this article I want to look at the latter. Let's look at a scenario to start with.

Company A conducts quarterly password cracking on its entire user base. In a separate event, unrelated to this activity, user Joe Schmoe is annoyed about his lack of a bonus and decides to delete critical data. Joe's supervisor terminates Joe over this event. Joe files a wrongful termination suit against Company A. Now you might say Company A was completely justified in terminating Joe: the deletion was done under Joe's account. Then Joe's lawyer calls you to the stand and asks, "Do you use a password cracking program?" and "How many people have access to the information gathered from this program?" Here is the catch: you can no longer dispute that multiple people had access to Joe's password, so how do you prove it was Joe who deleted the data?

Does this mean no more password cracking to ensure strength and protection? Not in the least. There are several areas that must be addressed though.

  1. Your policies must be solid and identify exactly what you require in a password (i.e. at least one letter, one number, and one special character).
  2. You need to define how you handle the situation once you find a password is non-compliant (i.e. the user is notified and a password change is required). The finding to record is that the account failed the audit, not the password itself.
  3. Document how you conduct password cracking (i.e. you only attempt passwords that are all numbers, all letters, all special characters, or a combination of any two of these). This ensures that a password meeting your policy is never attempted, and so is never cracked. The documented scope has to match how the tool is actually configured: a brute-force run over the full character set would recover a short compliant password as well, and with it the non-repudiation you are trying to protect.
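The following is an added example, not code from the original post, showing how point 3 can be enforced in the audit tool itself: the candidate generator only draws on at most two of the three character classes, so no candidate can satisfy the policy, and the audit refuses to run if a rule ever produces one. Everything below is assumed for the example and not from the post: unsalted SHA-256 stands in for the real password database format, the special-character set, the mangling rules, the wordlist and the sample accounts are all constructed.

```python
"""Policy-scoped password audit (added example, not from the original post).

The candidate space is restricted to the documented audit rules, each of
which uses at most two character classes. A password that meets the policy
(one letter, one number, one special character) is therefore never tried,
never recovered, and never seen by the auditor.
"""
import hashlib
import itertools
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!@#$%^&*()-_=+"   # assumed special-character set for the example


def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for c in pw:
        if c in LETTERS:
            classes.add("letter")
        elif c in DIGITS:
            classes.add("digit")
        elif c in SPECIALS:
            classes.add("special")
    return classes


def meets_policy(pw):
    """Policy from the post: at least one letter, one number, one special."""
    return char_classes(pw) == {"letter", "digit", "special"}


def scoped_candidates(wordlist, max_digits=3, max_pin=4):
    """Candidates from the documented audit rules (rule set assumed here).

    letters only       : word, Word, WORD
    letters + digits   : word followed by up to max_digits digits
    letters + special  : word followed by one special character
    digits only        : every PIN of up to max_pin digits
    No rule combines all three classes, so no candidate meets policy.
    """
    words = set()
    for w in wordlist:
        words.update((w.lower(), w.capitalize(), w.upper()))
    out = set(words)
    for w in words:
        for n in range(1, max_digits + 1):
            for tail in itertools.product(DIGITS, repeat=n):
                out.add(w + "".join(tail))
        for s in SPECIALS:
            out.add(w + s)
    for n in range(1, max_pin + 1):
        for tup in itertools.product(DIGITS, repeat=n):
            out.add("".join(tup))
    return out


def audit(hashes, wordlist):
    """hashes: {username: hex SHA-256 of the password} (format assumed).

    Returns the set of usernames whose password was recovered, i.e. is out
    of policy. The recovered plaintexts are discarded on purpose: the
    finding is "non-compliant, change required", not the password.
    """
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    found = set()
    for cand in scoped_candidates(wordlist):
        # Self-check that the rule set has stayed inside the documented scope.
        if meets_policy(cand):
            raise RuntimeError("audit rule produced a policy-compliant candidate")
        h = hashlib.sha256(cand.encode()).hexdigest()
        if h in by_hash:
            found.update(by_hash[h])
    return found


# Constructed sample data for the example.
WORDLIST = ["password", "summer", "welcome", "letmein", "company"]


def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


SAMPLE_HASHES = {
    "jschmoe": _h("Summer2007!"),   # meets policy: never attempted
    "mjones":  _h("welcome123"),    # letters + digits: out of policy
    "abaker":  _h("1234"),          # digits only: out of policy
    "ckim":    _h("Password"),      # letters only: out of policy
    "dlee":    _h("Letmein!"),      # letters + special: out of policy
}

if __name__ == "__main__":
    print("non-compliant accounts:", sorted(audit(SAMPLE_HASHES, WORDLIST)))
```

Running it reports mjones, abaker, ckim and dlee as non-compliant; jschmoe's password is never attempted, so nothing about it leaves the audit. The same scoping applies to a real tool: limit the mask or rule set to two character classes rather than running an unrestricted brute force over the full keyspace.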

Now you have ensured that passwords in compliance are never cracked, you have notified and forced a change for those whose passwords are out of compliance, and you can still show that a user with a compliant password was the only person who ever knew it, so that user's actions are truly their own.
