Testing for Insecure Passwords

Despite recent popular opinion and some well-publicised hacks involving them, passwords are not intrinsically weak. When used properly, they are a perfectly good single-factor method of authentication.

The important part of that phrase is “when used properly”, and experience shows that the overwhelming majority of password compromises are the result of users making poor choices when it comes to their passwords.

In June, we published a whitepaper on passwords which is excellent background reading on this subject. With a few exceptions (the PCI-DSS standards being the most notable) there are no hard and fast rules on what a password should look like. Good practice (linked to the PCI-DSS requirements) has tended towards advising people to use 8 or more characters and to select them from all the possible keyboard characters.

In general, the password structure you go for must be part of your overall risk management strategy. If you are in any doubt, encourage your users to use longer passwords and if you connect to old Windows systems, then 16+ characters is the best idea.

Once you have established your requirements, there has to be some way in which you test your users and systems for compliance. Failure to do this will pretty much ensure that your users get lazy, choose weak passwords and eventually your systems will be compromised.

There are several ways you can do this – and for large enterprise systems or mission critical applications we would always recommend you bring in the services of a security testing company / Pentester. This will give you the greatest assurance that your security is in place and their trained staff will be able to advise you on other security issues.

However, if you want to check your systems yourself then this is possible using freely available, open source, tools.

The most common password checking tool is John The Ripper, which is available for Windows, Linux and Mac OS X – its primary purpose is to check for weak Unix passwords, but it can also identify weak Windows LM-hashed passwords (used by older versions of Windows – before NT4 – and unfortunately frequently left enabled for backwards compatibility).

This is an easy-to-use tool with quite a bit of online documentation available. An example of how you can use it on a Linux system to test for weak log-on passwords is as follows:

> cd /var/lib/john
> umask 077
> unshadow /etc/passwd /etc/shadow > mypasswords
> john mypasswords
> john --show mypasswords

The `umask 077` line keeps the combined file readable only by you, since it contains the password hashes. On issuing `john mypasswords`, John the Ripper will work through the password file trying its wordlist and rules; `john --show mypasswords` then lists the cracked username / password pairs for you to assess (on its own, `--show` only reports results from an earlier run, so it must come after the cracking step).

(Note: you will need root privileges for this work)

While this testing will not be perfect, it will give you an idea of which users have very weak passwords that can be found in common wordlist files. If you combine your operating system controls over minimum length with regular testing using John the Ripper, you can develop a level of assurance that your users have sufficiently strong passwords.
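The following is an added example (not Halkyn's code and not part of John the Ripper) showing how the two halves of that approach fit together: it checks candidate passwords against the length and character-set guidance given above (8 characters in general, 16+ where old Windows systems are involved), and it parses the output of `john --show` on an `unshadow` file so that each cracked account can be reported against that policy. It assumes the `john --show` layout of one passwd-style line per cracked account followed by a summary line such as "2 password hashes cracked, 3 left"; the wordlist and the sample `john --show` output are constructed for the example.

```python
"""Audit helper for a John the Ripper password test.

Added example, not Halkyn's or John the Ripper's own code. Assumes the
output format of `john --show` run on an `unshadow` file: one line per
cracked account in passwd layout (user:password:uid:gid:gecos:home:shell)
followed by a summary line such as "2 password hashes cracked, 3 left".
"""
import re
import string

# Minimum lengths from the guidance above: 8 in general, 16+ where the
# account is also used against old Windows systems.
MIN_LENGTH = 8
MIN_LENGTH_LEGACY_WINDOWS = 16

# Constructed stand-in for a common wordlist; a real audit would load
# john's password.lst or a larger list from disk.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}

CHAR_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def check_policy(password, legacy_windows=False):
    """Return the policy rules a candidate password breaks (empty list = compliant)."""
    findings = []
    minimum = MIN_LENGTH_LEGACY_WINDOWS if legacy_windows else MIN_LENGTH
    if len(password) < minimum:
        findings.append(f"shorter than {minimum} characters")
    present = [name for name, chars in CHAR_CLASSES.items()
               if any(c in chars for c in password)]
    if len(present) < 3:
        findings.append("uses fewer than three character classes")
    # Strip trailing digits/symbols so "Password1!" is still caught as "password".
    core = re.sub(r"[\d\W_]+$", "", password).lower()
    if password.lower() in COMMON_WORDS or core in COMMON_WORDS:
        findings.append("based on a common wordlist entry")
    return findings


SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")


def parse_john_show(output):
    """Parse `john --show` output into ({user: password}, cracked_count, left_count)."""
    cracked = {}
    counts = (0, 0)
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts = (int(m.group(1)), int(m.group(2)))
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            cracked[fields[0]] = fields[1]
    return cracked, counts[0], counts[1]


def audit_report(show_output, legacy_windows=False):
    """Map each cracked account to the policy rules its password violates.

    A password that john recovered is weak by definition, so an account whose
    password passes the length/complexity rules is still flagged: this is the
    case that minimum-length controls alone would have missed.
    """
    cracked, _, _ = parse_john_show(show_output)
    report = {}
    for user, password in cracked.items():
        findings = check_policy(password, legacy_windows)
        if not findings:
            findings = ["cracked by john despite meeting the length/complexity policy"]
        report[user] = findings
    return report


# Constructed sample of `john --show mypasswords` output (not real accounts).
SAMPLE_SHOW_OUTPUT = """\
alice:letmein:1001:1001:Alice:/home/alice:/bin/bash
bob:Summer2024!:1002:1002:Bob:/home/bob:/bin/bash

2 password hashes cracked, 3 left
"""

if __name__ == "__main__":
    for user, findings in audit_report(SAMPLE_SHOW_OUTPUT).items():
        print(f"{user}: {'; '.join(findings)}")
```

The point of the `audit_report` caveat is the one the paragraph above makes: "bob" in the constructed sample satisfies an 8-character, three-class rule yet still falls to a wordlist-plus-rules run, which is why regular testing is needed on top of the operating system's minimum-length controls.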

If you have any questions about implementing security testing, risk assessing your enterprise or any other aspect of information security then get in touch with Halkyn Consulting and our specialist consultants will be pleased to assist you.

Halkyn Security

Halkyn Security Consultants.