{"id":190,"date":"2011-08-26T18:37:45","date_gmt":"2011-08-26T18:37:45","guid":{"rendered":"http:\/\/www.halkynconsulting.co.uk\/a\/?p=190"},"modified":"2011-08-26T18:37:45","modified_gmt":"2011-08-26T18:37:45","slug":"testing-for-insecure-passwords","status":"publish","type":"post","link":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/","title":{"rendered":"Testing for Insecure Passwords"},"content":{"rendered":"<p>Despite recent popular opinion and some well-publicised hacks involving them, passwords are not intrinsically weak. When used properly, they are a perfectly good single-factor method of authentication.<\/p>\n<p>The important part of that phrase is &#8220;when used properly&#8221;, and experience shows that the overwhelming majority of password compromises are the result of users making poor choices when it comes to their passwords.<\/p>\n<p>In June, we published a <a title=\"Halkyn Consulting - White Papers - Passwords\" href=\"http:\/\/www.halkynconsulting.co.uk\/security-resources\/downloads\/PasswordSecurity-HalkynConsultingWhitePaper.pdf\" target=\"_blank\">whitepaper on passwords<\/a> which is excellent background reading on this subject. With a few exceptions (<a title=\"PCI-DSS Standards\" href=\"https:\/\/www.pcisecuritystandards.org\/security_standards\/\" target=\"_blank\">PCI-DSS standards<\/a> being the most notable) there are no hard and fast rules on what a password should look like. Good practice (linked to the PCI-DSS requirements) has moved towards advising people to use 8 or more characters and to select them from the full range of keyboard characters.<\/p>\n<p>In general, the password structure you go for <strong>must<\/strong> be part of your overall risk management strategy. 
If you are in any doubt, encourage your users to use longer passwords, and if you connect to old Windows systems then 16+ characters is the best idea.<\/p>\n<p>Once you have established your requirements, there has to be some way in which you test your users and systems for compliance. Failure to do this will pretty much ensure that your users get lazy, choose weak passwords and eventually your systems will be compromised.<\/p>\n<p>There are several ways you can do this &#8211; and for large enterprise systems or mission-critical applications we would always recommend you bring in the services of a security testing company \/ Pentester. This will give you the greatest assurance that your security is in place, and their trained staff will be able to advise you on other security issues.<\/p>\n<p>However, if you want to check your systems yourself then this is possible using freely available, open-source tools.<\/p>\n<p>The most common password checking tool is <a title=\"John the Ripper\" href=\"http:\/\/www.openwall.com\/john\/\" target=\"_blank\">John The Ripper<\/a>, which is available for Windows, Linux and Mac OS X &#8211; its primary purpose is to check for weak Unix passwords but it can also identify weak Windows LM-hashed passwords (used by older versions of Windows &#8211; before NT4 &#8211; and unfortunately frequently enabled to allow backwards compatibility).<\/p>\n<p>This is an easy-to-use tool with quite a bit of online documentation available. 
An example of how you can use this on a Linux system to test for weak log-on passwords is as follows:<\/p>\n<pre>&gt; cd \/var\/lib\/john\r\n&gt; umask 077\r\n&gt; unshadow \/etc\/passwd \/etc\/shadow &gt; mypasswords\r\n&gt; john mypasswords\r\n&gt; john --show mypasswords<\/pre>\n<p>The fourth command makes John the Ripper work through the password file using its default cracking modes (this can take some time), and the last command then shows the cracked username \/ password pairs for you to assess. The umask ensures that the unshadowed file, which contains every account's password hash, is readable only by you; delete it once the test is complete.<\/p>\n<p>(Note: you will need root privileges for this work.)<\/p>\n<p>While this testing will not be perfect, it will give you an idea of which users have very weak passwords that can be found in common wordlist files. If you combine your operating system's controls over minimum password length with regular testing using John the Ripper, you can develop a level of assurance that your users have sufficiently strong passwords.<\/p>\n<p>If you have any questions about implementing security testing, risk assessing your enterprise or any other aspect of information security then <a title=\"Contact Halkyn Consulting\" href=\"http:\/\/www.halkynconsulting.co.uk\/contact\/contact-security-team\" target=\"_blank\">get in touch with Halkyn Consulting<\/a> and our specialist consultants will be pleased to assist you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Despite recent popular opinion and some well\u00a0publicised\u00a0hacks involving them, passwords are not intrinsically weak. When used properly, they are a perfectly good, single factor, method of authentication. 
The important part of that phrase is &#8220;when used properly&#8221; and experience shows that the overwhelming majority of password compromises are as a result of users making poor [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[5,22],"tags":[6,140,46,19],"class_list":["post-190","post","type-post","status-publish","format-standard","hentry","category-security","category-security-education-and-awareness","tag-infosec","tag-security","tag-security-management","tag-srm","entry"],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Testing for Insecure Passwords - Halkyn Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Testing for Insecure Passwords - Halkyn Security Blog\" \/>\n<meta property=\"og:description\" content=\"Despite recent popular opinion and some well\u00a0publicised\u00a0hacks involving them, passwords are not intrinsically weak. When used properly, they are a perfectly good, single factor, method of authentication. 
The important part of that phrase is &#8220;when used properly&#8221; and experience shows that the overwhelming majority of password compromises are as a result of users making poor [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/\" \/>\n<meta property=\"og:site_name\" content=\"Halkyn Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2011-08-26T18:37:45+00:00\" \/>\n<meta name=\"author\" content=\"Halkyn Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@HalkynSecurity\" \/>\n<meta name=\"twitter:site\" content=\"@HalkynSecurity\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Halkyn Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/#article\",\"isPartOf\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/\"},\"author\":{\"name\":\"Halkyn Security\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/3cfcd2267f12bbcce6a10159022c3df2\"},\"headline\":\"Testing for Insecure Passwords\",\"datePublished\":\"2011-08-26T18:37:45+00:00\",\"dateModified\":\"2011-08-26T18:37:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/\"},\"wordCount\":526,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#organization\"},\"keywords\":[\"Information Security\",\"Security\",\"Security Management\",\"Security Risk 
Management\"],\"articleSection\":[\"Security\",\"Security Education and Awareness\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/\",\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/\",\"name\":\"Testing for Insecure Passwords - Halkyn Security Blog\",\"isPartOf\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#website\"},\"datePublished\":\"2011-08-26T18:37:45+00:00\",\"dateModified\":\"2011-08-26T18:37:45+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/08\/testing-for-insecure-passwords\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Halkyn Security\",\"item\":\"http:\/\/www.halkynconsulting.co.uk\/a\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"http:\/\/www.halkynconsulting.co.uk\/a\/category\/security\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Testing for Insecure Passwords\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#website\",\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/\",\"name\":\"Halkyn Security Blog\",\"description\":\"Specialist Security &amp; Risk Management 
Consultants\",\"publisher\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.halkynconsulting.co.uk\/a\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#organization\",\"name\":\"Halkyn Consulting\",\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1\",\"width\":\"990\",\"height\":\"170\",\"caption\":\"Halkyn Consulting\"},\"image\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/2329571\",\"https:\/\/twitter.com\/HalkynSecurity\"]},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/3cfcd2267f12bbcce6a10159022c3df2\",\"name\":\"Halkyn Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4126abc936773e5e8bd38e030d54306e161190a7d6166dba7edadb6caf13b504?s=96&d=retro&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4126abc936773e5e8bd38e030d54306e161190a7d6166dba7edadb6caf13b504?s=96&d=retro&r=g\",\"caption\":\"Halkyn Security\"},\"description\":\"Halkyn Security 
Consultants.\",\"sameAs\":[\"http:\/\/www.halkynconsulting.co.uk\/\"],\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/author\/halkyn-consulting\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9yHvD-34","jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/comments?post=190"}],"version-history":[{"count":2,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/190\/revisions"}],"predecessor-version":[{"id":192,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/190\/revisions\/192"}],"wp:attachment":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/media?parent=190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/categories?post=190"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/tags?post=190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}