This is a discussion on Information on Password Cracking within the Software Testing forums, part of the Software Quality Assurance category.
[b]Password cracking[/b] is the process of validating password strength through the use of automated password recovery tools that expose either the application of weak cryptographic algorithms, incorrect implementation of cryptographic algorithms, or weak passwords due to human factors. This module should not be confused with password recovery via sniffing clear-text channels, which may be a simpler means of subverting system security, but only because of unencrypted authentication mechanisms, not password weakness itself. Once administrator or root privileges have been gained on a computer system, password cracking may assist in obtaining access to additional systems or applications (thanks to users with matching passwords on multiple systems) and is a valid technique that can be used for system leverage throughout a security test. Thorough or corporate-wide password cracking can also be performed as a simple after-action exercise and may highlight the need for stronger encryption algorithms for key systems storing passwords, as well as a need for enforcing the use of stronger user passwords through stricter policy, automatic generation, or pluggable authentication modules (PAMs).
Tasks to perform for a thorough Password Cracking verification:
• Obtain the password file from the system that stores usernames and passwords
  o For Unix systems, this will be either /etc/passwd or /etc/shadow
  o For Unix systems that happen to perform SMB authentication, you can find NT passwords in /etc/smbpasswd
  o For NT systems, this will be /winnt/repair/Sam._ (or other, more difficult to obtain variants)
• Run an automated dictionary attack on the password file
• Run a brute force attack on the password file as time and processing cycles allow
• Use obtained passwords or their variations to access additional systems or applications
• Run automated password crackers on encrypted files that are encountered (such as PDFs or Word documents) in an attempt to gather more intelligence and highlight the need for stronger document or file system encryption.
• Verify password aging.

-V.Vadivelan
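The dictionary-attack, "variations" and password-aging tasks in the post above, worked through as an added example that is not part of the original post (nor of any cracking tool): it parses shadow-style entries, flags accounts whose passwords never expire or are long past their maximum age, and runs a wordlist with simple mangling rules against the unlocked hashes. Everything specific here is constructed: the sample entries, the wordlist, the value used for "today", and the hash encoding itself. The `$hx$<salt>$<hex>` field is a made-up salted-SHA-512 stand-in for crypt(3)'s `$6$` hashes so the block runs anywhere without the deprecated `crypt` module; on a real engagement the `hx_hash` function is what you would swap for crypt(3) or hand the file to John the Ripper or hashcat. The colon-separated field layout (name:hash:lastchg:min:max:warn:inactive:expire:) is the real /etc/shadow one.

```python
"""Shadow-file audit: dictionary attack with mangling rules plus aging check.
Added example for this thread, not from the original post.  The "$hx$" hash
encoding, sample entries, wordlist and DAY_NOW are constructed for illustration."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterator, Optional

DAY_NOW = 19800  # constructed "today" as days since 1970-01-01 (early 2024)


def hx_hash(password: str, salt: str) -> str:
    """Constructed stand-in for crypt(3): salted SHA-512, hex encoded.
    Replace this with crypt.crypt(password, "$6$" + salt) for real shadow hashes."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$hx${salt}${digest}"


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: Optional[int]   # days since epoch of last password change
    max_days: Optional[int]  # maximum password age in days

    @property
    def locked(self) -> bool:
        # An empty field or a leading "!" / "*" means no usable password.
        return self.hash == "" or self.hash[0] in "!*"


def _to_int(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse name:hash:lastchg:min:max:warn:inactive:expire: lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(f[0], f[1], _to_int(f[2]), _to_int(f[4])))
    return entries


def aging_findings(e: ShadowEntry, today: int = DAY_NOW) -> list[str]:
    """The 'verify password aging' task: never-expiring or overdue passwords."""
    if e.locked:
        return []
    if e.max_days is None or e.max_days >= 99999:
        return ["password never expires"]
    if e.lastchg is not None and today - e.lastchg > e.max_days:
        return [f"password {today - e.lastchg} days old, max {e.max_days}"]
    return []


LEET = str.maketrans("aeios", "43105")
SUFFIXES = ("1", "123", "!", "2023", "2024")


def mangle(word: str) -> Iterator[str]:
    """Variations people actually pick: case changes, leet, digit/year suffixes.
    dict.fromkeys keeps order and drops duplicates (e.g. for lowercase input)."""
    bases = dict.fromkeys(
        (word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET))
    )
    for base in bases:
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
            yield base + suffix + "!"


def dictionary_attack(entries: list[ShadowEntry], wordlist: list[str],
                      mangle_rules: bool = True) -> dict[str, str]:
    """Return {user: plaintext} for every hash recovered from the wordlist.
    Each candidate is re-hashed per target because salts differ per user; that
    per-user cost is exactly what salting buys the defender."""
    targets = {e.name: e.hash for e in entries
               if not e.locked and e.hash.startswith("$hx$")}
    cracked: dict[str, str] = {}
    for word in wordlist:
        for cand in (mangle(word) if mangle_rules else (word,)):
            for name, h in list(targets.items()):
                salt = h.split("$")[2]
                if hx_hash(cand, salt) == h:
                    cracked[name] = cand
                    del targets[name]
            if not targets:
                return cracked
    return cracked


# Constructed sample shadow file: one never-expiring root password, one stale
# weak password, one strong password, one locked service account.
SAMPLE_SHADOW = "\n".join([
    "root:" + hx_hash("Summer2024!", "x9Kq") + ":19750:0:99999:7:::",
    "alice:" + hx_hash("dragon", "pL3m") + ":19000:0:90:7:::",
    "bob:" + hx_hash("Tr0ub4dor&3", "Zz1a") + ":19790:0:90:7:::",
    "svc_backup:!:19000:0:99999:7:::",
])
WORDLIST = ["password", "dragon", "summer", "letmein", "welcome"]  # constructed


def audit(shadow_text: str = SAMPLE_SHADOW, wordlist: list[str] = WORDLIST) -> dict:
    entries = parse_shadow(shadow_text)
    cracked = dictionary_attack(entries, wordlist)
    return {e.name: {"cracked": cracked.get(e.name), "aging": aging_findings(e)}
            for e in entries}


if __name__ == "__main__":
    for user, r in audit().items():
        print(f"{user:12} cracked={r['cracked']!r:16} aging={r['aging']}")
```

Note what the mangling buys: "Summer2024!" is never in the wordlist, but it falls out of "summer" after one case rule and one suffix rule, which is why the post treats "variations" of recovered passwords as a separate task. The locked `svc_backup` entry is skipped rather than reported as a failure, and `bob` survives both the plain and the mangled pass, which is the result you want the aging and policy findings to be judged against.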