On 04/27/2011 09:19 PM, Aaron Toponce wrote:
> On Wed, Apr 27, 2011 at 02:30:25PM -0600, Daniel Fussell wrote:
>> In one of my prior lives, in a city far, far away, I worked for a
>> company that was required to do a "Sneakers" style penetration test.
>> This was a basic penetration test, not quite so grand as having Dan
>> Aykroyd sitting in a sewer line doing wire taps.
>>
>> They had the entire company's passwords in less than one hour.
>>
>> To protect the innocent, I won't go into details on how it was
>> accomplished. Suffice it to say, when I got the penetration report, my
>> password was by far the most secure out of the hundreds compromised; it
>> took the longest to crack, but still it fell in less than an hour.
>
> I would /really/ like to hear the details to this. Because from what you've
> said, I gather the following:
>
> 0. The passwords were all probably dictionary words, simple phrases, or
> numbers or symbols appended to the end.

Old ladies working in customer service positions don't come up with creative passwords, we'll put it that way.

> 1. Of course, every password likely had very weak entropy to start
> with.

Did I mention the old ladies?

> 2. Call me skeptical, but I doubt anything new was deployed. Rainbow
> Tables or John the Ripper, I'm guessing was all that was used.

I think Rainbow Tables was mentioned, but I can't be sure. At a basic level 1 penetration test, everything was pretty routine.

> 3. Knowing corporate environments, I'd be willing to bet the story
> carried long and hard before reaching your ears, including its many
> incarnations.

Nope, I got the cracked password report immediately after it was accomplished. Maybe a day latency at most, no hearsay.
Grazie,
;-Daniel Fussell

--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
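The two weaknesses the thread agrees on, a dictionary word with digits or symbols appended (point 0) and low entropy to begin with (point 1), are exactly what a password policy check can reject before a password ever reaches a hash store. The script below is an added example for this thread, not code from either poster or from BYU-UUG. It assumes a tiny constructed wordlist (`COMMON_WORDS`) standing in for a real dictionary or leaked-password list, and a hypothetical `min_bits` threshold of 50; the entropy figures are rough estimates, since a naive per-character count says nothing about whether the characters were chosen from a dictionary.

```python
import math
import re
import string

# Constructed stand-in for a real wordlist / leaked-password list.
COMMON_WORDS = {
    "password", "welcome", "summer", "dragon",
    "letmein", "monkey", "qwerty", "football",
}

# Undo the usual leet substitutions so "P@$$w0rd" normalises to "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Decoration users append to a base word: digits, punctuation, or both.
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")


def base_word(password: str) -> str:
    """Strip trailing digits/symbols, undo leet, lowercase the remainder."""
    core = _TRAILING.sub("", password)
    return core.translate(LEET).lower()


def charset_size(password: str) -> int:
    """Size of the smallest standard character class union covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def naive_entropy_bits(password: str) -> float:
    """Upper bound: every character chosen uniformly from its charset."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def check_password(password: str, min_bits: float = 50.0) -> dict:
    """Return findings and an entropy estimate; 'ok' means it passes policy.

    For a decorated dictionary word the effective keyspace is roughly
    (wordlist size) x (decoration variants), which is far smaller than the
    naive per-character estimate suggests.
    """
    findings = []
    naive = naive_entropy_bits(password)
    effective = naive

    word = base_word(password)
    if word in COMMON_WORDS:
        decoration = password[len(password) - len(_TRAILING.sub("", password)) and
                              len(_TRAILING.sub("", password)):]
        dict_bits = math.log2(len(COMMON_WORDS)) + naive_entropy_bits(decoration)
        effective = min(naive, dict_bits)
        findings.append(f"dictionary word '{word}' with appended decoration {decoration!r}")

    if effective < min_bits:
        findings.append(f"estimated {effective:.1f} bits is below minimum {min_bits}")

    return {
        "ok": effective >= min_bits,
        "naive_bits": round(naive, 1),
        "effective_bits": round(effective, 1),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample candidates: the classic "word + year + bang", a leet
    # variant, an all-digit PIN, and a random-looking mixed string.
    for candidate in ("Summer2011!", "P@$$w0rd123", "12345678", "xK9#vQ2mL!pR"):
        print(candidate, check_password(candidate))
```

Run it as-is to see the four constructed candidates scored. Note how "Summer2011!" looks strong to a naive per-character count (eleven characters from a 94-symbol set) but collapses to roughly thirty bits once it is recognised as a wordlist entry plus a short suffix, which is the gap a cracker exploits and a policy check should close.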
