Password Cracking vs. Password Policy Auditing
Recently, a Tenable customer asked me if we had any plans or capability to perform brute force password cracking with Nessus. For those familiar with Nessus, this wasn't about testing for default user accounts during a network scan. The customer was asking to obtain the encrypted password databases from Windows and UNIX and try to brute-force their contents offline to find weak passwords. This particular customer was running several different password cracking tools across several different operating systems.
When I asked what the requirement was, the customer said they wanted to enforce minimum password lengths, minimum password durations and certain complexity levels. I suggested that they use the sort of compliance checks that Nessus 3 can perform. All modern operating systems have pretty good password policy settings which can help enforce password complexity, how often a user has to change their password and so on.
Since this customer had the Security Center, they could produce one password policy that Nessus 3 can use to perform these password audits. Then, for each of the customer's different asset groups (Windows Servers, User Desktops, Firewalls, .etc) they can report which ones had password policy issues.
In the end, this was much less intensive for the customer to perform consistently and on a repeatable basis.
Related Articles
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!