Today’s Security Tip: Password Cracking

I recently posted about password length vs. complexity vs. two-factor authentication.  But passwords will be around for quite a while, so what are some of the things security professionals can do to keep passwords up to snuff?  One of the ways is obviously to enforce password length and complexity, but politics don’t always let that happen.  So many security shops simply have to set policy and then try to enforce it as best they can.  But how do you do that?  Two words: password cracker.  Once you crack the passwords and determine the ones that are out of policy, you go smack the user upside the head with the rolled-up policy, then make ‘em change the password.
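As an added illustration (not code from the original post), here is the "compare what the cracker recovered against the policy" step as a small audit script; the policy thresholds and the sample cracking results are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8   # assumed policy value for the example
    min_classes: int = 3  # of: lowercase, uppercase, digit, symbol


# Character classes that count toward the complexity requirement.
_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password, policy):
    """Return the reasons a recovered password is out of policy (empty list if compliant)."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(f"length {len(password)} < {policy.min_length}")
    present = [name for name, rx in _CLASSES.items() if rx.search(password)]
    if len(present) < policy.min_classes:
        reasons.append(f"only {len(present)} character class(es) < {policy.min_classes}")
    return reasons


def audit_cracked(cracked, policy):
    """cracked maps account -> recovered plaintext (None if the cracker did not recover it).
    Returns account -> reasons for every recovered password that fails the policy."""
    findings = {}
    for account, plaintext in cracked.items():
        if plaintext is None:
            continue  # not recovered in this run, so nothing to compare against policy
        reasons = policy_violations(plaintext, policy)
        if reasons:
            findings[account] = reasons
    return findings


# Constructed sample output of a cracking run (fictional accounts).
SAMPLE_CRACKED = {
    "jsmith": "summer",       # too short and a single class
    "bwayne": "Gotham2024",   # 10 chars, three classes: compliant
    "ckent": "Pa$sw0rd",      # 8 chars, four classes: compliant, yet recovered
    "dprince": None,          # not recovered
    "lluthor": "abcdefghij",  # long enough, but lowercase only
}

if __name__ == "__main__":
    for acct, why in sorted(audit_cracked(SAMPLE_CRACKED, PasswordPolicy()).items()):
        print(f"{acct}: {'; '.join(why)}")
```

Note that ckent's password satisfies the length and complexity rules yet was still recovered, so a policy-compliant password is not automatically a strong one; the fact that the cracker got it at all is the more useful signal.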

Now here is where I get lazy and point you to this site that lists some of the best crackers and hash grabbers out there.  But I will say that two of my favorites for a Windows environment (which is what most security admins are supporting) are L0phtCrack and Cain and Abel.  Cain and Abel is free.  L0phtCrack was put out by @Stake, but they have since been bought by Symantec and it has been discontinued, so you can’t buy it.  However, the site above has some ways of getting access to it.

A couple of disclaimers: I do not condone piracy (AARRGGHH!!!), and only use your powers for good.  Ok then…

As said above, password cracking is a valuable tool for enforcing policies when politics won’t actually let you set the rules for enforcement.  And besides, it’s fun!  You never know what some of those passwords are going to be.

By the way, this security tip is part of a series that Michael at mcwresearch.com and I (and possibly some other bloggers) are trying out this week to see if it catches on.  Michael’s latest tip is here.  [Update: Alan Shimel is joining in on this at his blog.]

Vet

Categories: Passwords, Security