What is a Password Security Audit
Password security audits help to test the strength of users' passwords and their resilience against password attacks. They can uncover weak passwords and also provide an opportunity to educate users on proper password use. For example, a password audit can show you who in your organization is prone to picking weak passwords, so you can fix the problem before an attack exploits it.


Importance of Creating a Strong Password
Just one weak password could easily expose your network to malicious internal or external cyber-attacks. Password harvesting is one of the most commonly exploited network security threats. Regularly conducting a password security audit can uncover any weak passwords currently in use within your company, so you can fix the issues found before they become significant problems.
Guidelines for Creating Strong Passwords
Good, strong passwords are a vital component in keeping your information secure and preventing unauthorized access.
- Make them long and complex with a minimum of 15 characters.
- Have them contain a combination of numbers, upper/lower case letters, and symbols.
- Refrain from including repeating patterns of characters.
- Use a different password for each device.
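The guidelines above can be turned into an automated check, which is also the simplest form of the audit described at the top of the page: run every password through the policy and report which users fail. The following is an added example, not code from the original page; the three-consecutive-copies threshold for "repeating pattern", the `string.punctuation` definition of "symbol", and the sample users and passwords are all constructed assumptions.

```python
import re
import string

MIN_LENGTH = 15  # minimum length the guidelines call for

# A substring of one or more characters repeated three or more times in a row
# ("aaa", "abcabcabc"). Three consecutive copies is an assumption chosen here so
# that ordinary double letters ("tt" in "Battery") do not trigger the check.
REPEAT_PATTERN = re.compile(r"(.+?)\1{2,}")


def check_password(password):
    """Return a list of guideline violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"too short ({len(password)} < {MIN_LENGTH})")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    match = REPEAT_PATTERN.search(password)
    if match:
        violations.append(f"repeating pattern {match.group(1)!r}")
    return violations


def audit_passwords(passwords):
    """passwords: mapping user -> password. Returns user -> violations for every user that fails."""
    report = {}
    for user, password in passwords.items():
        violations = check_password(password)
        if violations:
            report[user] = violations
    return report


def find_reused(device_passwords):
    """device_passwords: mapping device -> password for one user.
    Returns groups of devices that share the same password (the guideline asks for one per device)."""
    by_password = {}
    for device, password in device_passwords.items():
        by_password.setdefault(password, []).append(device)
    return [sorted(devices) for devices in by_password.values() if len(devices) > 1]


# Constructed sample data; these are not real credentials.
SAMPLE_PASSWORDS = {
    "alice": "Correct-Horse-Battery-42",  # passes every rule
    "bob": "Summer2023",                  # too short, no symbol
    "carol": "abcabcabcABC123!!",         # long enough but built from a repeated pattern
    "dave": "passwordpassword",           # no digit, no upper-case letter, no symbol
}

SAMPLE_DEVICES = {"laptop": "Correct-Horse-Battery-42",
                  "phone": "Correct-Horse-Battery-42",
                  "router": "Other-Pass-Phrase-77!"}

if __name__ == "__main__":
    for user, violations in audit_passwords(SAMPLE_PASSWORDS).items():
        print(f"{user}: {', '.join(violations)}")
    print("reused across devices:", find_reused(SAMPLE_DEVICES))
```

A check like this only works where the plaintext is available, for example at password-change time; an audit of an existing directory sees only hashes, which is where the cracking tools described below come in.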

Rainbow Crack
Rainbow Crack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. It cracks hashes with rainbow tables. A time-memory trade-off hash cracker needs a precomputation stage, during which plaintext/hash pairs for the selected hash algorithm, charset and plaintext length are computed and the results are stored in files called rainbow tables. This computation is time consuming, but once the one-time precomputation is finished, hashes covered by the table can be cracked with much better performance than a brute-force cracker achieves.
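To make the precomputation and lookup phases concrete, here is a toy rainbow table in the style Oechslin described, added as an example that is not Rainbow Crack's own code. It assumes a constructed keyspace of three lower-case letters, unsalted MD5 as the target hash, a reduction function and chain-start constants chosen arbitrarily here, and it finishes by showing that a salted hash of the same plaintext is not found, which is why per-user salts defeat precomputed tables.

```python
import hashlib
import string

# Constructed toy parameters: 3 lower-case letters is a 17,576-entry keyspace,
# small enough to build and search a table in well under a second.
CHARSET = string.ascii_lowercase
PLAINTEXT_LEN = 3
KEYSPACE = len(CHARSET) ** PLAINTEXT_LEN


def hash_plaintext(plaintext, salt=b""):
    """Unsalted MD5 stands in for the hash the table targets; the salt parameter is
    used only to show why a salted hash is not covered by the precomputed table."""
    return hashlib.md5(salt + plaintext.encode()).hexdigest()


def index_to_plaintext(n):
    """Map an integer in [0, KEYSPACE) to a PLAINTEXT_LEN-character plaintext over CHARSET."""
    chars = []
    for _ in range(PLAINTEXT_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def reduce_hash(hexdigest, position):
    """Reduction function R_position: map a hash back into the keyspace. Using a different
    reduction in each chain column is the rainbow-table refinement that limits chain merges."""
    return index_to_plaintext((int(hexdigest[:16], 16) + position) % KEYSPACE)


def chain_start(i):
    """Deterministic pseudo-random start point for chain i (constants chosen arbitrarily here)."""
    return index_to_plaintext((i * 7919 + 12345) % KEYSPACE)


def build_table(num_chains, chain_len):
    """Precomputation: walk each chain start -> H -> R_0 -> H -> R_1 -> ... and store only
    endpoint -> start. Memory is num_chains entries rather than one entry per keyspace element."""
    table = {}
    for i in range(num_chains):
        start = chain_start(i)
        point = start
        for pos in range(chain_len):
            point = reduce_hash(hash_plaintext(point), pos)
        table.setdefault(point, start)  # chains that merged share an endpoint; keep the first
    return table


def lookup(table, target_hash, chain_len):
    """Online phase: assume the target sits in column pos, regenerate the chain tail to its
    endpoint, and on a hit walk the stored chain from its start to confirm (or reject a false alarm)."""
    for pos in range(chain_len - 1, -1, -1):
        point = reduce_hash(target_hash, pos)
        for p in range(pos + 1, chain_len):
            point = reduce_hash(hash_plaintext(point), p)
        start = table.get(point)
        if start is None:
            continue
        candidate = start
        for p in range(chain_len):
            if hash_plaintext(candidate) == target_hash:
                return candidate
            candidate = reduce_hash(hash_plaintext(candidate), p)
    return None


NUM_CHAINS, CHAIN_LEN = 2000, 50
TABLE = build_table(NUM_CHAINS, CHAIN_LEN)  # 2000 * 50 hash operations, done once


def demo():
    """Recover the plaintext of a known unsalted hash, then show the salted hash is not found."""
    target = chain_start(0)  # "vgs" under the constants above; its hash sits in column 0 of chain 0
    unsalted = lookup(TABLE, hash_plaintext(target), CHAIN_LEN)
    salted = lookup(TABLE, hash_plaintext(target, salt=b"s4lt"), CHAIN_LEN)
    return unsalted, salted, len(TABLE)


if __name__ == "__main__":
    found, salted_result, entries = demo()
    print(f"table entries: {entries} of keyspace {KEYSPACE}; recovered: {found}; salted: {salted_result}")
```

The table holds at most 2,000 endpoint/start pairs for a 17,576-entry keyspace, and each lookup costs on the order of `CHAIN_LEN` squared hash operations instead of a full brute force; that is the memory-for-time trade. Coverage is probabilistic, so a hash whose plaintext was never reached by any chain is reported as not found, and a salted hash is never found because the table was built for the unsalted function.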
Wfuzz
Wfuzz is a tool designed for brute forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), to brute force GET and POST parameters when checking for different kinds of injection (SQL, XSS, LDAP, etc.), to brute force form parameters (user/password), for fuzzing, and more. It was created to ease the work of web application assessments.
Cain and Abel
Cain and Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force, and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
THC Hydra
Hydra is a parallelized password cracker that supports numerous protocols. It is very fast and flexible, and new modules are easy to add. The tool lets researchers and security consultants show how easily unauthorized remote access to a system could be gained. Compared with similar tools it is faster, and modules can easily be added to extend its features. It is available for Windows, Linux, FreeBSD, Solaris and OS X.
Ncrack
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. It allows for rapid, yet reliable, large-scale auditing of multiple hosts. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and much more.