Password Cracking vs. Password Policy Auditing
Recently, a Tenable customer asked me if we had any plans or capability to perform brute force password cracking with Nessus. For those familiar with Nessus, this wasn't about testing for default user accounts during a network scan. The customer was asking to obtain the encrypted password databases from Windows and UNIX and try to brute-force their contents offline to find weak passwords. This particular customer was running several different password cracking tools across several different operating systems.
When I asked what the requirement was, the customer said they wanted to enforce minimum password lengths, minimum password durations and certain complexity levels. I suggested that they use the sort of compliance checks that Nessus 3 can perform. All modern operating systems have pretty good password policy settings which can help enforce password complexity, how often a user has to change their password and so on.
Since this customer had the Security Center, they could produce one password policy that Nessus 3 can use to perform these password audits. Then, for each of the customer's different asset groups (Windows Servers, User Desktops, Firewalls, .etc) they can report which ones had password policy issues.
In the end, this was much less intensive for the customer to perform consistently and on a repeatable basis.