Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Password Cracking vs. Password Policy Auditing

Recently, a Tenable customer asked me if we had any plans or capability to perform brute force password cracking with Nessus. For those familiar with Nessus, this wasn't about testing for default user accounts during a network scan. The customer was asking to obtain the encrypted password databases from Windows and UNIX and try to brute-force their contents offline to find weak passwords. This particular customer was running several different password cracking tools across several different operating systems.

When I asked what the requirement was, the customer said they wanted to enforce minimum password lengths, minimum password durations and certain complexity levels. I suggested that they use the sort of compliance checks that Nessus 3 can perform. All modern operating systems have pretty good password policy settings which can help enforce password complexity, how often a user has to change their password and so on.

Since this customer had the Security Center, they could produce one password policy that Nessus 3 can use to perform these password audits. Then, for each of the customer's different asset groups (Windows Servers, User Desktops, Firewalls, .etc) they can report which ones had password policy issues.

In the end, this was much less intensive for the customer to perform consistently and on a repeatable basis.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io Vulnerability Management

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.