Every once in a while you come across a situation that just makes you shake your head and wonder what people are thinking when it comes to security. A few years ago I was working on a security assessment with my partner, and per the terms of our contract we ran L0phtcrack to see how well the users were selecting robust passwords. Since there was no formal password policy in place, it wasn’t surprising to find that more than 60% of the company was using either a blank password or the word “password.” The program cracked those in less than a second – which caused more than a little concern to the owner/executive watching us work. (The term “freaked out” would be appropriate here, if it didn’t seem a tad disrespectful.)
Of course, post-assessment we worked with him to implement a password policy, a user training session and complexity requirements that ensured users were choosing alphanumeric passwords and changing them on a regular basis. However, the owner/executive (whom I will call Bob, since that is his name) was still wary that the users weren’t making good choices. He asked us to run L0phtcrack again and provide a list of the passwords that users had selected.
Now, I understand Bob’s concern – however, let’s consider the potential risks involved. First, we had completed the assessment and report and were now implementing recommendations in the consulting phase of the project; we were therefore no longer covered by the authorization we had during the actual assessment. To proceed, we would first need written permission for the action. But more importantly, handing over a list of usernames and passwords as requested would completely eliminate the concept of accountability: a password known to anyone other than its owner no longer proves who logged in. Knowledge of this list would mean that users could claim they hadn’t logged in with their password – someone with access to the password list must have logged in and “fudged” the books or surfed inappropriate material on company computers. Bob’s logic was that if nobody knew about the list except the three of us, nobody could claim misuse.
(Big red flags should be waving before your eyes right about now.)
Let’s pretend for a moment that we acquiesced and granted the request, providing Bob with a list of all usernames and passwords. Two weeks later, the computer that Bob’s brother works on is found to have accessed child pornography. Bob knows HE didn’t log in, and he knows his brother couldn’t possibly have done it. That leaves two people who had previously accessed the system remotely (as part of the assessment) and who could, in theory, know the usernames and passwords. You may as well paint a target on your t-shirt with the word “sucker” across the top.
Think I’m being paranoid? It’s possible, but thankfully my partner agreed with me, and we chose not to provide the list and instead explained in great detail why it was unnecessary given the complexity requirements we had implemented. We also explained the legal risk to him, which I’m hoping he appreciated once he calmed down from all the obscenities he was slinging at us.
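What you can hand an owner like Bob instead of the plaintext list is a per-account verdict against the policy, plus a sanity check that the report itself contains no recovered password. The script below is an added example written for this page, not code from the original post or from L0phtcrack; the policy parameters, the account names and the "cracker output" are all constructed for illustration.

```python
"""Audit cracked-password results against a policy and report only verdicts, never plaintext."""
import re
from collections import Counter

# Policy parameters: assumptions for this example, not the article's actual policy.
MIN_LENGTH = 8
BANNED = {"password", "welcome", "letmein", "qwerty", "123456"}

# Constructed sample of a cracker run: (username, recovered password, or None if not cracked).
# Hypothetical accounts and passwords; nothing here comes from the article.
CRACK_RESULTS = [
    ("alice", "password"),
    ("bob", ""),
    ("carol", None),
    ("dave", "Summer2024"),
    ("erin", "qwerty1"),
    ("frank", "Tr0ub4dor&3"),
]


def policy_failures(password):
    """Return the policy rules a recovered password breaks; an empty list means compliant."""
    if password == "":
        return ["blank"]
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    # Strip digits/symbols so "qwerty1" still matches the banned base word "qwerty".
    if re.sub(r"[^a-z]", "", password.lower()) in BANNED:
        failures.append("dictionary word")
    return failures


def audit(results):
    """Build a per-account verdict (no plaintext) and a summary count of verdict classes."""
    report = {}
    for user, pw in results:
        if pw is None:
            # Not cracked within the run's budget is NOT proof of strength; report it as such.
            report[user] = "not cracked in this run"
        else:
            failures = policy_failures(pw)
            report[user] = "compliant" if not failures else "non-compliant: " + ", ".join(failures)
    summary = Counter(verdict.split(":")[0] for verdict in report.values())
    return report, dict(summary)


def report_leaks_plaintext(results, report):
    """Pre-handover check: True if any recovered password text appears in the rendered report."""
    rendered = "\n".join(f"{user}: {verdict}" for user, verdict in report.items())
    return any(pw and pw in rendered for _, pw in results)


if __name__ == "__main__":
    verdicts, totals = audit(CRACK_RESULTS)
    for user, verdict in verdicts.items():
        print(f"{user}: {verdict}")
    print("summary:", totals)
    print("report leaks plaintext:", report_leaks_plaintext(CRACK_RESULTS, verdicts))
```

The verdict report answers the owner's real question (are users still picking weak passwords, and which accounts need to be reset?) while every password stays known only to its owner, so the accountability argument above survives intact.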
So, to recap: the users hated us for making them learn how to create new complex passwords; the owner hated us for not giving him an unethical list of passwords; the hackers hated us for closing the blatant security holes that said, “come on in.” At the end of the day, we still got paid – I’d call that a good day’s work in penetration testing/security assessments.