Password Assessment with LC6 – Why it Matters for Auditors

Last week the researchers over at the L0phtCrack team (Christien Rioux, Chris Wysopal, and Peiter Mudge Zatko) released a new version of their famous tool – l0phtcrack, this time known as LC6. The tool has finally returned from its long slumber and is now available for download and purchase from their website (http://www.l0phtcrack.com/index.html). And can I just say to these developers, Welcome back!

The million dollar question security engineers and auditors are probably asking right now is, why would I willingly pay for a password cracking tool when there are free tools like John the Ripper, LCP, and Cain & Abel available that will do the same thing?

Well, I’m glad you asked…

LC6 has a feature called – “Display Passwords when Audited” which can be disabled.

That feature alone should make this the password cracking tool of choice for any security auditor. If you’re an auditor, do you really want to know what your users’ passwords are? Or do you simply want to know how long it takes to crack the passwords and whether they are in compliance with the organization’s password policies? It seems to me as an auditor, we want to protect our passwords and our hashes from inadvertent disclosure. What better way to do that than not displaying them at all?

Auditors, password assessment should be a part of your testing regiment, but only in a controlled manner and with proper management authorization. Although I don’t get any corporate sponsorship for saying this, I think we should consider LC6, to protect our integrity as auditors and yet still be able to test a critical system control.

Crack responsibly…