11 security audit essentials
A note on password strength
While IT security audit tools facilitate the security audit process, it would not be out of place here to call attention to the importance of password strength. Most organizations provide employees with a long set of instructions on how to create strong passwords and even disallow creation of trivial or weak passwords. But in the absence of such safeguards, and also for home users or non-technical users, a password strength tool could be useful.
One such tool is available for free at http://howsecureismypassword.net. Using this tool, one can establish the estimated time in which a particular password could be cracked. Based on a stored database of passwords, it also informs if the password is among the list of top weak passwords, and provides detailed analysis on the password strength. The tool also offers suggestions for a better password.
Password cracking tools are an indispensible part of every set of IT security audit tools. We recommend AirCrack (wireless) and Ophcrack (system). AirCrack is used to crack WEP and WPA encryptions in wireless networks. For AirCrack to work effectively, a prerequisite is to capture enough packets from the air and allow the program to execute the algorithms to crack the wireless keys. AirCrack is most suited to 802.11a/b/g standards.
Ophcrack is a free open source tool that can be used to crack Windows passwords using rainbow tables. It is bundled with free tables for Windows XP and Windows Vista. It also analyzes the strength of a password through real-time graph analysis. An extension for cracking simple passwords using brute force is available.
You can download Ophcrack here and AirCrack here.