Pentester Reporting on Cracked Passwords

Any time a password is obtained during a security review, whether it is simply a default setting, cracked after 8 days of crunching, or anything in between, there are some important things the tester needs to do.

First, notify the client and recommend they force a password change. Don’t just have them set the account to force a change at next login; specify that they change it and then, if necessary, notify the user. This is because the account may already be compromised. Just forcing a change may permit a bad guy to continue to access the account.

Second, if you must disclose the passwords to anyone, do so using partial masks. Show only the first two characters or something similar, to disclose as little as possible while still proving you have the password. This is because the password in question might be used for other things, like personal banking. Disclosing the full password could permit third parties to obtain access to accounts other than the one being examined. Judgement is important, since even two characters can be enough to identify a full password.

Above all, never release the passwords and accounts in any transferable format, such as a PDF or as part of the report. Make sure your contracts indicate that the client must change the passwords within a time frame, and be able to show that your own practices do not put the account credentials at risk, such as by sharing them with co-workers on a file sharing site. Should anything go wrong, you want to be able to demonstrate that your people are not at fault.

Never retain credentials, and don’t add any of them to your dictionary unless you’ve filtered them closely for any that might indicate origin. Something like “ih8COMPANYX” can indicate origin and may be used by another user at some future date, and if your dictionary ever gets questioned, you might be liable.

As always, check with a lawyer for real legal advice on the contracts and other legal subjects; Digital Trust is not a legal authority.
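One way to apply the partial-mask and dictionary-filter advice above, as an added example that is not part of the original post. The two-character prefix comes from the post; the fixed-width mask, the short-password threshold, the leetspeak folding, and all names and sample data are assumptions.

```python
# Added example: names, thresholds and sample data are assumptions, not from the post.
VISIBLE = 2        # leading characters shown, per the post's "first two characters"
MIN_HIDDEN = 6     # assumed threshold: with fewer hidden characters, show none
FIXED_MASK = "*" * 8   # fixed width so the report does not reveal password length

# Assumed leetspeak folding so "C0mp4nyX" still matches the term "companyx".
LEET = str.maketrans("013457@$!", "oieastasi")

def fold(text):
    """Lower-case and undo common character substitutions."""
    return text.lower().translate(LEET)

def mask(password):
    """Report-safe form: short prefix as proof of possession, rest hidden."""
    shown = VISIBLE if len(password) - VISIBLE >= MIN_HIDDEN else 0
    return password[:shown] + FIXED_MASK

def indicates_origin(password, account, origin_terms):
    """True if the password embeds the account name or a client-identifying term."""
    folded = fold(password)
    return any(fold(t) in folded for t in [account, *origin_terms])

def report_rows(findings):
    """(account, masked password) pairs; full passwords never leave this function."""
    return [(account, mask(pw)) for account, pw in findings]

def dictionary_candidates(findings, origin_terms):
    """Passwords only, no accounts, with origin-indicating entries dropped."""
    return [pw for account, pw in findings
            if not indicates_origin(pw, account, origin_terms)]

# Constructed sample data, not real credentials.
FINDINGS = [
    ("jsmith", "ih8COMPANYX"),
    ("svc_backup", "Winter2019!"),
    ("adoe", "abc123"),
    ("mlee", "C0mp4nyX2024!"),
]
ORIGIN_TERMS = ["companyx"]

if __name__ == "__main__":
    for account, masked in report_rows(FINDINGS):
        print(f"{account:12} {masked}")
    print(dictionary_candidates(FINDINGS, ORIGIN_TERMS))
```

The short-password rule reflects the post's point that two characters can be enough to identify a full password; the threshold itself is a judgement call to tune per engagement.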

This post was largely inspired by a conversation from the SANS pentesting forum.