Already have the capability but I do like how it simplifies the setup and tear down. Docker is a plus. bhyve next?
FireEye reckons sysadmins need help enforcing enterprise password rules, so it's released and open-sourced a tool that distributes password testing across multiple GPU-equipped machines. GoCrack (at GitHub) combines the management of a red team's cracking tasks with privilege management, so the password tests don't fall into …
A tool like this is more about lowering the bar to a job than about enabling it in the first place. The determined blackhat can do the same already. The competent network administrator might be able to too, if only he had time free from all those more urgent demands!
A tool simplifying the latter's job sounds like a Good Thing to me. And as I read it, this one's got builtin hurdles against casual misuse, so it doesn't lower the bar too much to a script kiddie.
To withhold it would smell of that old favourite, security by obscurity.
I had to change a password for something I access both from lap/desktop and my Android phone. I found I could not use an asterisk as presumably the unicode was different in some way. Only explanation which made sense. It was definitely that character which was problematic. It worked fine from lab/desktop so it wasn't the site.
I tend to use phrase initials. Of memorable stanzas of my own, never to be published (in my lifetime) poetry. I store them in Note like apps but munged pretty bad with 1stverse or 2ndverse etc and any numbers are encoded in a Pacific island language. I can count fluently in a number of different world languages. A Turkish colleague on learning I'd been and knew my numbers tested me and said my pronunciation was very good. Well we were there a whole two weeks.
The joke is you haven't enabled password complexity rules.
We haven't been allowed to. I've been pushing for complexity rules ever since I was promoted into my current position a decade ago, and lecturing people on the importance of good passwords for the 5 prior years that I've been here.
... in most commercial companies I know sysadmins don't really have access to much unused powerful GPUs - and most companies that mostly just shuffle documents around don't care much about GPUs.
So, how do you use it? Crack your company passwords outside the company in some cloudy setup? I can foresee how many layers of authorization you may need just to think about it... and anyway once you have users' password you are also accountable for anything that may happen with those accounts... until all broken passwords has been changed.
Biting the hand that feeds IT © 1998–2019