What is suggested as an alternative to relying solely on password guessing during a test?


Multiple Choice


Explanation:

Understanding password security requires more than just guessing passwords during a live test. The recommended approach is to augment the assessment with a password cracking phase to audit password strength. This means capturing password hashes (with proper authorization) and performing offline cracking to see how resistant the current policies and implementations really are. It provides concrete, measurable evidence of how long it would take an attacker to crack passwords, which directly informs how effective the password policy is.

This approach gives you actionable insights you can use to improve security, such as enforcing longer passwords, complexity requirements, password rotation policies, and better hashing schemes. It also avoids the unpredictability and potential disruption of live password-guessing attempts, and it stays within a controlled, repeatable methodology.

Relying on social engineering to obtain credentials mixes in ethical and legal concerns and doesn’t yield a controlled measure of password strength. Testing only non-production systems fails to reveal weaknesses in production controls, and ignoring password security altogether leaves a critical control unchecked.
