Re: penetrating web-based authentication if you know one of the usernames

From: Ole Martin Dahl (ole.dahl@gmail.com)
Date: Wed May 18 2005 - 12:04:53 EDT


Ølstad wrote:
> Hi!
>
> I have this web-based service/directory which offers users access through a username/password-authentication process. I am wondering what if some of the usernames are compromised, and I actually don't want to change the username? Are there any tools able to run some kind of bruteforce-attack or something, against my web-authentication? Other alternatives? Do I really have to consider my whole system as compromised just because a username may be lost?
>
> In addition, does anyone know of any tool that can help me audit the web-server regarding password policy, password strength etc.?
>
> I appreciate all relevant answers :-)
>
> Very best
>
> R
>

Many tools, including vulnerability scanners [1], can do such
brute-force tests. Dedicated brute-force tools also exist, e.g. [2].

Why are you afraid if the usernames are compromised? Usernames should
not be considered secret. The confidentiality of the password is the
secret part; maybe you also meant this.

For a full web application audit I recommend OWASP [3] as a methodical
approach.

Regards

Ole Martin Dahl

[1] http://www.nessus.org
[2] http://www.hoobie.net/brutus/
[3] http://www.owasp.org/
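The practical consequence of the reply above is that a known username is only a problem if the login form lets an attacker try passwords for it without limit, so the thing to check on the defender's side is whether repeated failures are visible and acted on. The following is an added example, not code from the thread or from any of the tools it links: a small detector that reads an application authentication log in a hypothetical, constructed format (`LOGIN_FAIL`/`LOGIN_OK` with `user=` and `src=` fields, not a real product's log format) and raises an alert when a single username or source address accumulates a burst of failures inside a sliding window, flagging bursts that end in a successful login as the ones to escalate. The sample log lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in a hypothetical format (not from the thread).
# A burst of failures against one known username followed by a success,
# plus a couple of spread-out failures that should not trigger anything.
SAMPLE_AUTH_LOG = """\
2005-05-18T12:00:01 LOGIN_FAIL user=rolstad src=10.0.0.5
2005-05-18T12:00:02 LOGIN_FAIL user=rolstad src=10.0.0.5
2005-05-18T12:00:03 LOGIN_FAIL user=rolstad src=10.0.0.5
2005-05-18T12:00:04 LOGIN_FAIL user=rolstad src=10.0.0.5
2005-05-18T12:00:05 LOGIN_FAIL user=rolstad src=10.0.0.5
2005-05-18T12:00:06 LOGIN_OK   user=rolstad src=10.0.0.5
2005-05-18T12:10:00 LOGIN_FAIL user=alice   src=192.0.2.7
2005-05-18T12:30:00 LOGIN_FAIL user=alice   src=192.0.2.7
2005-05-18T12:31:00 LOGIN_OK   user=alice   src=192.0.2.7
"""

# Hypothetical log line layout: ISO timestamp, event, user=..., src=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN_FAIL|LOGIN_OK)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per username or source address that reaches `threshold`
    failed logins within a sliding `window`. Each alert records the failure
    count, the span of the burst, and whether a successful login for the same
    key followed it (the case that warrants a password reset, not a rename)."""
    recent = defaultdict(deque)  # (kind, value) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        keys = (("user", rec["user"]), ("src", rec["src"]))
        if rec["event"] == "LOGIN_FAIL":
            for key in keys:
                q = recent[key]
                q.append(rec["ts"])
                # Drop failures that have aged out of the window.
                while q and rec["ts"] - q[0] > window:
                    q.popleft()
                if len(q) >= threshold and key not in alerted:
                    alerted.add(key)
                    alerts.append({
                        "kind": key[0],
                        "value": key[1],
                        "failures": len(q),
                        "first": q[0],
                        "last": rec["ts"],
                        "success_after": False,
                    })
        else:  # LOGIN_OK: mark any open alert on this user/source as escalated
            for alert in alerts:
                if (alert["kind"], alert["value"]) in keys:
                    alert["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Tracking both the username and the source address catches the two shapes this thread is worried about: many guesses against one known account, and one source spraying across accounts. The same counters are what an application-side lockout or rate limit would key on, and a burst that ends in `LOGIN_OK` is the signal that a password, not the username, needs to change.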



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:21 EDT