John Hinton wrote:
> On 6/30/2010 8:54 PM, John Jasen wrote:
>> Well, I'm a security admin, so of course protection is more important
>> than utility! :)
>>
>> But seriously, the assessment tools provide information on your
>> environment, based on certain standard metrics. It's (HOPEFULLY! PCI
>> compliance notwithstanding ....) up to the people who end up reading
>> them to fix the environment, determine that it's not a problem, or accept
>> the risk that was discovered.
>>
>
> Sorry to drag this back out to the front... I've been beyond busy and
> just now catching up.
>
> One of the things that is blaring to me in these 'security' scans is
> that there is no check of passwords. We can jump through every hoop in
> the world to provide a 'secure' environment, yet without 'verifying'
> with the client a quality password and password policy, this is simply a
> moot point. Yes, one would hope... but if they don't check this, how do
> they know? I have had requests for password changes to the most ignorant
> and guessable things. We don't allow any of our users to set their
> passwords, but I do wonder about these supposedly 'secure' sites.

Well, security assessment tools should just be a part of your holistic
security posture. Hopefully, if passwords are a concern, you've set
requirements for complex passwords in your authentication system, and are
routinely running password scans against them.

FWIW, Nessus does have a check for stupid default passwords for default
accounts.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire