looking for a webapp bruteforce video for non-techies

> Hi
> Can anyone recommend a video showing how easy it can be to brute force
> a web application that I can show to non-technical people. I want
> something quick and polite - preferably no leet speak banners or that
> type of thing - that I can show to both board level people and just
> generally to friends and family who chose bad passwords for web
> applications.
>
> I've just been with a client who, after being told a dictionary word
> was bad, just put a 3 in instead of an e and thought she was
> completely secure. It didn't help that the password was only 5
> characters!
>
> Thanks
>
> Robin
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>

>
>> It didn't help that the password was only 5
>> characters!
>
> That may not actually be such a bad password (on balance and in
> context).  Sure it is a dictionary/leet word variant, but five
> characters actually carry plenty of entropy (if mixed case and numerics
> are also used).  However, if you have an authentication mechanism that
> doesn't lock out an account and *allows* brute forcing, it doesn't
> really matter how strong the password is; given enough
> universe-lifetimes an attacker will always guess it eventually.

> Hi
> Can anyone recommend a video showing how easy it can be to brute force
> a web application that I can show to non-technical people. I want
> something quick and polite - preferably no leet speak banners or that
> type of thing - that I can show to both board level people and just
> generally to friends and family who chose bad passwords for web
> applications.
>
> I've just been with a client who, after being told a dictionary word
> was bad, just put a 3 in instead of an e and thought she was
> completely secure. It didn't help that the password was only 5
> characters!
>
> Thanks
>
> Robin
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>

> -------- Original Message --------
> Subject: RE: looking for a webapp bruteforce video for
> non-techies
> From: "Martin O'Neal" <martin.oneal@...>
> Date: Tue, June 03, 2008 5:01 pm
> To: "Robin Wood" <dninja@...>,  <webappsec@...>,
> "pen-test" <pen-test@...>
>
> > It didn't help that the password was only 5
> > characters!
>
> That may not actually be such a bad password (on balance and in
> context).  Sure it is a dictionary/leet word variant, but five
> characters actually carry plenty of entropy (if mixed case and numerics
> are also used).  However, if you have an authentication mechanism that
> doesn't lock out an account and *allows* brute forcing, it doesn't
> really matter how strong the password is; given enough
> universe-lifetimes an attacker will always guess it eventually.

>> That may not actually be such a bad password (on balance and in
>> context).  Sure it is a dictionary/leet word variant, but five
>> characters actually carry plenty of entropy (if mixed case and numerics
>> are also used).  However, if you have an authentication mechanism that
>> doesn't lock out an account and *allows* brute forcing, it doesn't
>> really matter how strong the password is; given enough
>> universe-lifetimes an attacker will always guess it eventually.
>
> I second Martin's comment.  There's no point in talking to users about
> password selection if the application doesn't A) lock the account after X
> number of failed attempts *AND* B) force password expiration/rotation.
> There's a very basic mathematical formula found in the Department of Defense
> Password Management Guideline[1] that can be used to calculate the risk
> associated with any particular password policy versus brute force guessing.
> Definitely required reading for anyone designing or specifying a password
> authentication mechanism.
>

> Hey there,
> i know this is not what you asked for but if you gonna use such vido
> for your own purposes
> then maybe making one on your own would be a good idea?
> you could focus on things that really matters for you i guess
>
> if i could be any help about tools to use or whatever feel free to contact me :)
>
> cheers
> J.
>
> 2008/6/3 Robin Wood <dninja@...>:
>> Hi
>> Can anyone recommend a video showing how easy it can be to brute force
>> a web application that I can show to non-technical people. I want
>> something quick and polite - preferably no leet speak banners or that
>> type of thing - that I can show to both board level people and just
>> generally to friends and family who chose bad passwords for web
>> applications.
>>
>> I've just been with a client who, after being told a dictionary word
>> was bad, just put a 3 in instead of an e and thought she was
>> completely secure. It didn't help that the password was only 5
>> characters!
>>
>> Thanks
>>
>> Robin
>>
>> -------------------------------------------------------------------------
>> Sponsored by: Watchfire
>> Methodologies & Tools for Web Application Security Assessment
>> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
>>
>> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
>> -------------------------------------------------------------------------
>>
>>
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>

> Hi
> Can anyone recommend a video showing how easy it can be to brute force
> a web application that I can show to non-technical people. I want
> something quick and polite - preferably no leet speak banners or that
> type of thing - that I can show to both board level people and just
> generally to friends and family who chose bad passwords for web
> applications.
>
> I've just been with a client who, after being told a dictionary word
> was bad, just put a 3 in instead of an e and thought she was
> completely secure. It didn't help that the password was only 5
> characters!
>
> Thanks
>
> Robin
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>

> Hi
> Can anyone recommend a video showing how easy it can be to brute force
> a web application that I can show to non-technical people. I want
> something quick and polite - preferably no leet speak banners or that
> type of thing - that I can show to both board level people and just
> generally to friends and family who chose bad passwords for web
> applications.
>
> I've just been with a client who, after being told a dictionary word
> was bad, just put a 3 in instead of an e and thought she was
> completely secure. It didn't help that the password was only 5
> characters!
>
> Thanks
>
> Robin
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>