Price for PW Audit
#1
What are real life prices for a password Audit.

Lets say:

1. Small StartUp 5-10 Employees
2. 100 User Active Directory
3. Fortune 500 Corp with 50+ Domains and each of them 100+ Users

All the best
scumpii
#2
ONE MILLION DOLLARS
#3
(04-20-2015, 08:49 PM)epixoip Wrote: ONE MILLION DOLLARS
funny
#4
what did you expect
#5
The real life prices for

1. building a house in St. Pete
2. restoring an old Merc
3. a trip to Hawaii for 2

could also be ONE MILLION DOLLAR. Guess you got the point.
#6
(04-20-2015, 12:51 PM)scumpii Wrote: What are real life prices for a password Audit.

Lets say:

1. Small StartUp 5-10 Employees
2. 100 User Active Directory
3. Fortune 500 Corp with 50+ Domains and each of them 100+ Users

All the best
scumpii

In my opinion...
1. $0. Not many companies with 5-10 employees are looking for someone to audit their password, especially when they can easily manually enforce a strict PW policy with so few users if they cared. If the data they were worried about the data they were protecting they would have difficult enough passwords (at least in their minds) to not need someone, and if they had a second thought about it they'd just take 5 minutes out of the day to change those few passwords.

2. $0. Again, companies of this size rarely care about this sort of thing until after the fact, in which case the pw's have been reset and setup a stricter pw policy.

3. Who knows... but I'd say $0 also. This is usually something done by an outfit hired for consultation or to pen test the company infrastructure as a whole, and PW's are just a subset of it - and probably a very small one at that if there is a decent PW strength policy in place. And if there isn't they won't bother to test them unless it was to fluff up "look what a bad could have done, good thing you hired us" report. Instead they'd just request an appropriate policy and reset all the PWs/credentials if the scheme is weak.

End of day, the price is what you're willing to do it for and someone else is willing to pay. Charge your normally hour rate is, be it $20/hr, $100/hr, $200/hr (whatever it is), by the number of hours you'll spend on the project and that's your price... whether anyone pays it who knows.

I don't know how many people make a living doing strictly PW auditing for companies, I would guess not many. PW audits IME from a commercial endeavor are more of subset of complete systems/security auditing. Having someone tell you that your passwords are strong or weak is really useless to the overall goal if you cannot tell your client that your systems/servers are secure. The ability to obtain the hashes generally means the attacker has compromised a system, and often with elevated privileges or the ability to overwrite the hash (ie: SQL Injection), so game over before started...

On most systems where there is any level of security consciousness for people to seek out such services, they typically make it difficult to do a remote brute force on scale (attempting to login a system, even with a known username to start with), either by design or lack of throughput. Plus, such an attack isn't related to HC, so I'm assuming you mean the company providing the hashes for you to compare. So more often than not if hashes are obtained the enemy is already through the gates so to speak. Certainly in some instances strong hashes will help prevent elevation of an attack, but most are concerned with even getting to that point where the hashes are available... which is why commercially I see the true value of this being one piece of a multi faceted audit as opposed to a standalone service. Don't get me wrong though, I'm not saying no one will pay for a false sense of security, but it is tough a pitch to make to anyone remotely familiar with IT and systems and those are the people who will have input on the decision since they're the ones who undoubtedly have to package up all the hashes to give to you.

That's my take on it anyways. But if people are actually selling PW Audits like hotcakes I'd love to hear about it and find out how to monetize some of my research interests.