Legal agreements for password audits.
#1
For those of you performing password audits for clients: what do your contracts for service look like? Our legal counsel is having an issue with us providing this service due to "privacy" issues. I think they are mostly worried about what would happen if the information got out post-audit. Not through any fault of our own, but by someone placing blame because they were aware of the audit. Any comments are appreciated.
#2
Not sure if this is interesting for you, but all hashcat versions support setting the outfile format. I've added a special outfile format (=1) for pentesters that will only print the cracked hash but not the plaintext. So you know that the hash was weak, since you were able to crack it, but you do not have the actual password, nor is it stored in the outfile or the potfile.
#3
Thanks atom, this does help some, as one of my next things to do was to work on a bash script to do this with the results. However, I think they are also concerned about the raw hashes being obtained. It seems as if the pentesting world is being cracked down on by legal "privacy" issues, which is too bad, as the whole purpose is to help.
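The post-processing script #3 mentions, written out as an added example (this is not code from the thread, from atom, or from hashcat): it takes a hashcat potfile, keeps only the hash column, and joins those hashes against the original dump so the report names the accounts with crackable passwords without ever holding a plaintext. It assumes two things the thread does not state: the potfile has hashcat's default `hash:plaintext` layout, and the dump was in `username:hash` form (the layout the `--username` option expects). The sample users and hashes are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from hashcat itself.
# Turns a hashcat potfile (hash:plaintext) into a list of accounts whose
# hash was cracked, without keeping any plaintext around.
#
# Assumptions not stated in the thread: the potfile uses the default
# "hash:plaintext" layout, and the dump given to hashcat was in
# "username:hash" form (what hashcat's --username option expects).

# Print only the hash column of a potfile.  Split on the first ':' only:
# a plaintext may itself contain colons, so "cut -f1" is the safe choice.
cracked_hashes() {
    cut -d: -f1 "$1" | sort -u
}

# Print the usernames from a "username:hash" dump whose hash appears in
# the potfile.  The output never contains a plaintext.
# awk reads the cracked-hash list from stdin ("-") first (NR == FNR),
# then walks the dump and prints the user when field 2 is a cracked hash.
weak_accounts() {
    potfile="$1"; dump="$2"
    cracked_hashes "$potfile" |
        awk -F: 'NR == FNR { seen[$1] = 1; next } ($2 in seen) { print $1 }' - "$dump"
}

# Number of cracked accounts, the figure that usually goes in the report.
weak_count() {
    weak_accounts "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample inputs: fictional users; the first two hashes are the
# MD5s of "password" and "123456", the other two are made up.  carol's
# hash is deliberately absent from the potfile (not cracked).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/hashcat.potfile" <<'EOF'
5f4dcc3b5aa765d61d8327deb882cf99:password
e10adc3949ba59abbe56e057f20f883e:123456
8d969eef6ecad3c29a3a629280e686cf:pass:with:colons
EOF
    cat > "$dir/dump.txt" <<'EOF'
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:e10adc3949ba59abbe56e057f20f883e
carol:0d107d09f5bbe40cade3de5c71e9e9b7
dave:8d969eef6ecad3c29a3a629280e686cf
EOF
    echo "$dir"
}

# Usage:
#   d=$(make_samples)
#   weak_accounts "$d/hashcat.potfile" "$d/dump.txt"   # alice, bob, dave
#   weak_count    "$d/hashcat.potfile" "$d/dump.txt"   # 3
```

Note that this only removes plaintexts; the cracked hashes themselves are still written out, which is exactly the residual concern #3 raises about the raw hashes. If that is the sticking point, the hash column can be dropped after the join, leaving only usernames and a count.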