I’ve always been a fan of Acunetix Web Vulnerability Scanner. It’s a lesser-known tool that packs a big punch. One of its best qualities is its password checking. As I mentioned in this post, Acunetix Web Vulnerability Scanner took what was going to be a basic assessment of an Outlook Web Access system with very few findings up many notches into a true penetration of the system…all thanks to the built-in password checks it does by default.
I’ve since had other scenarios where it has done the same thing and left me wondering why other scanners aren’t finding these holes!?
The following screenshot shows some of the Acunetix Web Vulnerability Scanner password check policy settings.
The scanner not only checks for weak Web passwords but also weak FTP, POP3, SMTP, telnet, and other passwords as well.
I’m still waiting for some good brute-force checks built into these tools (a la Brutus) and – especially – better handling of login forms. If/when this occurs I honestly think we could eliminate a huge chunk of the directly-exploitable Web flaws out there. In fact, I’m really surprised that other scanners aren’t doing more in this area.
I’m confident that many – if not most – Web sites/apps that are deemed “secure” are just one weak password away from getting hacked…the weak passwords are there, they’re just being overlooked. Unless and until we start seeing better password-cracking capabilities built into all mainstream Web vulnerability scanners, this flaw will remain and rear its ugly head in any given system. It’s just a matter of time.