Requirements that cannot be implemented can be anything from minimum/maximum length and complexity settings to non-measurable requirements such as “never use the same password at work as you use at home” or “do not use any word from any existing language today as whole or part of your password”.
In almost any case, there will be differences between the written policy, and the technical implementation of the policy, in any system. Obviously, this really doesn’t aid end users in choosing and maintaining good passwords, as there will be various settings forcing them to have different passwords and different change frequencies from system to system.
Most auditors will conduct random samples to verify if the technical implementation equals the written policy. Unfortunately they will usually accept most deviations based on technical issues, as explained by system maintainers. Some auditors may check random accounts for “password last set” and “last logon” information, in order to get a quick impression of the overall account maintenance status, eventually mixing that with at list of ex-employees to verify if their accounts has been disabled and/or removed.
What they won’t do is any type of password cracking to sample the compliance of passwords against the technical or the written password policy. From my point of view the results from the audit performed will be pretty close to worthless. You really will have no idea about the real risk level you are facing.
Consider this: If the written and/or technical implementation of a password policy gets changed, it may take months, years and even decades before all accounts has their passwords changed in accordance to the new policy. This is especially true for environments where software for complete account management are not in use. (This is true for most environments i have ever audited through 13+ years).
This is a major reason for why you should do proactive password audits. Doing password audits on your own systems will effectively help you with verifying password compliance against the written password policy. This is the best way of finding the weak spots, such as accounts where the password equals the username (a very common finding everywhere actually). You are simply blind to the risk of bad passwords as long as you don’t audit them properly.
In fact, i would say that any auditor that is not capable of performing such an audit upon request is simply not good enough. Their audit will not provide the necessary input needed for you to make real-life risk assessments and perform the necessary steps to reduce the risk accordingly.
Good luck with your next password audit!
Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://Twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com. Comments and questions are of course welcome!