An anonymous reader writes: I work for a company that hosts an application for one of the US Federal multi-letter government agencies. I've just been asked to run "John the Ripper" against the Active Directory (Please no Windows jokes, K?) accounts we set up for them. Not just one or two accounts, but ALL the accounts, which are made up of Federal Employees.
Why? To see if any account is using a weak password. Now mind you, we have followed or exceeded all the guidelines they have set before us (password length, complexity, history, age, etc.). The agency is rather paranoid with all the recent leaks of personal information.
When I was asked to do this, warning sirens went off in my head. Can they make me do this? What are the legal ramifications of doing this? Can I be held accountable? My gut is saying "Whatever you do, DON'T DO IT! These are federal employee accounts!" 10 years ago I wouldn't have thought twice about doing this, but with all the new laws that have been passed I'm not sure.
Does anyone have good reference material backing my stance of not doing this? Or am I stuck hacking the accounts?
P.S. I will be calling my attorney in the morning for guidance. They just dropped this on me on my way out the door for the night.