As long as you have all accounts set up with /flags=(NODISPWDDIC,NODISPWDHIS) and you haven't weakened the password dictionary, or reduced the time before passwords can be reused, about the only thing that guessing passwords will find are passwords that have been entered by privileged users at the UAF prompt, which bypasses any history or dictionary lookups. In other words, if user JOEKID has /PWDMINIMUM=8 /FLAGS=(NODISPWDDIC,NODISPWDHIS), a privileged user can still use the following command to change the password to "SECRET", even though it isn't allowed by the password dictionary and does not meet the minimum password length.
$ mcr authorize modify joekid/pass=secret/nopwde
You can detect these changes with authorization auditing, but there are other ways that privileged users can modify passwords without the changed showing up in audit journal as an authorization event.
If you want to detect all password changes, you could take a periodic snapshot of the SYSUAF file and have a program compare the password and salt fields to see if they had changed, and then verify that there are audit records for the changed passwords.
If you want to find passwords, methods other than brute force guessing are probably easier. Social engineering, looking under people's keyboards, in their top shelf, on their calendar or sticky notes will probably yield more than a brute force scan of the SYSUAF file. If telnet or ftp is being used, WireShark or easily found password sniffing programs are the easiest way.
Procedures to attempt to guess passwords, in my opinion, do more to provide a false sense of security than to actually improve it.
If truly strong passwords are enforced, the likelihood of finding passwords written (in easily found locations) increases.
In summary, you can put great lock on a screen door, but it doesn't provide much real protection.
Just my opinion.
Jon
it depends
