The Ec council considers good old fashion password cracking as still the best place to focus on.  If there is no exploitable vulnerability or miss configured network, password cracking is still your best place to put your attention.

    I am finding that more and more people are getting away from just using a simple dictionary word for their passwords. Often they at least add a number to the word, i.e. cherry11.  Often those numbers might have a meaning like their birthday. All in all, in my experience cracking passwords with just a simple dictionary attack is getting less productive.  The only good thing is a dictionary attack is fast to do and quickly see if you need to go to stronger methods. 

     The most common password problem I encounter is not so much that they are so easy to crack, but once you do reveal it, you have access to everything that uses has.  Most people use the same password for everything!  What makes that practice a vulnerability is you never know where you might give it up.  Sure, the admin is very careful when he logs onto to his server, but is he as careful when he checks his email from my house with my computer?  How many passwords does he maintain, perhaps one or two for everything?  Imagine placing a hard ware key logger on the general access computer at the hotel lobby you are staying at and see the results you have. 

    I am wondering if other pen testers here have had the same experience with the general public.  Once you have their password, most everything else they have is yours.  Online Banking, email, pcanywhere,etc..

  At the keynote at RSA Conference [in February 2004], Bill Gates basically said that usernames and passwords are dead.