detecting lame passwords

[G]

I know that the standard disclaimers apply: running certain security
auditing tools without permission may be criminally prosecutable, and at
least grounds for termination. With that happy thought in mind, what tools
would you recommend for finding who has a weak password? I've explained that
Winter07 is not a good password, but since Windows will accept it, I think
that some kind of auditing is my next prudent step.

Recommended products for preventing this in the first place are welcome as
well. But presenting a user with their password as evidence that they chose
a weak password seems to be hard to argue with.

My assumption is that such a tool would run under the admin account, and
that the tool itself should secured to said account.
________
Greg Stigers, MCSA
remember to vote for the answers you like

 

[Vladimir Katalov]

"G" wrote in message
news:%23VRAZrZbIHA.4208@TK2MSFTNGP04.phx.gbl...
>I know that the standard disclaimers apply: running certain security
>auditing tools without permission may be criminally prosecutable, and at
>least grounds for termination. With that happy thought in mind, what tools
>would you recommend for finding who has a weak password? I've explained
>that Winter07 is not a good password, but since Windows will accept it, I
>think that some kind of auditing is my next prudent step.
>
> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they
> chose a weak password seems to be hard to argue with.
>
> My assumption is that such a tool would run under the admin account, and
> that the tool itself should secured to said account.

Please try Proactive Password Auditor, probably that's what you need:

http://www.elcomsoft.com/ppa.html

--
Sincerely yours,
Vladimir

Vladimir Katalov
CEO
ElcomSoft Co.Ltd.
mailto:vkatalov@elcomsoft.com
http://www.elcomsoft.com

 

[Anteaus]

We had this issue, in that users were setting passwords which were ostensibly
'complex' but in fact related to easily-guessable personal attributes, so
were actually weaker than simple but random paswords. Examples might be a
vehicle reg or marque, date of birth, golf club, date and place of football
match, etc. (Or in America, gun type might come high on the list, I guess!)

The only real answer is to allocate passwords. Unfortunately, if you take
this approach, you soon discover that Windows isn't designed to work like
this, and it's considerably more difficult to manage such an arrangement than
one of user-set passwords.

"Vladimir Katalov" wrote:

>
> Please try Proactive Password Auditor, probably that's what you need:
>
> http://www.elcomsoft.com/ppa.html

 

[Al Dunbar]

"G" wrote in message
news:%23VRAZrZbIHA.4208@TK2MSFTNGP04.phx.gbl...
>I know that the standard disclaimers apply: running certain security
>auditing tools without permission may be criminally prosecutable, and at
>least grounds for termination. With that happy thought in mind, what tools
>would you recommend for finding who has a weak password? I've explained
>that Winter07 is not a good password, but since Windows will accept it, I
>think that some kind of auditing is my next prudent step.

That might not actually be that bad a password - in 2008!

> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they
> chose a weak password seems to be hard to argue with.

Considering that users do not generally understand how passwords work, and
most of mine have the idea that I simply know everybody's password, or can
look it up with my privileged account, I'd say that might be an argument
that is hard to argue for, not against.

And further, demonstrating that you can do this will not augur well for the
good faith you have hopefully built up with your users, and with your
company. The next time someone gets the idea that the content of one of
their documents has been leaked, guess who will come to mind as the most
likely suspect? The person who can figure out all passwords, thereby being
able to logon to user accounts completely anonymously.

> My assumption is that such a tool would run under the admin account, and
> that the tool itself should secured to said account.

I would rather see it kept out of the network altogether. I think there are
programs that can analyze password strength, but WITHOUT actually
determining what the passwords are.

But where you say "the admin account", do people in your organization
actually log on to the built-in "Administrator" account? Now *there* is a
vulnerability you should stamp out right away.


/Al

 

[Al Dunbar]

"Anteaus" wrote in message
news:F706153A-CA19-403A-8E91-91B3D6591E1F@microsoft.com...
> We had this issue, in that users were setting passwords which were
> ostensibly
> 'complex' but in fact related to easily-guessable personal attributes, so
> were actually weaker than simple but random paswords. Examples might be a
> vehicle reg or marque, date of birth, golf club, date and place of
> football
> match, etc. (Or in America, gun type might come high on the list, I
> guess!)
>
> The only real answer is to allocate passwords.

Not sure what you mean, but it sounds as if you would be generating complex
passwords and giving them out to the users. The trouble with that is, how
can it be guaranteed that the user is the only person who will ever find out
what the password is? And then you'd either have to let them use the same
password forever, or go through the whole process periodically.

> Unfortunately, if you take
> this approach, you soon discover that Windows isn't designed to work like
> this, and it's considerably more difficult to manage such an arrangement
> than
> one of user-set passwords.

And a good thing, too. Yes, users will generally try to come up with an easy
to remember password, a feature that also tends to make them easily
guessable. Or they will write it down because they cannot remember it. The
only solution I can think of is to educate the users as to the importance of
choosing complex passwords.

/Al

>
> "Vladimir Katalov" wrote:
>
>>
>> Please try Proactive Password Auditor, probably that's what you need:
>>
>> http://www.elcomsoft.com/ppa.html
>

 

[Anteaus]

Bottom line is, even at Fort Knox they have to trust someone with the key.

Though, I'm amazed how ready management are to give-out Admin passwords to
visiting IT guys from software companies. It presumably doesn't occur to them
than any Admin can create a second Admin account, so changing the password
after he/she has left won't necessarily revoke their priveleges.

"Al Dunbar" wrote:


> But where you say "the admin account", do people in your organization
> actually log on to the built-in "Administrator" account? Now *there* is a
> vulnerability you should stamp out right away.

 

[Mick Murphy]

http://ophcrack.sourceforge.net/

http://home.eunet.no/~pnordahl/ntpasswd/

These 2 are good.


--
Mick Murphy - Qld - Australia


"G" wrote:

> I know that the standard disclaimers apply: running certain security
> auditing tools without permission may be criminally prosecutable, and at
> least grounds for termination. With that happy thought in mind, what tools
> would you recommend for finding who has a weak password? I've explained that
> Winter07 is not a good password, but since Windows will accept it, I think
> that some kind of auditing is my next prudent step.
>
> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they chose
> a weak password seems to be hard to argue with.
>
> My assumption is that such a tool would run under the admin account, and
> that the tool itself should secured to said account.
> ________
> Greg Stigers, MCSA
> remember to vote for the answers you like
>
>
>

 

[Al Dunbar]

If they really want to portray a professional image, those visiting IT guys
from software companies should tell their hosts that this is something they
should not be doing and if the password had already been revealed to them
should insist that the password be immediately changed to avoid a lawsuit
when it is suspected they might have done something illegal with the
knowledge. Whenever a user tells me their password, I immediately change it
and force them to login to change it.

I rather suspect that there is no single key to fort knox, but that each one
accessing it has his/her own swipe card that gets him/her into only those
places he/she is authorized. And on top of this, all uses of the swipe
card/key are likely tracked and audited.

Same in a domain, where each person authorized should be given their own
personal account with whatever rights and privileges they are authorized to
have. And this should also be the case for anyone expected to carry out
admin duties and needing a high level of privilege. Should one of these go
rogue, their account can be disabled without affecting other users or
administrators.

Trouble is, when the actual admin account is used, there can be no accurate
auditing of usage *unless* that account's password is known by only one
person. Typically, at least a couple of people know this password, and when
you see the account has logged in you have no way of knowing by whom.

The administrator password should be set to a series of keystroke sequences
entered by different people. They then write their portion down and the
works is placed into a sealed envelope in a secure vault. Now nobody knows
the password, but it is available in the event it is needed. Which will be
never.

/Al

"Anteaus" wrote in message
news:72E51FCA-2F55-4468-B603-25F3D40D80D7@microsoft.com...
> Bottom line is, even at Fort Knox they have to trust someone with the key.
>
> Though, I'm amazed how ready management are to give-out Admin passwords
> to
> visiting IT guys from software companies. It presumably doesn't occur to
> them
> than any Admin can create a second Admin account, so changing the password
> after he/she has left won't necessarily revoke their priveleges.
>
> "Al Dunbar" wrote:
>
>
>> But where you say "the admin account", do people in your organization
>> actually log on to the built-in "Administrator" account? Now *there* is a
>> vulnerability you should stamp out right away.
>

 

[G]

The first tool, ophcrack, requires booting from a CD, and is limited to LM
hashes and NTLM hashes within a limited set of characteristics. Neither
describe our environment. The second requires booting from the CD, and
editing a local password, which is not the same as cracking their domain
password.

What other tools would you recommend for finding who has a weak password?
Since Windows will accept "Password01" as meeting complexity requirements,
and then let the user choose "Password02" when that expires, I think that
some kind of auditing is my next prudent step. Recommended products for
preventing this in the first place are welcome as well. Presenting a user
with their cracked password as evidence seems to be hard to argue with.
________
Greg Stigers, MCSA
remember to vote for the answers you like

 

[Al Dunbar]

"G" wrote in message
news:uUnEccQiIHA.1212@TK2MSFTNGP05.phx.gbl...
> The first tool, ophcrack, requires booting from a CD, and is limited to LM
> hashes and NTLM hashes within a limited set of characteristics. Neither
> describe our environment. The second requires booting from the CD, and
> editing a local password, which is not the same as cracking their domain
> password.
>
> What other tools would you recommend for finding who has a weak password?
> Since Windows will accept "Password01" as meeting complexity requirements,
> and then let the user choose "Password02" when that expires, I think that
> some kind of auditing is my next prudent step. Recommended products for
> preventing this in the first place are welcome as well. Presenting a user
> with their cracked password as evidence seems to be hard to argue with.

If you are going to be running password cracking tools on your system, will
you also be monitoring the system for the use of password cracking tools by
others?

In my organization we understand that we are not supposed to know user
passwords. If someone tells me theirs, I reset it and require them to logon
to change it. The use of password cracking software is considered a
violation of security, regardless who uses it or for what purpose.

As you suggest, even when "strong passwords" are enforced, sequences such as
"Password01" - "Password02", will be allowed and will occur. Strengthening
the enforcement rules will NOT fix this, as this would lead to a smaller
number of allowable passwords, and also make it more likely for people to
write them down. For example, if the password pattern must include multiple
instances of each type of character (uppercase, lowercase, numeric,
punctuation), and if no repeats are allowed, well, you can do the math on
that one...

Let's face it, the system is at the mercy of the users in this, so the best
approach, I think, is to enlist their support. My preference would be to
require a long password, but leave the composition up to the users, and give
them a number of options to help them come up with a password that is strong
but can be remembered. One possibility is the pass-phrase method, but there
may be others. It should also be explained to them what makes passwords
strong.

After you have rubbed a few users' noses in the doggy-doo of their weak
passwords, I suspect that they would indeed fall in line, but that they
would be more likely to write down their passwords. Whatever happens, they
will not see themselves and you as being part of the same team.

/Al