Guest G, Posted February 12, 2008

I know that the standard disclaimers apply: running certain security auditing tools without permission may be criminally prosecutable, and at least grounds for termination. With that happy thought in mind, what tools would you recommend for finding who has a weak password? I've explained that Winter07 is not a good password, but since Windows will accept it, I think that some kind of auditing is my next prudent step.

Recommended products for preventing this in the first place are welcome as well. But presenting a user with their password as evidence that they chose a weak password seems to be hard to argue with.

My assumption is that such a tool would run under the admin account, and that the tool itself should be secured to said account.

________
Greg Stigers, MCSA
remember to vote for the answers you like
Guest Vladimir Katalov, Posted February 13, 2008

"G" <gregstigers+w@spamcop.net> wrote in message news:#VRAZrZbIHA.4208@TK2MSFTNGP04.phx.gbl...
> I know that the standard disclaimers apply: running certain security
> auditing tools without permission may be criminally prosecutable, and at
> least grounds for termination. With that happy thought in mind, what tools
> would you recommend for finding who has a weak password? I've explained
> that Winter07 is not a good password, but since Windows will accept it, I
> think that some kind of auditing is my next prudent step.
>
> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they
> chose a weak password seems to be hard to argue with.
>
> My assumption is that such a tool would run under the admin account, and
> that the tool itself should be secured to said account.

Please try Proactive Password Auditor, probably that's what you need:
http://www.elcomsoft.com/ppa.html

--
Sincerely yours,
Vladimir

Vladimir Katalov
CEO ElcomSoft Co.Ltd.
mailto:vkatalov@elcomsoft.com
http://www.elcomsoft.com
Guest Anteaus, Posted February 13, 2008

We had this issue, in that users were setting passwords which were ostensibly 'complex' but in fact related to easily-guessable personal attributes, so were actually weaker than simple but random passwords. Examples might be a vehicle reg or marque, date of birth, golf club, date and place of football match, etc. (Or in America, gun type might come high on the list, I guess!)

The only real answer is to allocate passwords. Unfortunately, if you take this approach, you soon discover that Windows isn't designed to work like this, and it's considerably more difficult to manage such an arrangement than one of user-set passwords.

"Vladimir Katalov" wrote:
> Please try Proactive Password Auditor, probably that's what you need:
> http://www.elcomsoft.com/ppa.html
Guest Al Dunbar, Posted February 15, 2008

"G" <gregstigers+w@spamcop.net> wrote in message news:#VRAZrZbIHA.4208@TK2MSFTNGP04.phx.gbl...
> I know that the standard disclaimers apply: running certain security
> auditing tools without permission may be criminally prosecutable, and at
> least grounds for termination. With that happy thought in mind, what tools
> would you recommend for finding who has a weak password? I've explained
> that Winter07 is not a good password, but since Windows will accept it, I
> think that some kind of auditing is my next prudent step.

That might not actually be that bad a password - in 2008!

> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they
> chose a weak password seems to be hard to argue with.

Considering that users do not generally understand how passwords work, and most of mine have the idea that I simply know everybody's password, or can look it up with my privileged account, I'd say that might be an argument that is hard to argue for, not against. And further, demonstrating that you can do this will not augur well for the good faith you have hopefully built up with your users, and with your company. The next time someone gets the idea that the content of one of their documents has been leaked, guess who will come to mind as the most likely suspect? The person who can figure out all passwords, thereby being able to log on to user accounts completely anonymously.

> My assumption is that such a tool would run under the admin account, and
> that the tool itself should be secured to said account.

I would rather see it kept out of the network altogether. I think there are programs that can analyze password strength, but WITHOUT actually determining what the passwords are.

But where you say "the admin account", do people in your organization actually log on to the built-in "Administrator" account? Now there is a vulnerability you should stamp out right away.

/Al
Guest Al Dunbar, Posted February 15, 2008

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message news:F706153A-CA19-403A-8E91-91B3D6591E1F@microsoft.com...
> We had this issue, in that users were setting passwords which were ostensibly
> 'complex' but in fact related to easily-guessable personal attributes, so
> were actually weaker than simple but random passwords. Examples might be a
> vehicle reg or marque, date of birth, golf club, date and place of football
> match, etc. (Or in America, gun type might come high on the list, I guess!)
>
> The only real answer is to allocate passwords.

Not sure what you mean, but it sounds as if you would be generating complex passwords and giving them out to the users. The trouble with that is, how can it be guaranteed that the user is the only person who will ever find out what the password is? And then you'd either have to let them use the same password forever, or go through the whole process periodically.

> Unfortunately, if you take this approach, you soon discover that Windows
> isn't designed to work like this, and it's considerably more difficult to
> manage such an arrangement than one of user-set passwords.

And a good thing, too. Yes, users will generally try to come up with an easy to remember password, a feature that also tends to make them easily guessable. Or they will write it down because they cannot remember it. The only solution I can think of is to educate the users as to the importance of choosing complex passwords.

/Al

> "Vladimir Katalov" wrote:
>
>> Please try Proactive Password Auditor, probably that's what you need:
>> http://www.elcomsoft.com/ppa.html
Guest Anteaus, Posted February 19, 2008

Bottom line is, even at Fort Knox they have to trust someone with the key.

Though, I'm amazed how ready management are to give out Admin passwords to visiting IT guys from software companies. It presumably doesn't occur to them that any Admin can create a second Admin account, so changing the password after he/she has left won't necessarily revoke their privileges.

"Al Dunbar" wrote:
> But where you say "the admin account", do people in your organization
> actually log on to the built-in "Administrator" account? Now there is a
> vulnerability you should stamp out right away.
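The "second Admin account" Anteaus describes is something you can check for after the fact. The Python below is an added example, not code from the thread or from any tool mentioned in it: it scans a window of Security-log events (the period the visitor held the Administrator password) for account creations and additions to privileged groups, and flags anything not covered by an approved change. The event records are constructed in-code with a simplified field layout, the event IDs (4720, 4728, 4732, 4756) are the Server 2008+ Security-log numbers, assumed to match the environment, and the approved-change set stands in for whatever ticketing system you actually have.

```python
"""Find accounts created, or made privileged, while a visitor held the
Administrator password.  Added example with constructed events; the event
IDs are Server 2008+ Security-log numbers (an assumption about the domain)."""
from datetime import datetime

ACCOUNT_CREATED = 4720                      # "A user account was created"
GROUP_MEMBER_ADDED = {4728, 4732, 4756}     # global / local / universal group
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins",
                     "Enterprise Admins", "Schema Admins"}
BUILTIN_ADMIN = "Administrator"             # shared account: actions cannot be attributed

# Constructed sample events: (time, event id, acting account, target account, group)
EVENTS = [
    ("2008-02-18T14:02:11", 4624, "Administrator", "", ""),
    ("2008-02-18T14:10:45", 4720, "Administrator", "svc_backup2", ""),
    ("2008-02-18T14:11:03", 4732, "Administrator", "svc_backup2", "Administrators"),
    ("2008-02-18T15:30:00", 4720, "gstigers", "jsmith", ""),
    ("2008-02-18T15:31:00", 4728, "gstigers", "jsmith", "Domain Users"),
    ("2008-02-20T09:00:00", 4732, "gstigers", "asmith", "Administrators"),
]
# Changes covered by a change ticket (assumed): (target account, group)
APPROVED = {("asmith", "Administrators")}


def audit_window(events, start, end, approved=frozenset()):
    """Return findings for events between start and end (ISO-8601, inclusive).

    Each finding is a dict with kind, target, actor, time and attributable.
    An account created inside the window and then put in a privileged group is
    reported as 'new-account-made-admin'; anything done as the shared built-in
    Administrator is marked attributable=False because the log cannot say who
    was at the keyboard."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    created = set()
    findings = []
    for time, event_id, actor, target, group in sorted(events):  # ISO times sort correctly
        t = datetime.fromisoformat(time)
        if not t0 <= t <= t1:
            continue
        if event_id == ACCOUNT_CREATED:
            created.add(target)
            kind = "account-created"
        elif event_id in GROUP_MEMBER_ADDED and group in PRIVILEGED_GROUPS:
            if (target, group) in approved:
                continue
            kind = "new-account-made-admin" if target in created else "privileged-group-add"
        else:
            continue
        findings.append({"kind": kind, "target": target, "actor": actor,
                         "time": time, "attributable": actor != BUILTIN_ADMIN})
    return findings


if __name__ == "__main__":
    # The visitor was on site on the afternoon of 18 February (constructed).
    for f in audit_window(EVENTS, "2008-02-18T13:00:00", "2008-02-18T18:00:00", APPROVED):
        who = f["actor"] if f["attributable"] else "shared Administrator account (unknown person)"
        print(f"{f['time']} {f['kind']:24} {f['target']:12} by {who}")
```

Run over the sample, the visitor's window yields the new `svc_backup2` account and its addition to Administrators, both attributed only to the shared Administrator account, which is Al's point about that account below: the log shows what was done but not by whom. Changing the Administrator password afterwards does nothing about `svc_backup2`; you have to find and remove it.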
Guest Mick Murphy, Posted February 20, 2008

http://ophcrack.sourceforge.net/
http://home.eunet.no/~pnordahl/ntpasswd/

These 2 are good.

--
Mick Murphy - Qld - Australia

"G" wrote:
> I know that the standard disclaimers apply: running certain security
> auditing tools without permission may be criminally prosecutable, and at
> least grounds for termination. With that happy thought in mind, what tools
> would you recommend for finding who has a weak password? I've explained that
> Winter07 is not a good password, but since Windows will accept it, I think
> that some kind of auditing is my next prudent step.
>
> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they chose
> a weak password seems to be hard to argue with.
>
> My assumption is that such a tool would run under the admin account, and
> that the tool itself should be secured to said account.
> ________
> Greg Stigers, MCSA
> remember to vote for the answers you like
Guest Al Dunbar, Posted February 22, 2008

If they really want to portray a professional image, those visiting IT guys from software companies should tell their hosts that this is something they should not be doing, and if the password had already been revealed to them should insist that the password be immediately changed to avoid a lawsuit when it is suspected they might have done something illegal with the knowledge. Whenever a user tells me their password, I immediately change it and force them to log in to change it.

I rather suspect that there is no single key to Fort Knox, but that each one accessing it has his/her own swipe card that gets him/her into only those places he/she is authorized. And on top of this, all uses of the swipe card/key are likely tracked and audited. Same in a domain, where each person authorized should be given their own personal account with whatever rights and privileges they are authorized to have. And this should also be the case for anyone expected to carry out admin duties and needing a high level of privilege. Should one of these go rogue, their account can be disabled without affecting other users or administrators.

Trouble is, when the actual admin account is used, there can be no accurate auditing of usage unless that account's password is known by only one person. Typically, at least a couple of people know this password, and when you see the account has logged in you have no way of knowing by whom.

The administrator password should be set to a series of keystroke sequences entered by different people. They then write their portion down and the works is placed into a sealed envelope in a secure vault. Now nobody knows the password, but it is available in the event it is needed. Which will be never.

/Al

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message news:72E51FCA-2F55-4468-B603-25F3D40D80D7@microsoft.com...
> Bottom line is, even at Fort Knox they have to trust someone with the key.
>
> Though, I'm amazed how ready management are to give out Admin passwords to
> visiting IT guys from software companies. It presumably doesn't occur to them
> that any Admin can create a second Admin account, so changing the password
> after he/she has left won't necessarily revoke their privileges.
>
> "Al Dunbar" wrote:
>
>> But where you say "the admin account", do people in your organization
>> actually log on to the built-in "Administrator" account? Now there is a
>> vulnerability you should stamp out right away.
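Al's sealed-envelope scheme is split knowledge of a break-glass password. The Python below is an added example, not part of the thread: it keeps his arrangement (nobody knows the whole password, the pieces sit in a vault) but replaces concatenated keystroke fragments with Shamir's threshold secret sharing, so that any k of the n envelopes rebuild the password and fewer than k reveal nothing about it. With concatenation, by contrast, whoever opens one envelope learns part of the password and shortens the search for the rest. The field prime, envelope layout and the 5-of-which-3 parameters are this example's choices, and setting the generated password on the account is left to the caller.

```python
"""Break-glass Administrator password held as Shamir shares in sealed
envelopes.  Added example, not from the thread; PRIME, the envelope layout
and the n/k defaults are this example's own choices."""
import secrets

PRIME = 2**521 - 1   # Mersenne prime; every encoded password must be < PRIME


def _poly_eval(coeffs, x):
    """coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... over GF(PRIME), Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Return n shares (x, y) of the integer secret; any k of them reconstruct it.
    The secret is the constant term of a random degree-(k-1) polynomial."""
    if not 0 < k <= n or not 0 <= secret < PRIME:
        raise ValueError("bad threshold, or secret too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME); correct only with >= k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def seal_break_glass_password(n=5, k=3, nbytes=24):
    """Generate a random password and n envelope contents.  The caller sets the
    password on the account and then discards it; only the envelopes remain."""
    password = secrets.token_urlsafe(nbytes)             # 32 URL-safe characters
    raw = password.encode("ascii")
    shares = split_secret(int.from_bytes(raw, "big"), n, k)
    envelopes = [{"index": x, "share": hex(y), "length": len(raw), "threshold": k}
                 for x, y in shares]
    return password, envelopes


def open_break_glass(envelopes):
    """Rebuild the password from at least `threshold` envelopes (any subset)."""
    if len(envelopes) < envelopes[0]["threshold"]:
        raise ValueError("not enough envelopes to reach the threshold")
    shares = [(e["index"], int(e["share"], 16)) for e in envelopes]
    raw = combine_shares(shares).to_bytes(envelopes[0]["length"], "big")
    return raw.decode("ascii")


if __name__ == "__main__":
    pw, env = seal_break_glass_password()
    # Three custodians meet, open their envelopes, and recover the password.
    print("recovered:", open_break_glass([env[0], env[2], env[4]]) == pw)
```

Each envelope also records its share index, the password length and the threshold, so the custodians can reconstruct without any information outside the vault. Rotate by running the sealing step again and destroying the old envelopes; the reconstruction itself should be logged and followed by a password change, which is the "never" case Al describes.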
Guest G, Posted March 18, 2008

The first tool, ophcrack, requires booting from a CD, and is limited to LM hashes and NTLM hashes within a limited set of characteristics. Neither describe our environment. The second requires booting from the CD, and editing a local password, which is not the same as cracking their domain password.

What other tools would you recommend for finding who has a weak password? Since Windows will accept "Password01" as meeting complexity requirements, and then let the user choose "Password02" when that expires, I think that some kind of auditing is my next prudent step. Recommended products for preventing this in the first place are welcome as well. Presenting a user with their cracked password as evidence seems to be hard to argue with.

________
Greg Stigers, MCSA
remember to vote for the answers you like
Guest Al Dunbar, Posted March 28, 2008

"G" <gregstigers+w@spamcop.net> wrote in message news:uUnEccQiIHA.1212@TK2MSFTNGP05.phx.gbl...
> The first tool, ophcrack, requires booting from a CD, and is limited to LM
> hashes and NTLM hashes within a limited set of characteristics. Neither
> describe our environment. The second requires booting from the CD, and
> editing a local password, which is not the same as cracking their domain
> password.
>
> What other tools would you recommend for finding who has a weak password?
> Since Windows will accept "Password01" as meeting complexity requirements,
> and then let the user choose "Password02" when that expires, I think that
> some kind of auditing is my next prudent step. Recommended products for
> preventing this in the first place are welcome as well. Presenting a user
> with their cracked password as evidence seems to be hard to argue with.

If you are going to be running password cracking tools on your system, will you also be monitoring the system for the use of password cracking tools by others? In my organization we understand that we are not supposed to know user passwords. If someone tells me theirs, I reset it and require them to log on to change it. The use of password cracking software is considered a violation of security, regardless of who uses it or for what purpose.

As you suggest, even when "strong passwords" are enforced, sequences such as "Password01" - "Password02" will be allowed and will occur. Strengthening the enforcement rules will NOT fix this, as this would lead to a smaller number of allowable passwords, and also make it more likely for people to write them down. For example, if the password pattern must include multiple instances of each type of character (uppercase, lowercase, numeric, punctuation), and if no repeats are allowed, well, you can do the math on that one...

Let's face it, the system is at the mercy of the users in this, so the best approach, I think, is to enlist their support. My preference would be to require a long password, but leave the composition up to the users, and give them a number of options to help them come up with a password that is strong but can be remembered. One possibility is the pass-phrase method, but there may be others. It should also be explained to them what makes passwords strong.

After you have rubbed a few users' noses in the doggy-doo of their weak passwords, I suspect that they would indeed fall in line, but that they would be more likely to write down their passwords. Whatever happens, they will not see themselves and you as being part of the same team.

/Al