Identifying end users with weak passwords

Tags:
Career Development
Networking
Policies
Security management
Tech support
User awareness
I am looking for a product that I can use to identify end users that log into our network (NT4.0 going to Active Directory this summer) using weak passwords. Can anyone help?

Answer Wiki


L0pht Crack (commercial), John the Ripper (free) both work well.

What you'll have to do is create a backup copy of your security file (rdisk /s) and then use one of those tools on the backup copy (either sam.sav or sam_, I forget which), since the official copy is always locked and open when the O/S is running.

Be prepared to see many of the passwords broken within seconds.

Bob

Discuss This Question: 7  Replies

  • mnman66
    There are a couple of different approaches you can take to this:
    1. Use the Microsoft Baseline Security Analyzer. This will find all weak passwords and other security holes associated with your Windows servers.
    2. Apply a security policy right now for passwords, where you need at least 8 digits and variable other criteria. (You'll find out quickly from who is calling in with questions. Kind of backwards, but you might get by with it.)
    3. You can write, or find, a VBS script that will capture this.
    4. You can set something up on your firewall with the help of your network admin, or capture it that way.
    Hope this helps.
    265 points
  • Spacemonkey
    During your migration you may need to reset the users' passwords to make sure their desktops migrated. On the release day your users will need to change their passwords; at this point have your help desk staff ready for calls from users who cannot come up with 8-character alphanumeric passwords. If you want to be able to see how many users will be affected by this, use the MS Security Analyzer at http://www.microsoft.com/technet/security/tools/mbsahome.mspx It is free, but will not show you the passwords. L0phtcrack and John the Ripper will work and will give you any passwords that it cracks. This could become a policy issue for your company if you cracked the password for the director of HR. This was a problem for us during our migration. What we did was explain to our end users what makes a secure password, and a few examples, for day one of our migration.
    0 points
  • JamesLambert
    I agree that MBSA will work and it is free. If you are looking to buy something then Shavlik has a product - Account Inspector. We use Shavlik for our patch management and this came with the Pro Suite.
    0 points
  • Poppaman
    All good suggestions (I use MBSA and Shavlik myself) HOWEVER: If you run L0phtCrack or John the Ripper or any other software, program, routine, script, batch file, etc... (you get the drift) to crack passwords, be sure to get both your manager and your manager's manager to sign off on the activity prior to running the process. There's nothing worse than performing a process in the name of network security and towards the betterment of the organization, and being dismissed for hacking activity...
    0 points
  • Scobb99
    I would second poppaman's advice about clearing any password 'cracking' with management. Some employees will be offended. One approach is to point out, to management and employees, that the tool you are using is freely available to 'bad guys.' And some employees won't believe they have weak passwords. This happened to my wife when she ran L0phtCrack in her role as security officer at a secure government facility (i.e. a place where all employees are supposed to understand secrecy). When she emailed employees who had weak passwords, one simply didn't believe she could have 'guessed' his password and came to her office to tell her as much. In order to let him know she knew, without breaking the protocol against revealing passwords, she said "Cock-a-doodle-do!" (yes, his password was rooster). He was stunned. Discretion being the better part of valor, I would, after getting permission to run a password cracker and finding managers using weak passwords, first use an 'all hands' type message about the problem so nobody feels singled out. That message would let folks know that there would be more checks in the future. If those follow-up checks indicate some folks are not changing their ways, then you will have to decide how to deal with them. This will depend on what authority you have, the organizational culture, etc. I would also second the advice to stand ready with help for people who have difficulty coming up with strong passwords. Stephen
    0 points
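As an added example (not code from any poster in this thread), a Python check that a help desk or provisioning script could apply when users choose new passwords on release day: it enforces the 8-character alphanumeric rule mentioned in the replies above and rejects a padded dictionary word such as the one in Stephen's story. The word list and the usernames are constructed samples, not a real cracker wordlist.

```python
import re

# Constructed sample of words any off-the-shelf cracker wordlist contains (not a real list).
COMMON_WORDS = {"password", "rooster", "welcome", "letmein", "company", "summer"}


def password_weaknesses(password, username=""):
    """Return the reasons a candidate password fails the policy described in the thread:
    at least 8 characters, both letters and digits, not a common word (even with
    trivial padding like a trailing digit), and not derived from the username.
    An empty list means the candidate passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    # Keep only the letters so "Rooster1!" is still recognised as the word "rooster".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        problems.append("dictionary word with trivial padding")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def audit(candidates):
    """candidates: {username: password}. Returns {username: [problems]} for weak entries only,
    so the help desk sees who needs coaching without being shown passing passwords."""
    results = {u: password_weaknesses(pw, u) for u, pw in candidates.items()}
    return {u: p for u, p in results.items() if p}


if __name__ == "__main__":
    # Constructed sample accounts for a dry run.
    sample = {"jsmith": "jsmith2024", "rjones": "Rooster1!", "ann": "Tr0ub4dor&3"}
    for user, problems in audit(sample).items():
        print(f"{user}: {', '.join(problems)}")
```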
  • ColinNZ
    And there are those users who will glue a postit note to their laptop keyboard with a running list of their current passwords... Luckily this person(s?) are no longer employed by us - however knowing the above, it kind of raised our eyebrows when the user concerned kicked up a stink regarding unencrypted emails. Priorities, Priorities, Priorities...
    0 points
  • Timbol
    If you happen to use Retina to check password strength, be aware that if you are not very careful, you will lock out your entire network within minutes. Big time - D'Oh!
    0 points
