0 pts.
 Identifying end users with weak passwords
I am looking for a product that I can use to identify end users that log into our network (NT4.0 going to Active Directory this summer) using weak passwords. Can anyone help?

ASKED: April 29, 2005  8:22 AM
UPDATED: May 27, 2005  10:03 AM

Answer Wiki:
L0pht Crack (commercial) and John the Ripper (free) both work well. What you'll have to do is create a backup copy of your security file (rdisk /s) and then use one of those on the backup copy (either sam.sav or sam_, I forget which), since the official copy is always locked and open when the O/S is running. Be prepared to see many of the passwords broken within seconds. Bob
Last Wiki Answer Submitted:  April 29, 2005  12:43 pm  by  Bobkberg   1,070 pts.
All Answer Wiki Contributors:  Bobkberg   1,070 pts.


Discuss This Question:

There are a couple of different approaches you can take to this:
1. Use the Microsoft Baseline Security Analyzer. This will find all weak passwords and other security holes associated with your Windows servers.
2. Apply a security policy right now for passwords, where you need at least 8 digits and variable other criteria. (You'll find out quickly who is calling in with questions. Kind of backwards, but you might get by with it.)
3. You can write, or find, a VBS script that will capture this.
4. You can set something up on your firewall with the help of your Network Admin, or capture it that way.

Hope this helps.

 265 pts.


During your migration you may need to reset the users' passwords to make sure their desktops migrated. On the release day your users will need to change their passwords; at this point, have your help desk staff ready for calls from users who cannot come up with 8-character alphanumeric passwords.
If you want to be able to see how many users will be affected by this, use the MS Security Analyzer at http://www.microsoft.com/technet/security/tools/mbsahome.mspx
It is free, but will not show you the passwords.
L0phtcrack and Jack the Ripper will work and will give you any passwords that they crack. This could become a policy issue for your company if you cracked the password for the director of HR.

This was a problem for us during our migration. What we did was explain to our end users what makes a secure password, and give a few examples, for day one of our migration.

 0 pts.
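The two replies above both come down to the same policy: at least 8 characters, mixed character classes, and help-desk guidance for users who cannot meet it. Below is an added example (not from this thread or from any of the tools named in it) of a small policy checker a help desk could run over proposed passwords and hand back the reasons a choice fails, which is the defensive counterpart of the VBS script suggested in reply 1. The thresholds, the character-class rule and the denylist words are assumptions chosen for the example.

```python
import re

# Policy assumed for this example (not taken from the thread): at least 8
# characters, at least three of the four character classes, must not contain
# the account name, and must not be a common word with digits/symbols bolted on.
MIN_LENGTH = 8
MIN_CLASSES = 3

# Constructed denylist standing in for a real dictionary file.
COMMON_WORDS = {"password", "rooster", "welcome", "letmein", "qwerty", "monkey"}

CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def normalise(pw: str) -> str:
    """Lower-case and strip leading/trailing non-letters so 'Rooster1!' still matches 'rooster'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def check_password(password: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses only {len(classes)} of 4 character classes ({MIN_CLASSES} required)")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    if normalise(password) in COMMON_WORDS:
        problems.append("is a common dictionary word (possibly with digits/symbols added)")
    return problems


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Check a username -> proposed password map and return only the failing accounts."""
    results = {user: check_password(pw, user) for user, pw in accounts.items()}
    return {user: problems for user, problems in results.items() if problems}


if __name__ == "__main__":
    # Constructed sample input: two users proposing new passwords on migration day.
    for user, why in audit({"bsmith": "Rooster1!", "jdoe": "Tr0ub4dor&3"}).items():
        print(f"{user}: " + "; ".join(why))
```

The checker never stores or reveals a password; it only reports which rule a proposal breaks, which is the information the help desk needs for the calls described above.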


I agree that MBSA will work and it is free.

If you are looking to buy something then Shavlik has a product – Account Inspector. We use Shavlik for our patch management and this came with the Pro Suite.

 0 pts.


All good suggestions (I use MBSA and Shavlik myself) HOWEVER:

If you run L0phtCrack or John the Ripper or any other software, program, routine, script, batch file, etc… (you get the drift) to crack passwords, be sure to get both your manager and your manager’s manager to sign off on the activity prior to running the process. There’s nothing worse than performing a process in the name of network security and towards the betterment of the organization, and being dismissed for hacking activity…

 0 pts.


I would second poppaman’s advice about clearing any password ‘cracking’ with management. Some employees will be offended. One approach is to point out, to management and employees, that the tool you are using is freely available to ‘bad guys.’

And some employees won’t believe they have weak passwords. This happened to my wife when she ran L0phtCrack in her role as security officer at a secure government facility (i.e. a place where all employees are supposed to understand secrecy). When she emailed employees who had weak passwords, one simply didn’t believe she could have ‘guessed’ his password and came to her office to tell her as much. In order to let him know she knew, without breaking the protocol against revealing passwords, she said “Cock-a-doodle-do!” (yes, his password was rooster). He was stunned.

Discretion being the better part of valor, I would, after getting permission to run a password cracker and finding managers using weak passwords, first use an ‘all hands’ type message about the problem so nobody feels singled out. That message would let folks know that there would be more checks in the future. If those follow-up checks indicate some folks are not changing their ways, then you will have to decide how to deal with them. This will depend on what authority you have, the organizational culture, etc.

I would also second the advice to stand ready with help for people who have difficulty coming up with strong passwords.

Stephen

 0 pts.


And there are those users who will glue a Post-it note to their laptop keyboard with a running list of their current passwords…

Luckily this person (or persons?) is no longer employed by us – however, knowing the above, it kind of raised our eyebrows when the user concerned kicked up a stink regarding unencrypted emails.

Priorities, Priorities, Priorities…

 0 pts.


If you happen to use Retina to check password strength, be aware that if you are not very careful, you will... lock out your entire network within minutes.

Big time – D’Oh!

 0 pts.