Comments on: Indentifying end users with weak passwords

By: timbol

timbol — Fri, 27 May 2005 10:03:33 +0000

If you happen to use Retina, to check password strength. Be aware that if you are not very careful, you will,,, lock out your entire network within minutes.

Big time – D?Oh!

By: colinnz

colinnz — Thu, 26 May 2005 07:37:35 +0000

And there are those users who will glue a postit note to their laptop keyboard with a running list of their current passwords…

Luckily this person(s?) are no longer employed by us – however knowing the above, it kind of raised our eyebrows when the user concerned kicked up a stink regarding unencrypted emails.

Priorities, Priorities, Priorities…

By: scobb99

scobb99 — Tue, 24 May 2005 11:22:37 +0000

I would second poppaman’s advice about clearing any password ‘cracking’ with management. Some employees will be offended. One approach is to point out, to management and employees, that the tool you are using is freely available to ‘bad guys.’

And some employees won’t believe they have weak passwords. This happened to my wife when she ran L0phtCrack in her role as security officer at a secure government facility (i.e. a place where all employees are supposed to understand secrecy). When she emailed employees who had weak passwords, one simply didn’t believe she could have ‘guessed’ his password and came to her office to tell her as much. In order to let him know she knew, without breaking the protocol against revealing passwords, she said “Cock-a-doodle-do!” (yes, his password was rooster). He was stunned.

Discretion being the better part of valor, I would, after getting permission to run a password cracker and finding managers using weak passwords, first use an ‘all hands’ type message about the problem so nobody feels singled out. That message would let folks know that there would be more checks in the future. If those follow-up checks indicate some folks are not changing their ways, then you will have to decide how to deal with them. This will depend on what authority you have, the organizational culture, etc.

I would also second the advice to stand ready with help for people who have difficulty coming up with strong passwords.

Stephen

By: poppaman

poppaman — Sun, 08 May 2005 09:12:23 +0000

All good suggestions (I use MBSA and Shavlik myself) HOWEVER:

If you run L0phtCrack or John the Ripper or any other software, program, routine, script, batchfile, etc… (you get the drift) to crack passwords be sure to get both your manager and your manager’s manager to sign off on the activity prior to running the process. There’s nothing worse than performing a process in the name of network security and towards the betterment of the organization, and being dismissed for hacking activity…

By: jameslambert

jameslambert — Mon, 02 May 2005 13:38:16 +0000

I agree that MBSA will work and it is free.

If you are looking to buy something then Shavlik has a product – Account Inspector. We use Shavlik for our patch management and this came with the Pro Suite.

By: spacemonkey

spacemonkey — Mon, 02 May 2005 07:47:05 +0000

During your migration you may need to reset the users passwords to make sure there desktops migrated. On the release day your users will need to change there passwords at this point have your help desk staff ready for calls from users who can not come up with 8 character Alphanumeric passwords.
If you want to be able to see how many users will be affected by this user the MS security Analyzer at http://www.microsoft.com/technet/security/tools/mbsahome.mspx
It is free. But will not show you the passwords.
L0phtcrack and Jack the Ripper will work and will give you any passwords that it cracks. This could become a policy issue for your company if you cracked the password for the director of HR.

This was a problem for us during our migration. What we did was explain to our end users what makes a secure pass word and a few examples for day one of our migration.

By: mnman66

mnman66 — Sun, 01 May 2005 16:15:09 +0000

There are a couple of different approaches you can take to this:
1. Use the Microsoft Base Security Analyzer. This will find all weak passwords and other security holes associated with your Windows Servers.
2. Apply a security policy right now for passwords, where you need at least 8 digits and variable other criteria. (You’ll find out quick from who is calling in with questions. Kind of backwards, but you might get by with it.)
3. You can write, or find a VBS script that will capture this.
4. You can set something up on your firewall with the help of your Network Admin, or capture it that way.

Hope this helps.