user password auditing

We have recently purchased LC5 to perform password audits to discover weak passwords. The documentation indicates to use PWDUMP3 to extract password hashes from the Active Directory. I have looked everywhere and cannot find a legitimate site to download this tool, nor can I find documentation. Has anyone ever used this tool who can shed some light on my frustration? Thanks, Theresa
ASKED: October 14, 2005  7:35 AM
UPDATED: October 19, 2005  2:28 PM

Answer Wiki


I have never used this utility, but I would say you are approaching the problem from the wrong angle. I would change the password requirement to strong password requirements: more than 8 characters, and must use numbers and capitals (special characters like !@#$%^&*() never hurt either).

I would then set all accounts to require a password change at next login. I would inform the users of the change and I would audit accounts that are not changed in a timely fashion. You should remove unused accounts, and you should specifically know your IT accounts.

Discuss This Question: 7 Replies

  • CheckSix
    We use LC5 for the same reason, and have been using it or the older LCs for years. I agree with rfergus28 that you should have strong passwords forced, regular password changes forced, etc., but users can still use relatively weak passwords that tools like LC or John the Ripper can break in seconds. Example: Password!1 meets the requirements for a strong password, but any decent tool can break it very quickly. I have over 80 word lists/dictionaries in a large number of languages (we are an international company) that I use in my LC runs. If the user has a password consisting of a dictionary word with a couple of numbers or special characters tacked on, even special characters, I can break it very quickly. LC is running on a fast desktop with a lot of memory. To your question, if you cannot use pwdump, just use LC to remotely import the password dump. From Import, use Remote Import, add your DC server and supply the correct credentials; LC will add an agent to the server and collect the hashes. There are also tools to sniff passwords off the network, grab SAM files, etc. that LC can import. Due to the way passwords are hashed in MS, a very strong password has a special character in any of positions 2 through 5 (and 10 through 13 if you use nice long passwords). Since you have LC5 now, play with passwords and see what I mean. Number 1 is to educate your users, then use tools like LC5 and the policies on your system to ensure compliance. Hope this helps. CheckSix
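CheckSix's example, that Password!1 satisfies a complexity policy yet breaks in seconds, can be checked before a cracker ever runs. The audit routine below is an added Python example, not code from the thread, LC5 or pwdump; its word list, substitution map and policy thresholds are constructed, and it also models the LM-hash behaviour (uppercase, two independently hashed 7-byte halves) that makes special-character placement matter, as CheckSix notes.

```python
import re
import string

# Constructed word list standing in for the dictionaries a cracker run would use.
WORDLIST = {"password", "welcome", "summer", "company", "letmein", "monkey"}

# Common digit/symbol-for-letter substitutions (an assumption beyond the thread;
# real cracking rule sets are far larger than this).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "$": "s"})


def meets_complexity(pw: str) -> bool:
    """Policy from the answer above: more than 8 characters, with digits and capitals."""
    return len(pw) > 8 and bool(re.search(r"[0-9]", pw)) and bool(re.search(r"[A-Z]", pw))


def dictionary_stem(pw: str):
    """Return the dictionary word left once leading/trailing digits and punctuation are
    stripped and simple substitutions undone ('Password!1' -> 'password'), else None."""
    stem = pw.strip(string.digits + string.punctuation).lower().translate(LEET)
    return stem if stem in WORDLIST else None


def lm_halves(pw: str):
    """LM hashing uppercases the password, pads it with NULs to 14 bytes and hashes each
    7-byte half separately, so each half can be attacked on its own. Passwords longer
    than 14 characters get no LM hash at all (Windows stores a fixed dummy value)."""
    if len(pw) > 14:
        return ()
    up = pw.upper().ljust(14, "\0")
    return (up[:7], up[7:])


def audit(pw: str) -> list:
    """Findings for one candidate password; an empty list means nothing was flagged."""
    findings = []
    if not meets_complexity(pw):
        findings.append("fails complexity policy (>8 chars, digit, capital)")
    stem = dictionary_stem(pw)
    if stem:
        findings.append(f"dictionary word '{stem}' with characters tacked on")
    # A special character inside each 7-byte half keeps either half from being a
    # plain uppercase word, which is what the positional advice above achieves.
    for i, half in enumerate(lm_halves(pw), 1):
        letters = half.rstrip("\0")
        if letters.isalpha():
            findings.append(f"LM half {i} is letters only ({letters!r}), trivially cracked")
    return findings


if __name__ == "__main__":
    for candidate in ("Password!1", "P@ssw0rd1", "Summer1", "Xq7#mtr2Lv&hp"):
        print(candidate, "->", audit(candidate) or ["no findings"])
```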
  • woonjas
    Just keep in mind that if you set the password change interval too short, you should also be willing to ban pen & paper (especially Post-its) from the company. I've seen plenty of examples where users were forced to change their passwords on a monthly basis, requiring strong passwords, including password history that prevented them from alternating between passwords; all you had to do was look for Post-its in the top drawer, under the keyboard or even on the monitor in clear view. Education of the users on password security etc. is the most important step. Just my 2 cents.
  • Layer9
    I think everyone missed your actual question. PWDUMP was available on the L0pht website. We used L0pht at one time and we were able to download it off of their website along with our copy of L0phtCrack. I am not sure if it's still there, however, but it should be. Chris Weber Layer9corp.com
  • Layer9
    Theresa, I checked L0pht's website (atstake.com) and would you believe they were bought out by Symantec? No more free downloads there, of course. Fortunately you can download PWDUMP3 at http://www.polivec.com/site_map.htm . Scroll down to the bottom, where you will be able to download PWDUMP3. Chris Weber Layer9corp.com
  • TomLiotta
    Theresa: If you have password rules set up, there shouldn't _be_ any weak passwords. If you don't have rules set up, then weak passwords will show up regularly. Personally, I wouldn't allow any password cracking software near any system I was responsible for; fortunately, I'm not responsible for any Windows systems other than my own workstation. As for PWDUMP3, you might want to review this item from the author of PWDUMP2: http://www.cotse.com/mailing-lists/ntbugtraq/2001/Jan/0009.html Tom
  • Bobkberg
    Tom - I'm curious as to why you said that "I wouldn't allow any password cracking software near any system I was responsible for". If you're responsible for it, wouldn't you want to know that the users on YOUR system were acting responsibly? Thanks, Bob
  • TomLiotta
    Bob: It goes mostly to my first statement: "If you have password rules set up, there shouldn't _be_ any weak passwords." If you don't allow weak passwords via rule, then what's the point of checking for them? And if there are ways to bypass password rules, then where's the comfort in checking for weak passwords? I.e., if the rules of the OS can be bypassed, there are far more serious issues. Set rules that enforce strong passwords. When the rules are set, expire passwords and force strong passwords to be set (or better, start out that way). Once done, what is there to check? If OS rules are suspect, then it's also suspect that a password checking tool can be secured. If I set the rules and I trust my OS, then I don't need to check and I _do_ know my users are acting responsibly. That's my basic reasoning, but there's obviously opinion mixed in. Tom