It goes mostly to my first statement: “If you have password rules set up, there shouldn’t _be_ any weak passwords.”

If you don’t allow weak passwords via rule, then what’s the point of checking for them? And if there are ways to bypass password rules, then where’s the comfort in checking for weak passwords? I.e., if the rules of the OS can be bypassed, there are far more serious issues.

Set rules that enforce strong passwords. When the rules are set, expire passwords and force strong passwords to be set (or better, start out that way). Once done, what is there to check? If OS rules are suspect, then it’s also suspect that a password checking tool can be secured.

If I set the rules and I trust my OS, then I don’t need to check and I _do_ know my users are acting responsibly.

That’s my basic reasoning, but there’s obviously opinion mixed in.

Tom

If you’re responsible for it, wouldn’t you want to know that the users on YOUR system were acting responsibly?

Thanks,

Bob

If you have password rules set up, there shouldn’t _be_ any weak passwords. If you don’t have rules set up, then weak passwords will show up regularly.

Personally, I wouldn’t allow any password cracking software near any system I was responsible for; fortunately, I’m not responsible for any Windows systems other than my own workstation.

As for PWDUMP3, you might want to review this item from the author of PWDUMP2:

http://www.cotse.com/mailing-lists/ntbugtraq/2001/Jan/0009.html

Tom

I checked Lophts website (atstake.com) and would you believe they were bought out by Symantec? No more free downloads there of course.

Fortunately you can download PWDUMP3 at http://www.polivec.com/site_map.htm .

Scroll down to the bottom where you will be able to download PWDUMP3.

Chris Weber
Layer9corp.com

I am not sure if it’s still there however but it should be.

Chris Weber
Layer9corp.com

I’ve seen plenty of examples where users were forced to change their passwords on a monthly basis, requiring strong passwords, including password history that prevented them from alternating between passwords, all you had to do was look for post-its in the top drawer, under the keyboard or even on the monitor in clear view.

Education of the users on password security etc. is the most important step.

Just my 2 cents.

I have over 80 word lists/dictionaries in a large number of languages (we are an international company) that I use in my LC runs. If the user has a password consisting of a dictionary word with a couple of numbers or special characters tacked on, even special characters, I can break it very quickly. LC is running on a fast desktop with a lot of memory.

To your question, if you cannot use pwdump, just use LC to remotely import the pwd dump. From Import, use Remote Import, add your DC server and supply the correct credentials – LC will add an agent to the server and collect the hashes. There are also tools to sniff passwords off the network, grab SAM files, etc. that LC can import.

Due to the way passwords are hashed in MS, a very strong password has a special character in any of positions 2 through 5 (and 10 through 13 if you use nice long passwords). Since you have LC5 now, play with passwords and see what I mean.

Number 1 is to educate your users, then use tools like LC5 and the policies on your system to ensure compliance.

Hope this helps.
CheckSix