Security Basics mailing list archives

Re: user default password checking tool

From: "Mario A. Spinthiras" <mario () netway com cy>
Date: Sun, 24 Sep 2006 16:58:16 +0300

Josh Parker wrote:

If you are in an Windows 2003/2000 domain enviroment, you can simply
setup option on the acount to Force a user to change there password
upon the next login. To keep the user from using the same password,
you can set Password History to remember the last password, (the last
3 passwords is a good recomendation) You can also set it to require
complex passwords when they change there password. You can also set
the password age, so they have to change it after a sertain amount of
days.

Hope that helps

JOsh

On 9/14/06, vijay shetti <vijay.shetti () gmail com> wrote:
hello all!!

In my company when we create a new user he is given an initial
password.But then he is told to change the password.The password is
initial of the employee name followed by 123..
for vijay shetti it willl be vs123...

We have a domain based environment.I want to check now how many users
have not changed their initial password using some tool that gives me
list of usernames whose password has 123 in the end.


We follow the same procedure for creating outlook mail password.If
there is any tool/script that also helps me find out this then it will
greatly help me.


Waiting for your reply,
Pavan.
---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of AcademicExcellencein Information Security. Our program offers unparalleled Infosecmanagementeducation and the case study affords you unmatched consultingexperience.Using interactive e-Learning technology, you can earn this esteemeddegree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of AcademicExcellence in Information Security. Our program offers unparalleledInfosec management education and the case study affords you unmatchedconsulting experience. Using interactive e-Learning technology, youcan earn this esteemed degree, without disrupting your career or homelife.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Implementing such a tool wouldn't be the best of options unless the toolknows each user account by name. If it doesn't to check 123 in apassword your looking at brute forcing. I do not know how a domainstores passwords but id like to think M$ has taken the big leap ofencryption. (forgive me im micro$oft ignorant).


If I were to do it id do something like this :

Create a script that logs on to the domain controller , gets a list ofusers , and their names. E.G


Mario Spinthiras      login: mario.s   pass: xj1KZH0VAw4ko

Then my script would break the name into an array , take the first arrayentry and grab its leftmost character , i.e array[0] would be Mario , sowe take left(mario,0) which would mean M.


Then do the same with the Surname , in order to get "S".

Then add them together in a string like this with a trailing 123 = MS123

Then try to auth it with the encrypted password you have. If it matches, then the user must change his/her password.


If it does not match , then the user has changed his/her password.

Simply loop this on all accounts and it should be fine. Use VBS orsomething. Perl should help too.


Its as simple as it sounds.


Many Thanks,
Mario A. Spinthiras

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE

The NSA has designated Norwich University a center of Academic Excellencein Information Security. Our program offers unparalleled Infosec managementeducation and the case study affords you unmatched consulting experience.Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life.


http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Re: user default password checking tool, (continued)
- - Re: user default password checking tool badz (Sep 18)
  - RE: user default password checking tool Dixon, Wayne (Sep 18)
- Re: user default password checking tool Raoul Armfield (Sep 18)
- RE: user default password checking tool Greg Jones (Sep 18)
- Re: user default password checking tool PCSC Information Services (Sep 18)
- Re: user default password checking tool Josh Parker (Sep 22)
  - Re: user default password checking tool Alexander Bolante (Sep 25)
    - Re: user default password checking tool Terry Lowery (Sep 26)
    - Re: user default password checking tool Machiavel (Sep 27)
    - Re: user default password checking tool Terry Lowery (Sep 27)
  - Re: user default password checking tool Mario A. Spinthiras (Sep 25)
    - Re: user default password checking tool Ahmouda (Sep 29)
- Re: user default password checking tool Josh Parker (Sep 25)
- RE: user default password checking tool Beauford, Jason (Sep 15)
- Re: user default password checking tool krymson (Sep 19)