Security Basics mailing list archives
Re: user default password checking tool
From: "Mario A. Spinthiras" <mario () netway com cy>
Date: Sun, 24 Sep 2006 16:58:16 +0300
Josh Parker wrote:
Implementing such a tool wouldn't be the best of options unless the tool knows each user account by name. If it doesn't to check 123 in a password your looking at brute forcing. I do not know how a domain stores passwords but id like to think M$ has taken the big leap of encryption. (forgive me im micro$oft ignorant).If you are in an Windows 2003/2000 domain enviroment, you can simply setup option on the acount to Force a user to change there password upon the next login. To keep the user from using the same password, you can set Password History to remember the last password, (the last 3 passwords is a good recomendation) You can also set it to require complex passwords when they change there password. You can also set the password age, so they have to change it after a sertain amount of days. Hope that helps JOsh On 9/14/06, vijay shetti <vijay.shetti () gmail com> wrote:hello all!! In my company when we create a new user he is given an initial password.But then he is told to change the password.The password is initial of the employee name followed by 123.. for vijay shetti it willl be vs123... We have a domain based environment.I want to check now how many users have not changed their initial password using some tool that gives me list of usernames whose password has 123 in the end. We follow the same procedure for creating outlook mail password.If there is any tool/script that also helps me find out this then it will greatly help me. Waiting for your reply, Pavan.---------------------------------------------------------------------------This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life. http://www.msia.norwich.edu/secfocus------------------------------------------------------------------------------------------------------------------------------------------------------This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.http://www.msia.norwich.edu/secfocus---------------------------------------------------------------------------
If I were to do it id do something like this :Create a script that logs on to the domain controller , gets a list of users , and their names. E.G
Mario Spinthiras login: mario.s pass: xj1KZH0VAw4koThen my script would break the name into an array , take the first array entry and grab its leftmost character , i.e array[0] would be Mario , so we take left(mario,0) which would mean M.
Then do the same with the Surname , in order to get "S". Then add them together in a string like this with a trailing 123 = MS123Then try to auth it with the encrypted password you have. If it matches , then the user must change his/her password.
If it does not match , then the user has changed his/her password.Simply loop this on all accounts and it should be fine. Use VBS or something. Perl should help too.
Its as simple as it sounds. Many Thanks, Mario A. Spinthiras --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: user default password checking tool, (continued)
- Re: user default password checking tool badz (Sep 18)
- RE: user default password checking tool Dixon, Wayne (Sep 18)
- Re: user default password checking tool Raoul Armfield (Sep 18)
- RE: user default password checking tool Greg Jones (Sep 18)
- Re: user default password checking tool PCSC Information Services (Sep 18)
- Re: user default password checking tool Josh Parker (Sep 22)
- Re: user default password checking tool Alexander Bolante (Sep 25)
- Re: user default password checking tool Terry Lowery (Sep 26)
- Re: user default password checking tool Machiavel (Sep 27)
- Re: user default password checking tool Terry Lowery (Sep 27)
- Re: user default password checking tool Alexander Bolante (Sep 25)
- Re: user default password checking tool Mario A. Spinthiras (Sep 25)
- Re: user default password checking tool Ahmouda (Sep 29)