PaulDotCom mailing list archives

Tools for password analysis


From: cmilte at gmail.com (Chris Miltenberger)
Date: Sat, 28 Nov 2009 12:18:47 -0600

2. A custom password filter can be written that works in conjunction with,
or as a replacement for, the password complexity GPO as well as some of the
other password policy settings. The password filter we use requires a
minimum password length of 8 characters consisting of at least one character
from 3 of 4 categories (uppercase letter, lowercase letter, number, special
character). Due to an enterprise application we run the special characters
we can use are limited, so the filter is set up to reject passwords with
unusable characters. We also reject passwords that contain 3 or more
consecutive letters in the user's UserID or display name.

When we moved to our current password policy our Help Desk was deluged with
calls by users that couldn't come up with suitable passwords. Eventually the
word spread that passwords like MascotMMYY (where MM is the numeric value of
the month and YY is the last two digits in the year) meet the password
policy. On the first of the month they only needed to change two characters
in the current password (the numeric value of the month) to get another
password that meets policy. Yes, we absolutely have users with passwords
like this. These passwords are extremely weak, but they meet policy.
Something that checks for password strength (like you see on some e-commerce
sites when you create an account and a meter shows the strength of the
password you're trying to use) needs to be added into Windows/AD security so
a password like Lions1109 would be automatically rejected for a lack of
complexity.

Chris
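As an added illustration, not code from the post or from the filter Chris describes, here are his filter rules written out in Python, plus the separate strength check he says Windows/AD lacks, aimed at the WordMMYY pattern (e.g. Lions1109). The set of usable special characters is a constructed placeholder, since the post does not list the application's restrictions.

```python
import re

# Constructed placeholder: the post does not say which special characters the
# enterprise application can handle, so this set is an assumption.
ALLOWED_SPECIALS = set("!@#$%^&*()-_=+")

# WordMMYY, e.g. Lions1109: letters, a month 01-12, then a two-digit year.
WORD_MM_YY = re.compile(r"^[A-Za-z]+(0[1-9]|1[0-2])\d{2}$")


def _contains_run(password: str, name: str, n: int = 3) -> bool:
    """True if any n consecutive characters of `name` occur in `password`."""
    p, name = password.lower(), name.lower()
    return any(name[i:i + n] in p for i in range(len(name) - n + 1))


def meets_policy(password: str, userid: str, display_name: str) -> bool:
    """The filter rules from the post: at least 8 characters, 3 of 4 classes,
    only usable special characters, no 3-character run from the UserID or
    from any word of the display name."""
    if len(password) < 8:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    if any(not c.isalnum() and c not in ALLOWED_SPECIALS for c in password):
        return False
    names = [userid] + re.findall(r"[A-Za-z0-9]+", display_name)
    return not any(_contains_run(password, n) for n in names)


def looks_like_monthly_rotation(password: str) -> bool:
    """Flags the MascotMMYY shape: it satisfies the policy, yet only two
    digits change each month, so it is trivially guessable."""
    return WORD_MM_YY.match(password) is not None


def accept(password: str, userid: str, display_name: str) -> bool:
    """Policy check plus the strength check the post says is missing."""
    return meets_policy(password, userid, display_name) and not looks_like_monthly_rotation(password)


if __name__ == "__main__":
    for pw in ("Lions1109", "lions1109", "Xk7!qpLm", "Doe!Xk7qp"):
        print(pw, meets_policy(pw, "jdoe", "John Doe"), accept(pw, "jdoe", "John Doe"))
```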
---------- Forwarded message ----------
From: Francois Lachance <digitallachance at gmail.com>
To: pauldotcom at mail.pauldotcom.com
Date: Fri, 27 Nov 2009 13:46:43 -0600
Subject: [Pauldotcom] Tools for password analysis
I am currently doing a password audit for my employer. I am somewhat
shocked at the success rate Ophcrack liveCD returns with the free
small rainbow table in an AD network that has the complex password GPO
setting turned on - 96% after 5:50hrs

Now that I have all those juicy passwords, I would like to do some
kind of analysis to make recommendations to management. My first
recommendation will probably be to increase the minimum password
length.

I have two questions for the list:
1. What tools can I use to do that analysis?
2. Is there a way to force better complex password rules than what
Microsoft provides in Windows 2003?

Thanks!

--
Sent from my mobile device

