PaulDotCom mailing list archives
Tools for password analysis
From: cmilte at gmail.com (Chris Miltenberger)
Date: Sat, 28 Nov 2009 12:18:47 -0600
2. A custom password filter can be written that works in conjunction with, or as a replacement for, the password complexity GPO as well as some of the other password policy settings.

The password filter we use requires a minimum password length of 8 characters consisting of at least one character from 3 of 4 categories (uppercase letter, lowercase letter, number, special character). Due to an enterprise application we run, the special characters we can use are limited, so the filter is set up to reject passwords with unusable characters. We also reject passwords that contain 3 or more consecutive letters in the user's UserID or display name.

When we moved to our current password policy our Help Desk was deluged with calls by users that couldn't come up with suitable passwords. Eventually the word spread that passwords like MascotMMYY (where MM is the numeric value of the month and YY is the last two digits in the year) meet the password policy. On the first of the month they only needed to change two characters in the current password (the numeric value of the month) to get another password that meets policy. Yes, we absolutely have users with passwords like this. These passwords are extremely weak, but they meet policy.

Something that checks for password strength (like you see on some e-commerce sites when you create an account and a meter shows the strength of the password you're trying to use) needs to be added into Windows/AD security so a password like Lions1109 would be automatically rejected for a lack of complexity.

Chris

---------- Forwarded message ----------
From: Francois Lachance <digitallachance at gmail.com>
To: pauldotcom at mail.pauldotcom.com
Date: Fri, 27 Nov 2009 13:46:43 -0600
Subject: [Pauldotcom] Tools for password analysis

I am currently doing a password audit for my employer.
I am somewhat shocked at the success rate the Ophcrack liveCD returns with the free small rainbow table in an AD network that has the complex password GPO setting turned on - 96% after 5:50 hrs.

Now that I have all those juicy passwords, I would like to do some kind of analysis to make recommendations to management. My first recommendation will probably be to increase the minimum password length.

I have two questions for the list:

1. What tools can I use to do that analysis?
2. Is there a way to force better complex password rules than what Microsoft provides in Windows 2003?

Thanks!

--
Sent from my mobile device
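As an added example, not code from the thread and not Chris's actual filter (a real Windows password filter is a DLL exporting PasswordFilter, loaded via the Notification Packages registry value), here are the rules his message describes modelled in Python: minimum length, 3 of 4 character categories, rejection of unusable special characters, and rejection of 3+ consecutive characters from the UserID or display name. A final, hypothetical rule shows the kind of pattern check he says is missing, catching the MascotMMYY shape. The allowed special-character set, the sample account and the candidate passwords are all made up for the demonstration.

```python
import re

# Assumption: the enterprise application in the post tolerates only these
# special characters. The post does not list them, so this set is invented.
ALLOWED_SPECIALS = set("!@#$%^&*()-_=+")
MIN_LENGTH = 8
MIN_CLASSES = 3      # "at least one character from 3 of 4 categories"
NAME_RUN = 3         # "3 or more consecutive letters" from UserID / display name


def _char_classes(password):
    """Count how many of the four categories (upper, lower, digit, special) appear."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return sum((has_upper, has_lower, has_digit, has_special))


def _name_fragments(name, n=NAME_RUN):
    """Every case-folded run of n characters taken from each word of a name.

    Any run of n or more consecutive name characters in the password must
    contain one of these fragments, so checking n-length runs covers the rule.
    """
    fragments = set()
    for word in re.split(r"[^A-Za-z0-9]+", name.lower()):
        for i in range(len(word) - n + 1):
            fragments.add(word[i:i + n])
    return fragments


def check_policy(password, user_id, display_name):
    """Return the list of policy violations; an empty list means the password is accepted.

    Models the rules the post describes; it is not a real Windows password filter.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if _char_classes(password) < MIN_CLASSES:
        reasons.append("fewer than %d of 4 character categories" % MIN_CLASSES)
    unusable = sorted({c for c in password if not c.isalnum() and c not in ALLOWED_SPECIALS})
    if unusable:
        reasons.append("unusable special characters: " + "".join(unusable))
    lowered = password.lower()
    hits = sorted(f for f in _name_fragments(user_id) | _name_fragments(display_name)
                  if f in lowered)
    if hits:
        reasons.append("contains name fragment(s): " + ", ".join(hits))
    return reasons


# Hypothetical extra rule, not part of the poster's filter: a capitalised word
# followed by a plausible MMYY, i.e. the MascotMMYY shape the post complains about.
_WORD_MMYY = re.compile(r"^[A-Z][a-z]{2,}(0[1-9]|1[0-2])[0-9]{2}$")


def looks_like_word_mmyy(password):
    """True for passwords such as Lions1109 that pass the policy but follow the monthly pattern."""
    return bool(_WORD_MMYY.match(password))


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    user, display = "jsmith", "John Smith"
    for pw in ("Lions1109", "lions1109", "Smith#2009", "Pa~w0rd!!", "Tr0ub4dor&3"):
        verdict = check_policy(pw, user, display) or "ACCEPTED"
        flag = " (word+MMYY pattern)" if looks_like_word_mmyy(pw) else ""
        print("%-12s %s%s" % (pw, verdict, flag))
```

Running it shows the point of the post: Lions1109 is accepted by every rule the filter enforces and is only caught by the extra pattern check, while the name-fragment and special-character rules reject Smith#2009 and Pa~w0rd!! as intended.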
Current thread:
- Tools for password analysis Chris Miltenberger (Nov 28)