Posted by G on February 12, 2008, 11:55 am
I know that the standard disclaimers apply: running certain security
auditing tools without permission may be criminally prosecutable, and at
least grounds for termination. With that happy thought in mind, what tools
would you recommend for finding who has a weak password? I've explained that
Winter07 is not a good password, but since Windows will accept it, I think
that some kind of auditing is my next prudent step.
Recommended products for preventing this in the first place are welcome as
well. But presenting a user with their password as evidence that they chose
a weak password seems to be hard to argue with.
My assumption is that such a tool would run under the admin account, and
that the tool itself should be secured to said account.
________
Greg Stigers, MCSA
remember to vote for the answers you like
Posted by Vladimir Katalov on February 13, 2008, 1:52 am
>I know that the standard disclaimers apply: running certain security
>auditing tools without permission may be criminally prosecutable, and at
>least grounds for termination. With that happy thought in mind, what tools
>would you recommend for finding who has a weak password? I've explained
>that Winter07 is not a good password, but since Windows will accept it, I
>think that some kind of auditing is my next prudent step.
>
> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they
> chose a weak password seems to be hard to argue with.
>
> My assumption is that such a tool would run under the admin account, and
> that the tool itself should be secured to said account.
Please try Proactive Password Auditor, probably that's what you need:
http://www.elcomsoft.com/ppa.html
--
Sincerely yours,
Vladimir
Vladimir Katalov
CEO
ElcomSoft Co.Ltd.
mailto:vkatalov@elcomsoft.com
http://www.elcomsoft.com
Posted by Anteaus on February 13, 2008, 10:13 am
We had this issue, in that users were setting passwords which were ostensibly
'complex' but in fact related to easily-guessable personal attributes, so
were actually weaker than simple but random passwords. Examples might be a
vehicle reg or marque, date of birth, golf club, date and place of football
match, etc. (Or in America, gun type might come high on the list, I guess!)
The only real answer is to allocate passwords. Unfortunately, if you take
this approach, you soon discover that Windows isn't designed to work like
this, and it's considerably more difficult to manage such an arrangement than
one of user-set passwords.
"Vladimir Katalov" wrote:
>
> Please try Proactive Password Auditor, probably that's what you need:
>
> http://www.elcomsoft.com/ppa.html
Posted by Al Dunbar on February 15, 2008, 12:04 am
> We had this issue, in that users were setting passwords which were
> ostensibly
> 'complex' but in fact related to easily-guessable personal attributes, so
> were actually weaker than simple but random passwords. Examples might be a
> vehicle reg or marque, date of birth, golf club, date and place of
> football
> match, etc. (Or in America, gun type might come high on the list, I
> guess!)
>
> The only real answer is to allocate passwords.
Not sure what you mean, but it sounds as if you would be generating complex
passwords and giving them out to the users. The trouble with that is, how
can it be guaranteed that the user is the only person who will ever find out
what the password is? And then you'd either have to let them use the same
password forever, or go through the whole process periodically.
> Unfortunately, if you take
> this approach, you soon discover that Windows isn't designed to work like
> this, and it's considerably more difficult to manage such an arrangement
> than
> one of user-set passwords.
And a good thing, too. Yes, users will generally try to come up with an easy
to remember password, a feature that also tends to make them easily
guessable. Or they will write it down because they cannot remember it. The
only solution I can think of is to educate the users as to the importance of
choosing complex passwords.
/Al
>
> "Vladimir Katalov" wrote:
>
>>
>> Please try Proactive Password Auditor, probably that's what you need:
>>
>> http://www.elcomsoft.com/ppa.html
>
Posted by Al Dunbar on February 14, 2008, 11:59 pm
>I know that the standard disclaimers apply: running certain security
>auditing tools without permission may be criminally prosecutable, and at
>least grounds for termination. With that happy thought in mind, what tools
>would you recommend for finding who has a weak password? I've explained
>that Winter07 is not a good password, but since Windows will accept it, I
>think that some kind of auditing is my next prudent step.
That might not actually be that bad a password - in 2008!
> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they
> chose a weak password seems to be hard to argue with.
Considering that users do not generally understand how passwords work, and
most of mine have the idea that I simply know everybody's password, or can
look it up with my privileged account, I'd say that might be an argument
that is hard to argue for, not against.
And further, demonstrating that you can do this will not augur well for the
good faith you have hopefully built up with your users, and with your
company. The next time someone gets the idea that the content of one of
their documents has been leaked, guess who will come to mind as the most
likely suspect? The person who can figure out all passwords, thereby being
able to logon to user accounts completely anonymously.
> My assumption is that such a tool would run under the admin account, and
> that the tool itself should be secured to said account.
I would rather see it kept out of the network altogether. I think there are
programs that can analyze password strength, but WITHOUT actually
determining what the passwords are.
But where you say "the admin account", do people in your organization
actually log on to the built-in "Administrator" account? Now *there* is a
vulnerability you should stamp out right away.
/Al
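Al's suggestion of checking strength without determining what the passwords are, and Anteaus's list of "complex-looking" passwords built from personal attributes, both point at the same control: a check that runs when a password is chosen rather than a cracker run over stored hashes. The following is an added example (written for this page, not code from any poster or product mentioned in the thread) of such a proactive checker in Python. It flags the patterns the thread names (season or month plus a year such as "Winter07", a date of birth, and known personal attributes like a vehicle registration or club), undoing the usual digit-for-letter substitutions first. The minimum length of 8, the substitution table, the 4-character attribute threshold and the sample profile are all assumptions.

```python
"""Proactive weak-password checker (added example, not from this thread).

Designed to run at the moment a password is chosen, e.g. behind a
change-password form or as the policy logic of a password filter, so it
needs no access to stored hashes and never learns anyone's existing
password. It flags the patterns named in the thread: a season or month
plus a year ("Winter07"), a date of birth, and personal attributes such
as a vehicle registration or club name. The length threshold, the leet
substitution table and the attribute length cut-off are assumptions.
"""
import re
from datetime import datetime

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_ABBR = tuple(m[:3] for m in MONTHS)

MIN_LENGTH = 8  # assumed policy minimum

# Substitutions users apply to satisfy "complexity" rules; undone before
# matching so "W1nt3r07" is judged like "winter07" (assumed table).
_SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# A word, optional separators, then a 2-digit or 19xx/20xx year at the end.
_WORD_YEAR = re.compile(
    r"^(?P<word>.+?)[\W_]*(?P<year>(?:19|20)\d{2}|\d{2})[\W_]*$")

# Digit-only date layouts tried after stripping everything but digits.
_DATE_FORMATS = {6: ("%d%m%y", "%m%d%y", "%y%m%d"),
                 8: ("%d%m%Y", "%m%d%Y", "%Y%m%d")}


def normalize(text):
    """Lowercase, undo the substitutions above, drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_SUBS))


def is_word_plus_year(password):
    """True for 'Winter07', 'Summer-2007', 'Mar07' and leet variants."""
    m = _WORD_YEAR.match(password)
    if not m:
        return False
    word = normalize(m.group("word"))
    return word in SEASONS or word in MONTHS or word in MONTH_ABBR


def looks_like_date(password):
    """True if the digits in the password parse as a 6- or 8-digit date."""
    digits = re.sub(r"\D", "", password)
    for fmt in _DATE_FORMATS.get(len(digits), ()):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def contains_attribute(password, attributes):
    """True if a known attribute (4+ chars after normalising) appears."""
    norm_pw = normalize(password)
    for attr in attributes:
        norm_attr = normalize(attr)
        if len(norm_attr) >= 4 and norm_attr in norm_pw:
            return True
    return False


def weak_password_reasons(password, attributes=()):
    """Return the weaknesses found; an empty list means none of these
    checks fired, not that the password is strong."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_word_plus_year(password):
        reasons.append("season or month followed by a year")
    if looks_like_date(password):
        reasons.append("looks like a calendar date")
    if contains_attribute(password, attributes):
        reasons.append("contains a personal attribute")
    return reasons


if __name__ == "__main__":
    # Constructed sample profile: in a real deployment the username,
    # vehicle registration and club would come from the directory or HR.
    profile = ["gstigers", "AB12 CDE", "golf club"]
    for candidate in ("Winter07", "W1nt3r2007", "12031978", "GolfClub99",
                      "correct horse battery"):
        found = weak_password_reasons(candidate, profile)
        print(candidate, "->", found or "no issue found")
```

Because the check only ever sees the candidate the user is typing, the administrator never obtains anyone's password, which sidesteps the trust problem Al raises; the trade-off is that it cannot retroactively find accounts whose current password was set before the rule existed.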