Posted by Anteaus on February 19, 2008, 10:02 am
Bottom line is, even at Fort Knox they have to trust someone with the key.
Though, I'm amazed how ready management are to give-out Admin passwords to
visiting IT guys from software companies. It presumably doesn't occur to them
that any Admin can create a second Admin account, so changing the password
after he/she has left won't necessarily revoke their privileges.
"Al Dunbar" wrote:
> But where you say "the admin account", do people in your organization
> actually log on to the built-in "Administrator" account? Now *there* is a
> vulnerability you should stamp out right away.
Posted by Mick Murphy on February 20, 2008, 1:49 am
http://ophcrack.sourceforge.net/
http://home.eunet.no/~pnordahl/ntpasswd/
These 2 are good.
--
Mick Murphy - Qld - Australia
"G" wrote:
> I know that the standard disclaimers apply: running certain security
> auditing tools without permission may be criminally prosecutable, and at
> least grounds for termination. With that happy thought in mind, what tools
> would you recommend for finding who has a weak password? I've explained that
> Winter07 is not a good password, but since Windows will accept it, I think
> that some kind of auditing is my next prudent step.
>
> Recommended products for preventing this in the first place are welcome as
> well. But presenting a user with their password as evidence that they chose
> a weak password seems to be hard to argue with.
>
> My assumption is that such a tool would run under the admin account, and
> that the tool itself should be secured to said account.
> ________
> Greg Stigers, MCSA
> remember to vote for the answers you like
Posted by G on March 18, 2008, 10:48 am
The first tool, ophcrack, requires booting from a CD, and is limited to LM
hashes and NTLM hashes within a limited set of characteristics. Neither
describe our environment. The second requires booting from the CD, and
editing a local password, which is not the same as cracking their domain
password.
What other tools would you recommend for finding who has a weak password?
Since Windows will accept "Password01" as meeting complexity requirements,
and then let the user choose "Password02" when that expires, I think that
some kind of auditing is my next prudent step. Recommended products for
preventing this in the first place are welcome as well. Presenting a user
with their cracked password as evidence seems to be hard to argue with.
________
Greg Stigers, MCSA
remember to vote for the answers you like
Posted by Al Dunbar on March 28, 2008, 12:49 pm
> The first tool, ophcrack, requires booting from a CD, and is limited to LM
> hashes and NTLM hashes within a limited set of characteristics. Neither
> describe our environment. The second requires booting from the CD, and
> editing a local password, which is not the same as cracking their domain
> password.
>
> What other tools would you recommend for finding who has a weak password?
> Since Windows will accept "Password01" as meeting complexity requirements,
> and then let the user choose "Password02" when that expires, I think that
> some kind of auditing is my next prudent step. Recommended products for
> preventing this in the first place are welcome as well. Presenting a user
> with their cracked password as evidence seems to be hard to argue with.
If you are going to be running password cracking tools on your system, will
you also be monitoring the system for the use of password cracking tools by
others?
In my organization we understand that we are not supposed to know user
passwords. If someone tells me theirs, I reset it and require them to logon
to change it. The use of password cracking software is considered a
violation of security, regardless of who uses it or for what purpose.
As you suggest, even when "strong passwords" are enforced, sequences such as
"Password01" - "Password02", will be allowed and will occur. Strengthening
the enforcement rules will NOT fix this, as this would lead to a smaller
number of allowable passwords, and also make it more likely for people to
write them down. For example, if the password pattern must include multiple
instances of each type of character (uppercase, lowercase, numeric,
punctuation), and if no repeats are allowed, well, you can do the math on
that one...
Let's face it, the system is at the mercy of the users in this, so the best
approach, I think, is to enlist their support. My preference would be to
require a long password, but leave the composition up to the users, and give
them a number of options to help them come up with a password that is strong
but can be remembered. One possibility is the pass-phrase method, but there
may be others. It should also be explained to them what makes passwords
strong.
After you have rubbed a few users' noses in the doggy-doo of their weak
passwords, I suspect that they would indeed fall in line, but that they
would be more likely to write down their passwords. Whatever happens, they
will not see themselves and you as being part of the same team.
/Al
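Al's "do the math" remark, worked through as an added example (this is not code from the thread): it counts the keyspace of an 8-character password under the Windows three-of-four complexity rule, under his hypothetical two-of-each-class-with-no-repeats rule, and for a 16-character lowercase-only password whose composition is left to the user. The class sizes (26 upper, 26 lower, 10 digits, 32 punctuation, a US keyboard) and the 8/16 lengths are assumptions.

```python
from itertools import combinations
from math import factorial, perm, prod

# Assumed class sizes for a US keyboard (constructed): upper, lower, digit,
# and the 32 printable ASCII punctuation characters.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "punct": 32}

def count_min_classes(sizes, length, min_classes):
    """Strings of `length` that draw on at least `min_classes` distinct classes
    (Windows 'three of four' complexity when min_classes=3). For each set of
    classes that could be exactly present, inclusion-exclusion over its subsets
    counts the strings that use every class in that set at least once."""
    total = 0
    for k in range(min_classes, len(sizes) + 1):
        for present in combinations(range(len(sizes)), k):
            for j in range(k + 1):
                for sub in combinations(present, j):
                    alphabet = sum(sizes[i] for i in sub)
                    total += (-1) ** (k - j) * alphabet ** length
    return total

def count_min_each_no_repeat(sizes, length, min_each):
    """Strings of `length` with no repeated character and at least `min_each`
    characters from every class (Al's hypothetical stricter rule): sum over
    per-class counts of multinomial placements times ordered draws."""
    def splits(remaining, parts):
        if parts == 1:
            if remaining >= min_each:
                yield (remaining,)
            return
        for first in range(min_each, remaining - min_each * (parts - 1) + 1):
            for rest in splits(remaining - first, parts - 1):
                yield (first,) + rest

    total = 0
    for counts in splits(length, len(sizes)):
        placements = factorial(length) // prod(factorial(c) for c in counts)
        total += placements * prod(perm(s, c) for s, c in zip(sizes, counts))
    return total

def compare_policies(length=8, long_length=16):
    """Keyspace under the three policies discussed above."""
    sizes = list(CLASSES.values())
    return {
        "windows_3_of_4": count_min_classes(sizes, length, 3),
        "two_of_each_no_repeat": count_min_each_no_repeat(sizes, length, 2),
        "long_lowercase_only": CLASSES["lower"] ** long_length,
    }
```

With those sizes the stricter rule cuts the 8-character keyspace roughly sixty-fold, while the 16-character lowercase-only password is about seven orders of magnitude larger than the Windows-complexity keyspace.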