Link to check password strength

Can anyone suggest some links to check password strength? I've tried a couple & they were fine. But I would like to get some suggestions from some really great security gurus.

Thanks!!
Blinkr (LVL 1) Asked:
Rich Rumble (Security Samurai) Commented:
A weak password would be one found in a dictionary, or an easy permutation of such a word...
w3akPas$ (weak pass)
lovetim1995 (love tim 1995)
Those are passes that would easily be found... The Microsoft MBSA scanner can tell you if any of your passes are easily found in a dictionary as well. There are also the password complexity requirements and a passfilter: http://msdn.microsoft.com/library/en-us/secmgmt/security/strong_password_enforcement_and_passfilt_dll.asp?frame=true
http://support.microsoft.com/kb/225230
http://msdn.microsoft.com/library/en-us/gp/504.asp?frame=true

Otherwise you're looking at a password audit: dump all passes via pwdump3e or a similar program, then run John the Ripper against them... 80% of passes fall in minutes; using a rainbow table you can get all passes in an hour or less... It's all still relative to exposure, the hash used to encrypt and the resources available to crack...
These may provide interesting reads:
http://www.schneier.com/blog/archives/2006/03/the_psychology.html
http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html  http://www.schneier.com/blog/archives/2005/06/write_down_your.html
http://www.schneier.com/blog/archives/2006/05/common_password.html

It boils down to an audit to illustrate the current state of chosen passes. From there you can go on to recommending that they turn on a password complexity requirement, and perhaps turning off LM and using NTLM and NTLMv2... http://support.microsoft.com/?kbid=299656 http://download.microsoft.com/download/f/4/a/f4a67fc8-c499-461d-a025-8155fb4f7a0f/Windows%20Passwords%20Master%201.5%20Handout%20-%20Jesper%20Johansson.ppt
http://support.microsoft.com/?scid=239869 http://www.microsoft.com/technet/archive/community/columns/security/askus/auas0201.mspx
I'd suggest picking up the "Hacking Exposed" series of books; they may help you even more... http://www.hackingexposed.com/
-rich
0
 
redseatechnologies Commented:
Hi Blinkr,

http://www.securitystats.com/tools/password.php
http://www.microsoft.com/athome/security/privacy/password.mspx
https://cuweblogin2.cit.cornell.edu/cuwl-cgi/passCheck1.cgi

Personally, I would NEVER put my password online - not even to check.

It isn't called paranoia when everyone REALLY IS OUT TO GET YOU!

Then it is just called common sense!

Follow the guidelines - long as possible, random as possible, include all 4 complexity requirements (AAAaaa111!!!) and change it often.

Hope that helps,

-red
0
 
siddhant3s Commented:
Try Gmail signup.
If you need an invitation then tell me..


Google's Gmail is safe, secure and perfect......


Siddhant Sanyam
0
 
Rich Rumble (Security Samurai) Commented:
Like your Windows login or something like a Hotmail/MSN login?
Password strength is relative to the hash and security used to secure that password. Windows login passwords are weak for the following reasons:
case insensitivity, passwords cut into two seven-character halves, and the same hash used on each half. The password qwerty12345678 is actually two separate passes, qwerty1 and 2345678.
There are rainbow tables for the LM hash, basically all possible passwords already written down; all one has to do is search for the pass. There are other hashes that can be rainbow tabled as well.

Passwords should, as indicated above, be as long as possible, and use pass-phrasing, and I recommend misspellings and wrong-context passes as well, like: "Iamknow1'sfewl" (I am no one's fool)
789tinelevendy (seven eight nine ten elevendy). Things of that nature; cases should be varied. Substitution is good too: 3=E and i=1 or i=!, L=| or L=1, and naturally o=0

If you want to test the pass against a brute-forcer, give "John the Ripper" a try. Here is a good article by the author of JtR: http://www.securityfocus.com/columnists/388
These are all good reads too: http://www.google.com/search?sourceid=navclient-ff&ie=UTF-8&rls=GGGL,GGGL:2005-09,GGGL:en&q=site%3Aschneier.com+password+strength
-rich
0
 
redseatechnologies Commented:
Good points richrumble,

Windows passwords have a maximum length of 127 characters - and there is a very good reason for that.

The password/passphrase "This is my password, it is long and complicated.  Let's see someone guess this" is good in that it has 3 of 4 complexity requirements (no numbers), but it is still only 68 characters long (I think, I counted quickly).

To REALLY harden that, you could add the key points made by richrumble - typos and substitution - I also like to throw in some German words (because I am learning it at the moment).

The problem then becomes, how are you going to remember all of that?  You probably won't :)

My day to day password is 9 characters long, but fulfills all 4 complexity requirements, is spelt wrong and includes substitution.

But, my admin account passwords are 25 digits long (it is an old Windows 95 registration code, which I have memorised for some reason). To make that harder, I hold down Shift for every other 3 characters.

So s8d0sdks097j would become s8d)SDks0(&J without making it any harder for me to remember.  The same should be possible for a simple phrase.  "this is a hard password" = "thiS Is a HARd pASSworD"  Throw in some substitution numbers and you are done.

Way back in the old days, I coupled my 25 digit Windows 95 code with another 25 digit Windows 2000 code, and a 20 digit F-Secure code.  Plus my Shift trick, and it was mighty hard, and yet still rememberable (if that is a word!)

-red
0
 
Rich Rumble (Security Samurai) Commented:
LM passes (the default hash since NT 3.1) and NTLM are what is sent by default when you log in, connect to a Windows share etc... LM is case insensitive, and NTLM is case sensitive. LM is also the one that uses two seven-character halves, with a 14 char limit, and NTLM is all one hash, maximum 127 chars. If you have an LM password over 14 chars, the hash is turned to null, and NTLM is relied upon. 0182BD0BD4444BF8 is a null hash
http://www.experts-exchange.com/Security/Win_Security/Q_21282957.html

Still I think we'd need some clarification on what pass you're trying to test the strength of... a password of 1234567812345678 is "stronger" when encrypted using AES or MD5 as opposed to NTLM because it takes longer for MD5 or AES to "crack" than it would for NTLM... That pass is really insecure overall, but it is stronger under one hash than another... again, passphrases are likely to be stronger than passwords... although fundamentally they aren't that different from one another.
-rich
0
 
Blinkr (Author) Commented:
Gee, you guys are amazing!! This is absolutely the most intense info I've gotten on this site. All of it is great!!

But what I was looking for was some links I could use to test the strength of some of my clients passwords. So I could demonstrate just how weak they are & convince them to crank them up a notch or 2. I've found a couple. One was a MS site, which I don't know if it's any good or not. I've never thought that MS had anyone that could do security.

I DO have to thank you for the above, as it is really useful & appreciated!!
0
 
Blinkr (Author) Commented:
Thanks, Rich! You mentioned JtR before & I had downloaded it. The installation instructions don't seem to coincide with what files are included. There are files missing that are mentioned in the installation instructions, so I've been sort of lost on how to install & use it. Is there a "novice" JtR site where I can get a better idea of what is supposed to be done to get JtR up & running?

Thanks again for your help!!
0
 
Rich Rumble (Security Samurai) Commented:
There are guides out there that can help you; basically you dump the passes, open john from the cmd line and run it against those passes...
http://xinn.org/john-the-ripper.html
There is no real install per se, merely unzipping and cd'ing to the folder inside john and running the exe. John runs much faster on Linux than Win32, but is still faster than LC5 nonetheless. Cain & Abel is a good tool to have also.
-rich
0
 
uberpoop Commented:
If you want simple password cracking, get Cain and Abel from oxid.it...
in my opinion it is much simpler than JtR.
Cain and Abel also has quite a few other fun tools built in...

I love the sniffing feature... just be careful with the ARP poisoning feature... It really hoses my switches.
0
 
lovewithnoface Commented:
One of my passwords that I like to use is 17 chars, and if you're talking about a password for online access to something, a lot of sites oddly enough won't let you have that many chars.

One of the things I did (I have a crazy password for admins, online access etc.), but once you get past that, you also need passwords for everything: messenger accounts, email, EE, everything, and a lot won't let you have long passwords, but you still want them to be as secure as possible.

A couple of general recommendations I have: some people, once they come up with a secure password for online things, use it for everything.  You don't want that, especially since online passwords are easier to break.  But some things I would group under the same password (though it depends).

It's very difficult to remember a large number of SECURE passwords.  I have journal accounts that I rarely use, so those all have the same password, but I also set my settings to email me if something changes, including if I change my settings.  I haven't used the accounts in two years, but they're set to active email addresses, and I don't have to worry.

Also, if you're trying to figure out how to remember your password, try and choose something repetitive sounding, not repetitive.  I was once given a temporary password (you know how sites email you temporary passwords to make sure the email is yours) and it was very secure: uppercase and lowercase letters, as many chars as the site let you have, numbers, and ASCII chars as well, some random #* thrown in.  But if you read it out loud, it was repetitive and easy to remember, almost like a nursery rhyme; it followed a sing-songy pattern.  Since then, I've tried to make my passwords do that.  It doesn't make them any less secure (especially if you test them) but it sure makes them easier to remember.
0
 
redseatechnologies Commented:
The way I remember my main strong password is that I used it so many times - at one stage I had it written on the wall.

And that is the key right there - write your password down.  There is a far greater chance of your password being cracked than of someone stealing or social engineering it off you - good personal security will protect an otherwise meaningless string of characters.

When I want to remember a new strong password, I write it down and carry it with me.  But, I do not write down the username, or what site/client/whatever it is for - and, I obscure the password a bit by adding 4 random characters to the start and to the end - there is little or no chance of someone a) getting it off me in the first place and b) knowing what to do with it.

After about 10 uses, I know it off by heart and that is it!

-red
0
 
lovewithnoface Commented:
There are also password keepers, which are relatively secure.  If you have a REALLY secure password for your computer and your password keeper, that is, and don't keep anything of vital importance like bank records in there.

Of course my dad got this great one, which you get to try for a long time.  I didn't take it from him, because, well, my dad (you'll see why), but my sister did, and then, well, they liked it, and decided to buy it but forgot to, and then one day my sister comes into the living room and says "can we buy that program? all of my passwords are in there and I can't get them out now!"

Yah.  So while there's a fair bit of technology and knowing how passwords work involved in being secure, and having secure passwords, there's a fair amount of just plain old common sense, which shockingly enough, most people need to be taught, so you can buy dozens of books on it.

Once you know the tech stuff though, just keep your head on your shoulders.  Which sounds relatively simple, but you'd be surprised.

As my dad said, "we haven't paid for that?"

Cheers,
lovewithnoface
0
 
Blinkr (Author) Commented:

>if you have a REALLY secure password for your computer and your password keeper

I use Roboform to keep passwords for all of my computers. It is really good & supposed to be secure. Here is a link to its features:
http://www.roboform.com/features.html

What I was looking for in this post was sites that will test a password to tell you just how secure it is. You enter the password into a box & it tells you if it is weak or strong. I have clients that I would like to go to a link, enter their password & show them how weak it is. If they see this on a site that looks like a professional security site, maybe they will do a better job of choosing passwords. Most don't even know how to create a strong password. They think that if they have one that has at least 4 letters & a number that it is very secure.

Thanks!!
0
 
Rich Rumble (Security Samurai) Commented:
Again, it's all relative... if their password is 14 chars or less, and used for Windows login, consider it weak, due to rainbow table programs like OphCrack and RainbowCrack, let alone the numerous other tools that can use those tables. John the Ripper and LC5, Cain & Abel and hundreds more can brute force passes in a week or less on modern hardware.  http://www.rainbowcrack.com/ https://www.isc2.org/cgi-bin/content.cgi?page=738
There are rainbow tables for a dozen other hashes now as well... but they take much much longer to complete. If the password is the password to "open" a document in M$ Office, that is the strongest password in any M$ Office product, but if someone has a dozen computers at their disposal, the password, regardless of length, can be found in a matter of hours, as the work can be distributed via Elcomsoft's program.

You can make a simple script that checks for varied cases, symbols, and numbers and factors in how long the pass is... again, you could have the most secure pass there is, but if it's stored in a weak hash or substitution cipher, the password complexity means nothing.
buyA!!Cc0Un+$TH15passis53cur3 (by all accounts, this pass is secure)
ohlN!!nPp0Ha+$GU15cnffvf53phe3 (rot-13 version of the pass,  A=n B=o C=p) http://www.retards.org/projects/rot13/

-rich
0
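Here is the kind of "simple script" Rich describes, written as an added example for this thread (it is not code posted by any participant). It checks which of the four complexity classes a password uses, and then estimates the brute-force search space two ways: as one case-sensitive hash over the whole string (the NTLM-style behaviour described above) and under the LM rules discussed earlier (case folded, padded to 14, split into two seven-character halves attacked independently). It also runs Rich's rot13 example through the same checker to show that a complexity score is blind to how the password is stored. The 33-character symbol alphabet and the treatment of an empty LM half as a constant hash are modelling assumptions made here, not facts from the thread.

```python
import codecs
import math
import string
from typing import Dict, Optional

# Assumption: 32 printable ASCII punctuation characters plus space.
SYMBOL_ALPHABET = len(string.punctuation) + 1


def complexity(password: str) -> Dict[str, object]:
    """Report which of the four Windows complexity classes the password uses, and how many."""
    report: Dict[str, object] = {
        "upper": any(ch in string.ascii_uppercase for ch in password),
        "lower": any(ch in string.ascii_lowercase for ch in password),
        "digit": any(ch in string.digits for ch in password),
        # Anything that is not an ASCII letter or digit is treated as a symbol.
        "symbol": any(ch not in string.ascii_letters + string.digits for ch in password),
    }
    report["count"] = sum(1 for key in ("upper", "lower", "digit", "symbol") if report[key])
    return report


def alphabet_size(password: str, case_sensitive: bool) -> int:
    """Smallest per-class alphabet that covers the password: what a brute-forcer would iterate."""
    used = complexity(password)
    size = 0
    if case_sensitive:
        size += 26 * (int(bool(used["upper"])) + int(bool(used["lower"])))
    elif used["upper"] or used["lower"]:
        size += 26  # case-folded: upper and lower collapse into one 26-letter alphabet
    if used["digit"]:
        size += 10
    if used["symbol"]:
        size += SYMBOL_ALPHABET
    return size


def ntlm_search_bits(password: str) -> float:
    """log2 of the brute-force space when the whole, case-sensitive password is one hash."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password, case_sensitive=True))


def lm_search_bits(password: str) -> Optional[float]:
    """log2 of the brute-force space under the LM rules from the thread: case folded,
    two 7-character halves, each searched on its own. Returns None above 14 characters,
    where the thread notes LM stores a null hash and NTLM is relied on instead."""
    if len(password) > 14:
        return None
    folded = password.upper()
    total = 0.0
    for half in (folded[:7], folded[7:14]):
        if not half:
            total += 1  # Assumption: an empty half is the well-known constant hash, no search needed
        else:
            total += alphabet_size(half, case_sensitive=False) ** len(half)
    # The halves are independent, so the attacker's cost is the SUM, not the product.
    return math.log2(total)


def rot13(text: str) -> str:
    """The letter-substitution cipher from Rich's example (stdlib codec, so no key and no security)."""
    return codecs.encode(text, "rot_13")


def rate(password: str) -> Dict[str, object]:
    """One-line summary a script like Rich's might print for a client's password."""
    lm = lm_search_bits(password)
    return {
        "length": len(password),
        "classes": complexity(password)["count"],
        "ntlm_bits": round(ntlm_search_bits(password), 1),
        "lm_bits": None if lm is None else round(lm, 1),
    }


if __name__ == "__main__":
    # qwerty12345678 and the rot13 pair are the thread's own examples.
    for pw in ("qwerty12345678", "buyA!!Cc0Un+$TH15passis53cur3"):
        print(pw, rate(pw))
    # Same complexity score before and after a substitution cipher: the score says
    # nothing about how the password is stored.
    original = "buyA!!Cc0Un+$TH15passis53cur3"
    print(rot13(original), rate(rot13(original)))
```

For qwerty12345678 the script reports about 72 bits of search space as a single case-sensitive hash, but only about 36 bits under the LM split, because the second half (2345678) is digits only and the first half is searched without the case distinction; that gap is the concrete reason behind the advice above to turn LM off and go past 14 characters.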
 
redseatechnologies Commented:
>> What I was looking for in this post was sites that will test a password to tell you just how secure it is. You enter the password into a box & it tells you if it is weak or strong.

I already posted links on that in my first post, as I am sure others have

-red
0
 
Blinkr (Author) Commented:
Thanks for all of the help!! I really learned a lot!!

Rich posted a lot of info & good reading for security issues & passwords. Thanks!!

Red, thanks for the links to the online checkers. These will work great for my clients!! I can now with this info, get my clients to create better passwords. Thanks!!

0
 
redseatechnologies Commented:
The only way I got my clients to do that was by enforcing it with password policies.

Some people get terribly fond of 3 digit passwords - or worse yet "password"

Good luck!

-red
0
 
lovewithnoface Commented:
I had "password" as a password for one stupid site that insisted I sign in, and I couldn't figure out why I needed a username and password to begin with, as I don't even think they made me fill in my email address, or that I did anything on the site (no posting comments). I think it was a power trip, and it annoyed me.

man, what website was that?

i hope they can spell password properly...
0
 
Blinkr (Author) Commented:
There are only a few of my clients that I would like to use these sites for. And they have been very good at following my suggestions. I feel like some others that work with them need me to "prove officially" that their passwords are weak. But thanks for the input!!
0
 
Rich Rumble (Security Samurai) Commented:
That's what an "Audit" is for ;) Having them give you written permission to dump their passwords, and seeing how long it takes to crack them, those are the true tests, or at least a better indicator. You can use Cain & Abel's password calculator to output a plain-text pass in a variety of hashes, and see how long they'd take to crack using brute force, forgetting that you know the value beforehand.
-rich
0
 
Blinkr (Author) Commented:
Thanks again Rich! I downloaded & installed C&A & am trying to figure it out. I am reading thru the link you posted for John-the-Ripper as well.
0