Solved

Link to check password strength

Posted on 2006-06-12
23
947 Views
Last Modified: 2011-10-03
Can anyone suggest some links to check password strength? I've tried a couple & they were fine. But I would like to get some suggestions from some really great security gurus.

Thanks!!
Question by:Blinkr
23 Comments
 
LVL 39

Assisted Solution

by:redseatechnologies
redseatechnologies earned 100 total points
ID: 16891567
Hi Blinkr,

http://www.securitystats.com/tools/password.php
http://www.microsoft.com/athome/security/privacy/password.mspx
https://cuweblogin2.cit.cornell.edu/cuwl-cgi/passCheck1.cgi

Personally, I would NEVER put my password online - not even to check.

It isn't called paranoia when everyone REALLY IS OUT TO GET YOU!

Then it is just called common sense!

Follow the guidelines - long as possible, random as possible, include all 4 complexity requirements (AAAaaa111!!!) and change it often.

Hope that helps,

-red
0
 
LVL 1

Expert Comment

by:siddhant3s
ID: 16891883
Try Gmail Signup.
If you need an invitation then tell me.


Google's Gmail is safe, secure and perfect.


Siddhant Sanyam
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16892953
Like your windows login or something like a hotmail/msn login?
Password strength is relative to the hash and security used to secure that password. Windows login passwords are weak for the following reasons:
Case insensitivity, passwords cut into 2 seven-character halves, the same hash is used on each half. The password qwerty12345678 is actually two separate passes, qwerty1 and 2345678.
There are rainbow tables for the LM hash, basically all possible passwords already written down; all one has to do is search for the pass. There are other hashes that can be rainbow tabled as well.

Passwords should, as indicated above, be as long as possible, and use pass-phrasing, and I recommend misspellings and wrong-context pass's as well, like: "Iamknow1'sfewl" (I am no one's fool)
789tinelevendy (seven eight nine ten elevendy). Things of that nature; cases should be varied. Substitution is good too: 3=E and i=1 or i=!, L=| or L=1, and naturally o=0.

If you want to test the pass against a bruteforcer, give "john the ripper" a try. Here is a good article by the author of jtr http://www.securityfocus.com/columnists/388
These are all good reads too: http://www.google.com/search?sourceid=navclient-ff&ie=UTF-8&rls=GGGL,GGGL:2005-09,GGGL:en&q=site%3Aschneier.com+password+strength
-rich
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 16893141
Good points richrumble,

Windows passwords have a maximum length of 127 characters - and there is a very good reason for that.

The password/passphrase "This is my password, it is long and complicated.  Let's see someone guess this" is good in that it has 3 of 4 complexity requirements (no numbers) but it is still only 68 characters long (I think, I counted quickly).

To REALLY harden that, you could add the key points made by richrumble - typos and substitution - I also like to throw in some German words (because I am learning it at the moment).

The problem then becomes, how are you going to remember all of that?  You probably won't :)

My day to day password is 9 characters long, but fulfills all 4 complexity requirements, is spelt wrong and includes substitution.

But, my admin account passwords are 25 digits long (it is an old Windows 95 registration code, which I have memorised for some reason). To make that harder, I hold down shift for every other 3 characters.

So s8d0sdks097j would become s8d)SDks0(&J without making it any harder for me to remember.  The same should be possible for a simple phrase.  "this is a hard password" = "thiS Is a HARd pASSworD"  Throw in some substitution numbers and you are done.

Way back in the old days, I coupled my 25 digit 95 code, with another 25 digit 2000 code, and a 20 digit F-Secure code.  Plus my shift trick, and it was mighty hard, and yet still rememberable (if that is a word!)

-red
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16893517
LM passes (the default hash since NT 3.1) and NTLM are what is sent by default when you login, connect to a windows share etc... LM is case insensitive, and NTLM is case sensitive. LM is also the one that uses 2 seven-character halves, 14 char limit, and NTLM is all one hash, maximum 127 chars. If you have an LM password over 14 chars, the hash is turned to null, and NTLM is relied upon. 0182BD0BD4444BF8 is a null hash
http://www.experts-exchange.com/Security/Win_Security/Q_21282957.html

Still I think we'd need some clarification on what pass you're trying to test the strength of... a password of 1234567812345678 is "stronger" when encrypted using AES or MD5 as opposed to NTLM because it takes longer for MD5 or AES to "crack" than it would for NTLM... That pass is really insecure overall, but it is stronger under one hash than another... again passphrases are likely to be stronger than passwords... although fundamentally they aren't that different from one another.
-rich
0
 
LVL 1

Author Comment

by:Blinkr
ID: 16893693
Gee, you guys are amazing!! This is absolutely the most intense info I've gotten on this site. All of it is great!!

But what I was looking for was some links I could use to test the strength of some of my clients passwords. So I could demonstrate just how weak they are & convince them to crank them up a notch or 2. I've found a couple. One was a MS site, which I don't know if it's any good or not. I've never thought that MS had anyone that could do security.

I DO have to thank you for the above, as it is really useful & appreciated!!
0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 16893978
A weak password would be one found in a dictionary, or an easy permutation of such a word...
w3akPas$ (weak pass)
lovetim1995 (love tim 1995)
Those are pass's that would easily be found...  Microsoft MBSA scanner can tell you if any of your pass's are easily found in a dictionary as well. There is also the password complexity requirements and a passfilter http://msdn.microsoft.com/library/en-us/secmgmt/security/strong_password_enforcement_and_passfilt_dll.asp?frame=true
http://support.microsoft.com/kb/225230
http://msdn.microsoft.com/library/en-us/gp/504.asp?frame=true

Otherwise you're looking at a password audit: dump all pass's via pwdump3e or a similar program, then run johntheripper against them... 80% of pass's fall in minutes; using a rainbow table you can get all pass's in an hour or less... It's all still relative to exposure, the hash used to encrypt and the resources available to crack...
These may provide interesting reads:
http://www.schneier.com/blog/archives/2006/03/the_psychology.html
http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html  http://www.schneier.com/blog/archives/2005/06/write_down_your.html
http://www.schneier.com/blog/archives/2006/05/common_password.html

It boils down to an audit to illustrate the current state of chosen passes. From there you can go on to recommending that they turn on a password complexity requirement, and perhaps turning off LM and using NTLM and NTLMv2... http://support.microsoft.com/?kbid=299656 http://download.microsoft.com/download/f/4/a/f4a67fc8-c499-461d-a025-8155fb4f7a0f/Windows%20Passwords%20Master%201.5%20Handout%20-%20Jesper%20Johansson.ppt
http://support.microsoft.com/?scid=239869 http://www.microsoft.com/technet/archive/community/columns/security/askus/auas0201.mspx
I'd suggest picking up the "hacking exposed" series of books, they may help you even more... http://www.hackingexposed.com/
-rich
0
 
LVL 1

Author Comment

by:Blinkr
ID: 16894375
Thanks, Rich! You mentioned JtR before & I had downloaded it. The installation instructions don't seem to coincide with what files are included. There are files missing that are mentioned in the installation instructions, so I've been sort of lost on how to install & use it. Is there a "novice" JtR site where I can get a better idea of what is supposed to be done to get JtR up & running?

Thanks again for your help!!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16894618
There are guides out there that can help you, basically you dump the pass's, and open john from the cmd line and run it against those pass's...
http://xinn.org/john-the-ripper.html
There is no real install per se, merely unzipping and cd'ing to that folder inside john and running the exe. John runs much faster on linux than win32, still faster than LC5 nonetheless. Cain & Abel is a good tool to have also.
-rich
0
 
LVL 4

Expert Comment

by:uberpoop
ID: 16924549
If you want simple password cracking, get Cain and Abel from oxid.it...
in my opinion it is much simpler than JtR.
Cain and Abel also has quite a few other fun tools built in...

I love the sniffing feature... just be careful with the Arp Poisoning feature... It really hoses my switches.
0
 
LVL 3

Expert Comment

by:lovewithnoface
ID: 16974691
One of my passwords that I like to use is 17 chars, and if you're talking about a password for online access to something, a lot of sites oddly enough won't let you have that many chars.

One of the things I did (I have a crazy password for admins, online access etc.) but once you get past that, you also need passwords for everything, messenger accounts, email, EE, everything, and a lot won't let you have long passwords, but you still want them to be as secure as possible.

A couple of general recommendations I have: some people, once they come up with a secure password for online things, use it for everything.  You don't want that, especially since online passwords are easier to break.  But some things I would group under the same password (though it depends).

It's very difficult to remember a large number of SECURE passwords.  I have journal accounts that I rarely use, so those all have the same password, but I also set my settings to email me if something changes, including if I change my settings.  I haven't used the accounts in two years, but they're set to active email addresses, and I don't have to worry.

Also, if you're trying to figure out how to remember your password, try and choose something repetitive sounding, not repetitive.  I was once given a temporary password (you know how sites email you temporary passwords to make sure the email is yours) and it was very secure: uppercase and lowercase letters, as many chars as the site let you have, numbers, and ASCII chars as well, some random #* thrown in.  But if you read it out loud, it was repetitive and easy to remember, almost like a nursery rhyme; it followed a sing-songy pattern.  Since then, I've tried to make my passwords do that.  It doesn't make them any less secure (especially if you test them) but it sure makes them easier to remember.
0

 
LVL 39

Expert Comment

by:redseatechnologies
ID: 16974850
The way I remember my main strong password is that I used it so many times - at one stage I had it written on the wall.

And that is the key right there - write your password down.  There is a far greater chance of your password being cracked, than by someone stealing or social engineering it off you - good personal security will protect an otherwise meaningless string of characters.

When I want to remember a new strong password, I write it down and carry it with me.  But, I do not write down the username, or what site/client/whatever it is for - and, I obscure the password a bit by adding 4 random characters to the start and to the end - there is little or no chance of someone a) getting it off me in the first place and b) knowing what to do with it.

After about 10 uses, I know it off by heart and that is it!

-red
0
 
LVL 3

Expert Comment

by:lovewithnoface
ID: 16974921
There are also password keepers, which are relatively secure.  If you have a REALLY secure password for your computer and your password keeper, that is, and don't keep anything of vital importance like bank records in there.

Of course my dad got this great one, which you got to try for a long time.  I didn't take it from him, because, well, my dad (you'll see why), but my sister did, and then, well, they liked it, and decided to buy it but forgot to, and then one day my sister comes into the living room and says "can we buy that program? All of my passwords are in there and I can't get them out now!"

Yah.  So while there's a fair bit of technology and knowing how passwords work involved in being secure, and having secure passwords, there's a fair amount of just plain old common sense, which shockingly enough, most people need to be taught, so you can buy dozens of books on it.

Once you know the tech stuff though, just keep your head on your shoulders.  Which sounds relatively simple, but you'd be surprised.

As my dad said, "we haven't paid for that?"

Cheers,
lovewithnoface
0
 
LVL 1

Author Comment

by:Blinkr
ID: 16976080

>if you have a REALLY secure password for your computer and your password keeper

I use Roboform to keep passwords for all of my computers. It is really good & supposed to be secure. Here is a link to its features:
http://www.roboform.com/features.html

What I was looking for in this post was sites that will test a password to tell you just how secure it is. You enter the password into a box & it tells you if it is weak or strong. I have clients that I would like to go to a link, enter their password & show them how weak it is. If they see this on a site that looks like a professional security site, maybe they will do a better job of choosing passwords. Most don't even know how to create a strong password. They think that if they have one that has at least 4 letters & a number that it is very secure.

Thanks!!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16976394
Again, it's all relative... if their password is 14 chars or less, and used for Windows login, consider it weak, due to rainbow table programs like OphCrack and Rainbow Crack, let alone the numerous other tools that can use those tables. JohnTheRipper and LC5, Cain & Abel and hundreds more can brute force pass's in a week or less on modern hardware.  http://www.rainbowcrack.com/ https://www.isc2.org/cgi-bin/content.cgi?page=738
There are rainbow tables for a dozen other hashes now as well... but they take much much longer to complete. If the password is the password to "open" a document in M$ office, that is the strongest password in any M$ office product, but if someone has a dozen computers at their disposal, the password, regardless of length, can be found in a matter of hours, as the work can be distributed via Elcomsoft's program.

You can make a simple script that checks for varied cases, symbols, and numbers and factors in how long the pass is... again, you could have the most secure pass there is, but if it's stored in a weak hash or substitution cipher, the password complexity means nothing.
buyA!!Cc0Un+$TH15passis53cur3 (by all accounts, this pass is secure)
ohlN!!nPp0Ha+$GU15cnffvf53phe3 (rot-13 version of the pass,  A=n B=o C=p) http://www.retards.org/projects/rot13/

-rich
0
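Rich's suggestion of a simple script that checks cases, symbols, numbers and length, written out as an added example (not code from the thread). It also undoes the substitutions mentioned earlier in the thread (3=E, 1=i, 0=o) to catch dictionary permutations like w3akPas$, and reports the two 7-character LM halves Rich described. The wordlist is a constructed stand-in, and the function names, the 8-character minimum and the 3-of-4-classes threshold are my assumptions.

```python
import string

# Constructed mini wordlist (an assumption); a real audit would load a big list such as JtR's.
WORDLIST = {"weak", "pass", "password", "love", "tim", "secure", "this", "is", "hard"}
# Substitutions the thread mentions (3=E, i=1 or i=!, L=|, o=0) plus $=s, 5=s, @=a, 4=a, +=t.
LEET = str.maketrans({"3": "e", "1": "i", "!": "i", "|": "l", "0": "o",
                      "$": "s", "5": "s", "@": "a", "4": "a", "+": "t"})


def char_classes(pw: str) -> int:
    """Count how many of the 4 complexity classes (upper, lower, digit, symbol) occur."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def segment(letters: str):
    """Split a lowercase letter string entirely into wordlist words, or return None."""
    best = [None] * (len(letters) + 1)
    best[0] = []
    for end in range(1, len(letters) + 1):
        for start in range(end):
            if best[start] is not None and letters[start:end] in WORDLIST:
                best[end] = best[start] + [letters[start:end]]
                break
    return best[-1] or None


def dictionary_words(pw: str):
    """Try the raw letters first, then the letters after undoing leet substitutions."""
    for candidate in (pw, pw.translate(LEET)):
        words = segment("".join(c for c in candidate.lower() if c.isalpha()))
        if words:
            return words
    return None


def lm_halves(pw: str):
    """LM upper-cases, pads to 14 bytes and hashes two independent 7-char halves; >14 chars: no LM hash."""
    if len(pw) > 14:
        return None
    padded = pw.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def assess(pw: str) -> dict:
    """Apply the thread's rules: length, the 4 classes, dictionary permutations, LM exposure."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    classes = char_classes(pw)
    if classes < 3:
        findings.append(f"only {classes} of 4 character classes")
    words = dictionary_words(pw)
    if words:
        findings.append("dictionary words once substitutions are undone: " + "+".join(words))
    # LM exposure depends on where the password is stored, so it is reported separately.
    return {"verdict": "weak" if findings else "strong",
            "findings": findings, "lm_halves": lm_halves(pw)}


if __name__ == "__main__":
    for pw in ("w3akPas$", "lovetim1995", "qwerty12345678", "buyA!!Cc0Un+$TH15passis53cur3"):
        print(pw, assess(pw))
```

The verdict only covers the password itself; whether an LM hash of it exists depends on the Windows settings Rich mentions, so that is reported as a separate field.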
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 16976621
>> What I was looking for in this post was sites that will test a password to tell you just how secure it is. You enter the password into a box & it tells you if it is weak or strong.

I already posted links on that in my first post, as I am sure others have

-red
0
 
LVL 1

Author Comment

by:Blinkr
ID: 16976680
Thanks for all of the help!! I really learned a lot!!

Rich posted a lot of info & good reading for security issues & passwords. Thanks!!

Red, thanks for the links to the online checkers. These will work great for my clients!! I can now with this info, get my clients to create better passwords. Thanks!!

0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 16976685
The only way I got my clients to do that was by enforcing it with password policies.

Some people get terribly fond of 3 digit passwords - or worse yet "password"

Good luck!

-red
0
 
LVL 3

Expert Comment

by:lovewithnoface
ID: 16976770
I had password as a password for one stupid site that insisted I sign in, and I couldn't figure out why I needed a username and password to begin with, as I don't even think they made me fill in my email address, or that I did anything on the site (no posting comments). I think it was a power trip, and it annoyed me.

Man, what website was that?

I hope they can spell password properly...
0
 
LVL 1

Author Comment

by:Blinkr
ID: 16976965
There are only a few of my clients that I would like to use these sites for. And they have been very good at following my suggestions. I feel like some others that work with them need me to "prove officially" that their passwords are weak. But thanks for the input!!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16977406
That's what an "Audit" is for ;) Having them give you written permission to dump their passwords, and see how long it takes to crack, those are the true tests, or at least a better indicator. You can use Cain & Abel's password calculator to output a plain-text pass in a variety of hashes, and see how long they'd take to crack using bruteforce, forgetting that you know the value beforehand.
-rich
0
 
LVL 1

Author Comment

by:Blinkr
ID: 16980644
Thanks again Rich! I downloaded & installed C&A & am trying to figure it out. I am reading through the link you posted for John-the-Ripper as well.
0
