Obtaining User passwords

jimmy1264
Is there a tool or a piece of software out there that I can have in my AD domain that will log username and passwords?

Hi jimmy1264,

This is verging on a hacking question - in fact, I think it is.

So, the answer is, no, there is no way to log users' passwords from Active Directory.

When I need a user's password, I ask for it, or manually reset it.  If you are not in a position to do the same, then you are not in a position to ask how to bypass your environment.

-red
Simon Earl, Senior Consultant

Commented:
Agree with RedSea.....

There are plenty of tools available on the internet to sniff out passwords, but I don't want to provide any links to them.

Many good AV tools will also detect and remove these programs automatically.

Why do you need to log username and passwords?

Cheers
Si

Author

Commented:
We recently let a member of the IT department go. Since before that we kept track of all user passwords on a document, we no longer have them. We need to keep track of them so we can work on their systems when they are away from their desks or on weekends. Trying to avoid door knocking everyone to update the list again.

thanks for the input,

Jim

Commented:
First question - why not just use your domain admin privileges to access their computers?
If you really need this, you might try to check out pwdump2 - which will work on the AD only if you are already a domain admin...
I never understood why people would want to record user passwords.

First, it should be regularly changed (making tracking a pain).  Second, it can always be reset if you need to log on as the user (or if they forget it).  Third, it is a really poor security practice to have passwords written down; the more passwords in the one place, the worse that is.

-red
Rich Rumble, Security Samurai
Top Expert 2006

Commented:
You do not need the password records, as pointed out above, what's the point? You can reset a password to a known value anytime you wish, you can also run an audit on passwords, JohnTheRipper and PwDump are a good combination, as is RainbowCrack or OphCrack. There are no tools to "instantly" show you the pass's except a keylogger, and if you need the pass in a few minutes or an hour, use a rainbow table, that is if the pass is under 14 chars. If it's longer, then brute-force will be the next step. Writing down the pass's in one location is an added and unnecessary security risk.
-rich

Commented:
This kind of issue always makes me wonder why Windows will not allow you to su into any user from Administrator...
Rich Rumble, Security Samurai
Top Expert 2006

Commented:
Runas is more like SU than Sudo, and it's a good start for M$, but it's pretty late in the game, even when win2k first introduced it. Others have written windows shells that use runas and its API to be "more unix" like in your daily tasks, this is a great site to look at for tools that help you to implement the principle of least privilege:
http://nonadmin.editme.com/ and a link from that site is "sudo for windows" http://sourceforge.net/project/showfiles.php?group_id=143653&package_id=157780&release_id=427299
-rich

Commented:
richrumble - runas will not allow you to execute programs as a certain user without his/her password even if you are system / administrator.
Rich Rumble, Security Samurai
Top Expert 2006

Commented:
True, I wasn't thinking :) Indeed, runas is more like su than it is sudo.
-rich

Author

Commented:
Look at you guys go back and forth...

 - Yes I can use my Domain Admin privileges to log into the computer
 - Yes I can reset the password if I have to work on the computer - Then I would still have to obtain the information verbally from the user to reset the password back because Attorneys don't like change.

When diagnosing a desktop issue, profile corruption, Word, DM5 anomalies, Outlook email folder problems - YOU HAVE to log in as the user otherwise what's the point.
Rich Rumble, Security Samurai
Top Expert 2006
Commented:
If the users are logged in, why not try an application like VNC, they remain logged in, and you take over the mouse/keyboard? Then you don't need to know their pass, and they don't need to tell you, it's still a secret. There are many flavors of VNC, some encrypted some not, still the principle is the same, you take over their session without logging them off or the need to login as them. If they are not logged in, verbally get the password from them, or indicate to them that you will reset the pass, and afterward they will have to change it when they login, and you place a check-box next to the "change password upon next login" depending on your password policies, they might even be able to use the old pass.
-rich
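The reset-then-force-change workflow described in the comment above, scripted as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module and an account allowed to reset passwords; the function names, the account `jdoe` and the ticket id `HD-0001` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Ambiguous characters (0/O, 1/l/I) left out so it can be read aloud.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+?'
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder
    try {
        while ($out.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$out.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $out.ToString()
}

function Reset-PasswordForSupport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires
    if ($user.PasswordNeverExpires) {
        # Set-ADUser rejects ChangePasswordAtLogon on such accounts.
        throw "$SamAccountName has PasswordNeverExpires set; clear it first."
    }
    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password, force change at next logon')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }
    # Returned to the technician only; do not write TemporaryPassword to a file.
    [pscustomobject]@{
        User = $user.SamAccountName; Ticket = $TicketId
        ResetBy = "$env:USERDOMAIN\$env:USERNAME"
        ResetAt = (Get-Date).ToString('s')
        TemporaryPassword = $plain
    }
}

# Example call (constructed account name and ticket id):
# Reset-PasswordForSupport -SamAccountName 'jdoe' -TicketId 'HD-0001' -WhatIf
```

The one-time password replaces the shared password document: it exists only for the support session, and the user sets a new secret at the next logon.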
Forced accept.

Computer101
EE Admin
