can i use a password cracker against active directory

I am doing some consulting work for a company that has not been very strict on enforcing password complexity.  I have been asked to check the complexity of passwords in the domain but I do not have any tools for that.  What do you recommend? And does the tool provide instructions for the best use?
gbuch11Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
wolfcamelConnect With a Mentor Commented:
problem with the poll - most people I know - know that they SHOULD be using complex passwords and would answer accordingly.
users will tend to use the least complex they can get away with. They also tend to make minor changes every month that also become easy to guess..eg  Simon1, simon2, simon3 for the month, so they know what they are up to.
0
 
wolfcamelCommented:
the best thing you can do is enforce password complexity and then enforce a required password change in 3 days.
Also - I prefer length to complexity - a password such as "MydogisFido." is easy to remember and hard to crack and easy to type in.
0
 
gbuch11Author Commented:
I will do that but management wants to know what the complexity is that users are currently using?
0
 
Keith AlabasterEnterprise ArchitectCommented:
This is a manual activity rather than a tool-based one. I would be very suprised if ANY organisation asked you to run a password-checker through their internal system.

A similar exercise was carried out within our own organisation by Cap gemini and their approach was to issue a poll. This was carried out by both email and web survey and asked a number of leading questions such as:

Are you using upper and lower case letters in your passwords?
How many numbers are used in your passwords?
Are you using more than one password for the systems that require you to logon?
How frequently to use a password that you have used previously?
and so on.

You can then collate those answers and give a break down of the complexities.
You can also decide whether you want to make the results anonymous or you migght be able to tie down peer groups etc. All can be done though without the 'possible' issues that could arise from either asking for passwords or being seen by the users of 'big brother type' crap.

Keith
0
 
Keith AlabasterConnect With a Mentor Enterprise ArchitectCommented:
This is true but is the nature of the beast. The HR ramifications, privacy laws - even for a business, don't blame me, someone has my password brigade etc etc - the ramifications of the cracker approach was a minefield. I work in Government so maybe ours was a little OTT but this was the feedback we had been given by all the departments that were 'in the know' on these things.

If the tool approach is REALLY the method that your company is advocating then an advance notification that you are undertaking this activity and will be repeating the audit periodically could be a reasonable driver.

Also bear in mind your company's IT Policy. Sounds stupid but if, for example, you allow your staff to save ANY personal information on the IT systems - and that data is protected (in their minds at least) by the username/password credentials - you could be challenged to provide proof positive that no-one has used the passwords you have gleaned surreptitiously.

We have some real 'mischief makers' - do you?

Lastly, remember that none of the tools available are supported by Microsoft. Use of such tools - and this is just something in the back of my head that I seem to remember from when I worked for them - breaks your license agreement.

However, to answer your question if you really want to do it the way you described then yes - most come with instructions.

Keith
0
All Courses

From novice to tech pro — start learning today.