Solved

can i use a password cracker against active directory

Posted on 2008-10-08
7
250 Views
Last Modified: 2012-05-05
I am doing some consulting work for a company that has not been very strict on enforcing password complexity.  I have been asked to check the complexity of passwords in the domain but I do not have any tools for that.  What do you recommend? And does the tool provide instructions for the best use?
0
Comment
Question by:gbuch11
  • 2
  • 2
7 Comments
 
LVL 20

Expert Comment

by:wolfcamel
ID: 22670144
the best thing you can do is enforce password complexity and then enforce a required password change in 3 days.
Also - I prefer length to complexity - a password such as "MydogisFido." is easy to remember and hard to crack and easy to type in.
0
 

Author Comment

by:gbuch11
ID: 22670222
I will do that but management wants to know what the complexity is that users are currently using?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22679671
This is a manual activity rather than a tool-based one. I would be very suprised if ANY organisation asked you to run a password-checker through their internal system.

A similar exercise was carried out within our own organisation by Cap gemini and their approach was to issue a poll. This was carried out by both email and web survey and asked a number of leading questions such as:

Are you using upper and lower case letters in your passwords?
How many numbers are used in your passwords?
Are you using more than one password for the systems that require you to logon?
How frequently to use a password that you have used previously?
and so on.

You can then collate those answers and give a break down of the complexities.
You can also decide whether you want to make the results anonymous or you migght be able to tie down peer groups etc. All can be done though without the 'possible' issues that could arise from either asking for passwords or being seen by the users of 'big brother type' crap.

Keith
0
 
LVL 20

Accepted Solution

by:
wolfcamel earned 250 total points
ID: 22679792
problem with the poll - most people I know - know that they SHOULD be using complex passwords and would answer accordingly.
users will tend to use the least complex they can get away with. They also tend to make minor changes every month that also become easy to guess..eg  Simon1, simon2, simon3 for the month, so they know what they are up to.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 22680950
This is true but is the nature of the beast. The HR ramifications, privacy laws - even for a business, don't blame me, someone has my password brigade etc etc - the ramifications of the cracker approach was a minefield. I work in Government so maybe ours was a little OTT but this was the feedback we had been given by all the departments that were 'in the know' on these things.

If the tool approach is REALLY the method that your company is advocating then an advance notification that you are undertaking this activity and will be repeating the audit periodically could be a reasonable driver.

Also bear in mind your company's IT Policy. Sounds stupid but if, for example, you allow your staff to save ANY personal information on the IT systems - and that data is protected (in their minds at least) by the username/password credentials - you could be challenged to provide proof positive that no-one has used the passwords you have gleaned surreptitiously.

We have some real 'mischief makers' - do you?

Lastly, remember that none of the tools available are supported by Microsoft. Use of such tools - and this is just something in the back of my head that I seem to remember from when I worked for them - breaks your license agreement.

However, to answer your question if you really want to do it the way you described then yes - most come with instructions.

Keith
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
EMAIL BANNER 8 29
FIM 2010r2 Sync Service creating item with blank info 4 157
How to allow  or block web page widgets using TMG 2010 2 1,137
MS Forefront UAG Support for Windows 10 1 583
I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now