Solved

Can I use a password cracker against Active Directory

Posted on 2008-10-08
Last Modified: 2012-05-05
I am doing some consulting work for a company that has not been very strict on enforcing password complexity.  I have been asked to check the complexity of passwords in the domain but I do not have any tools for that.  What do you recommend? And does the tool provide instructions for the best use?
Question by:gbuch11
LVL 20

Expert Comment

by:wolfcamel
ID: 22670144
The best thing you can do is enforce password complexity and then enforce a required password change in 3 days.
Also - I prefer length to complexity - a password such as "MydogisFido." is easy to remember and hard to crack and easy to type in.
0
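One way to act on the recommendation in the comment above, as an added example that is not part of the original thread: review what the domain enforces today, list the accounts that sidestep it, then enable complexity and require a change. It assumes the ActiveDirectory PowerShell module; the minimum length of 12 is an illustrative value, and the change is forced at next logon rather than within the 3-day window the comment mentions.

```powershell
# Added example: review and tighten the default domain password policy.
# Requires the ActiveDirectory module (RSAT). $MinLength is an assumed target,
# not a value from the thread.
Import-Module ActiveDirectory

$MinLength = 12

# 1. What the domain enforces today.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge

# 2. Enabled accounts that sidestep the policy, oldest password first.
$props = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordNotRequired'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props
$users |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired |
    Sort-Object PasswordLastSet

# 3. Turn complexity on and raise the minimum length. Remove -WhatIf to apply.
Set-ADDefaultDomainPasswordPolicy -Identity $policy.DistinguishedName `
    -ComplexityEnabled $true -MinPasswordLength $MinLength -WhatIf

# 4. Require a change so existing passwords are re-set under the new policy.
#    Accounts flagged PasswordNeverExpires are skipped here; they need a
#    separate decision (service accounts usually live in that group).
$users |
    Where-Object { -not $_.PasswordNeverExpires } |
    Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Steps 1 and 2 are read-only and give management a picture of the enforced policy and its exceptions without touching any password or hash.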
 

Author Comment

by:gbuch11
ID: 22670222
I will do that but management wants to know what the complexity is that users are currently using?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22679671
This is a manual activity rather than a tool-based one. I would be very surprised if ANY organisation asked you to run a password-checker through their internal system.

A similar exercise was carried out within our own organisation by Capgemini and their approach was to issue a poll. This was carried out by both email and web survey and asked a number of leading questions such as:

Are you using upper and lower case letters in your passwords?
How many numbers are used in your passwords?
Are you using more than one password for the systems that require you to logon?
How frequently do you use a password that you have used previously?
and so on.

You can then collate those answers and give a break down of the complexities.
You can also decide whether you want to make the results anonymous or you might be able to tie down peer groups etc. All can be done though without the 'possible' issues that could arise from either asking for passwords or being seen by the users of 'big brother type' crap.

Keith
0
 
LVL 20

Accepted Solution

by:
wolfcamel earned 250 total points
ID: 22679792
Problem with the poll - most people I know - know that they SHOULD be using complex passwords and would answer accordingly.
Users will tend to use the least complex they can get away with. They also tend to make minor changes every month that also become easy to guess, e.g. Simon1, simon2, simon3 for the month, so they know what they are up to.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 22680950
This is true but is the nature of the beast. The HR ramifications, privacy laws - even for a business, the 'don't blame me, someone has my password' brigade, etc. etc. - the ramifications of the cracker approach were a minefield. I work in Government so maybe ours was a little OTT but this was the feedback we had been given by all the departments that were 'in the know' on these things.

If the tool approach is REALLY the method that your company is advocating then an advance notification that you are undertaking this activity and will be repeating the audit periodically could be a reasonable driver.

Also bear in mind your company's IT Policy. Sounds stupid but if, for example, you allow your staff to save ANY personal information on the IT systems - and that data is protected (in their minds at least) by the username/password credentials - you could be challenged to provide proof positive that no-one has used the passwords you have gleaned surreptitiously.

We have some real 'mischief makers' - do you?

Lastly, remember that none of the tools available are supported by Microsoft. Use of such tools - and this is just something in the back of my head that I seem to remember from when I worked for them - breaks your license agreement.

However, to answer your question if you really want to do it the way you described then yes - most come with instructions.

Keith
0
