Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

can i use a password cracker against active directory

Posted on 2008-10-08
7
Medium Priority
?
261 Views
Last Modified: 2012-05-05
I am doing some consulting work for a company that has not been very strict on enforcing password complexity.  I have been asked to check the complexity of passwords in the domain but I do not have any tools for that.  What do you recommend? And does the tool provide instructions for the best use?
0
Comment
Question by:gbuch11
  • 2
  • 2
7 Comments
 
LVL 20

Expert Comment

by:wolfcamel
ID: 22670144
the best thing you can do is enforce password complexity and then enforce a required password change in 3 days.
Also - I prefer length to complexity - a password such as "MydogisFido." is easy to remember and hard to crack and easy to type in.
0
 

Author Comment

by:gbuch11
ID: 22670222
I will do that but management wants to know what the complexity is that users are currently using?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22679671
This is a manual activity rather than a tool-based one. I would be very suprised if ANY organisation asked you to run a password-checker through their internal system.

A similar exercise was carried out within our own organisation by Cap gemini and their approach was to issue a poll. This was carried out by both email and web survey and asked a number of leading questions such as:

Are you using upper and lower case letters in your passwords?
How many numbers are used in your passwords?
Are you using more than one password for the systems that require you to logon?
How frequently to use a password that you have used previously?
and so on.

You can then collate those answers and give a break down of the complexities.
You can also decide whether you want to make the results anonymous or you migght be able to tie down peer groups etc. All can be done though without the 'possible' issues that could arise from either asking for passwords or being seen by the users of 'big brother type' crap.

Keith
0
 
LVL 20

Accepted Solution

by:
wolfcamel earned 1000 total points
ID: 22679792
problem with the poll - most people I know - know that they SHOULD be using complex passwords and would answer accordingly.
users will tend to use the least complex they can get away with. They also tend to make minor changes every month that also become easy to guess..eg  Simon1, simon2, simon3 for the month, so they know what they are up to.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 1000 total points
ID: 22680950
This is true but is the nature of the beast. The HR ramifications, privacy laws - even for a business, don't blame me, someone has my password brigade etc etc - the ramifications of the cracker approach was a minefield. I work in Government so maybe ours was a little OTT but this was the feedback we had been given by all the departments that were 'in the know' on these things.

If the tool approach is REALLY the method that your company is advocating then an advance notification that you are undertaking this activity and will be repeating the audit periodically could be a reasonable driver.

Also bear in mind your company's IT Policy. Sounds stupid but if, for example, you allow your staff to save ANY personal information on the IT systems - and that data is protected (in their minds at least) by the username/password credentials - you could be challenged to provide proof positive that no-one has used the passwords you have gleaned surreptitiously.

We have some real 'mischief makers' - do you?

Lastly, remember that none of the tools available are supported by Microsoft. Use of such tools - and this is just something in the back of my head that I seem to remember from when I worked for them - breaks your license agreement.

However, to answer your question if you really want to do it the way you described then yes - most come with instructions.

Keith
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question