charles_dilger asked:
Stop simple passwords

I run an AD domain (Server 2003 native) with a few hundred users. I've moved all the accounts I can away from passwords over to two-factor authentication, but some people, such as developers, need to do things that still require good old-fashioned passwords. For these guys I have fairly stiff password requirements (14 characters, complex, remember last 10, change every 30 days, etc.). However, I'm still worried some people are using passwords that are too easy, like keyboard walks or a short word four times, etc. I know there are ways of using custom DLLs to force stronger password requirements than Windows normally supports, but I don't like swapping out DLLs like that. I remember an admin telling me he had something like a brute-force password cracker running on his DCs, and every so often it would crack an account so he could go yell at the user for using too simple of a password. I want to do something like this; however, to combat an actual brute force I have an account lockout policy of 3 that I don't want to change, and I don't want to keep locking out everyone's accounts with the cracker. How can I do this?
Mike Kline:

If you have the password policy set at the domain level and have it like you stated, then they are not going to be able to use simple passwords. Also, if you want different policies, you can use a third-party tool (instead of trying to do it yourself): http://www.specopssoft.com/products/specops-password-policy

When you get to a 2008 domain you can also take advantage of fine-grained password policies (different policies for users/groups).

Thanks

Mike
charles_dilger (ASKER):

Don't really have the $ to purchase something, although I do like the Specops products (had my eye on them for a while). The complexity requirements from Windows are kind of weak. Even with everything at the highest levels, "qwertyuiop1234567890!" would be an accepted password, and as you can see that's not very complex nor hard to figure out.
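As an added illustration (written for this page, not code from any poster or from Specops) of why "qwertyuiop1234567890!" clears the built-in Windows complexity check yet is weak, here is a small Python checker for the two patterns the question worries about, keyboard walks and a short word repeated several times. The keyboard rows, the 3-of-4 character-class approximation of the Windows rule, and the 50% walk threshold are assumptions.

```python
import re

# Constructed US keyboard rows used to detect keyboard walks (assumption, not from the page).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def passes_windows_complexity(pw: str) -> bool:
    """Approximation of the built-in rule: at least 3 of 4 character classes present."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def keyboard_walk_fraction(pw: str, min_run: int = 4) -> float:
    """Fraction of characters covered by runs of >= min_run adjacent keys on one row,
    in either direction (qwer... or rewq...)."""
    low = pw.lower()
    covered = [False] * len(low)
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    for row in rows:
        for i in range(len(low)):
            for j in range(i + min_run, len(low) + 1):
                if low[i:j] in row:          # extend the run while it stays on the row
                    for k in range(i, j):
                        covered[k] = True
                else:
                    break                    # a longer slice cannot match either
    return sum(covered) / len(low) if low else 0.0


def weakness_reasons(pw: str) -> list:
    """Reasons a password that may satisfy complexity rules is still weak."""
    reasons = []
    if keyboard_walk_fraction(pw) >= 0.5:
        reasons.append("keyboard walk")
    # A unit of up to 7 characters repeated 3 or more times, e.g. Pass1Pass1Pass1.
    if re.fullmatch(r"(.{1,7}?)\1{2,}", pw):
        reasons.append("short word repeated")
    return reasons


if __name__ == "__main__":
    for candidate in ["qwertyuiop1234567890!", "Pass1Pass1Pass1", "Correct-Horse-Battery-7"]:
        print(candidate, passes_windows_complexity(candidate), weakness_reasons(candidate))
```

The same checks can run over a wordlist before it is fed to an audit tool, or inside a password filter, so the weak-but-compliant class of passwords is caught without ever touching lockout counters.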
Can't you make a GPO for your devs and change the password policy there?
@DrBrookfield -- unfortunately no; in a 2000 or 2003 domain there is only one password policy per domain (linked at the domain level).
Didn't know that. Thanks for the heads-up; it saves me thinking you can make a GPO and spending hours wondering why I can't ;)
Yeah, the password policies are strange like that. It makes it look like you can, because all those settings still show in the GPO when you try to create it. And they sort of work, but they only apply to the local accounts of the computers in that OU (say the devs), not to domain accounts like most people expect them to.

I guess I'm looking for a smart password cracker: something that can try each account once, go through all accounts in AD, then start over with a second password 30 minutes after the first. This would never log more than one bad password against the accounts and never lock them, and since it's running on my server and not from an attacker with limited time, I can let it run for the days and weeks it will take to actually get a password.

Where do I get such a tool?
ASKER CERTIFIED SOLUTION
DBrookfield:

[Accepted answer not included on this page.]
Now that's more like it. L0phtCrack looks like the solution I need. And as for your security concerns, smart cards are what we are using for our two-factor authentication, but some of our devs run things that don't support two-factor authentication. And while you might think our devs are better about password security than normal users, I've still found some passwords just by lifting their keyboards during my rounds. Hence my need to audit them better. I'll see if any better ideas pop up, but this looks like just what I need. Thanks.
That's what I meant: social engineering is the way. If anyone is prone to writing their passwords down, then it'll be no more than 1.5 m from their workstation.

I've used L0phtCrack several times (several years ago) and it really was the Dogz. You get the hash tables with the more expensive version, which I'm told seriously reduces the time to crack the password.