Stop simple passwords

charles_dilger
I run an AD domain (Server 2003 native) with a few hundred users. I've moved all the accounts I can away from passwords over to two-factor authentication, but some people, such as developers, need to do things that still require good old-fashioned passwords. For these guys I have fairly stiff password requirements (14 chars, complex, remember last 10, change every 30 days, etc.). However, I'm still worried some people are using passwords that are too easy, like keyboard walks or a short word four times, etc. I know there are ways of using custom DLLs to force stronger password requirements than Windows normally supports, but I don't like swapping out DLLs like that. I remember an admin telling me he had something like a brute-force password cracker running on his DCs, and every so often it would crack an account so he could go yell at the user for using too simple a password. I want to do something like this; however, to combat an actual brute force I have an account lockout policy of 3 that I don't want to change, and I don't want to keep locking out everyone's accounts with the cracker. How can I do this?
Commented:
If you have the password policy set at the domain level and have it like you stated, then they are not going to be able to use simple passwords. Also, if you want different policies you can use a third-party tool (instead of trying to do it yourself): http://www.specopssoft.com/products/specops-password-policy

When you get to a 2008 domain you can also take advantage of fine grained passwords (different policies for users/groups)

Thanks

Mike

Author

Commented:
Don't really have the $ to purchase something, although I do like the Specops products (had my eye on them for a while). The complexity requirements from Windows are kind of weak. Even with everything at the highest levels, "qwertyuiop1234567890!" would be an accepted password, and as you can see that's not very complex nor hard to figure out.
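To show concretely why the built-in rule lets a password like the one above through, here is an added Python illustration (not code from this thread, Microsoft or any vendor) that approximates the Windows "must meet complexity requirements" check and then layers on the stricter pattern checks a custom password filter or offline audit would want: minimum length 14, no keyboard walks, no short chunk repeated several times, and no "same password with the counter bumped". The keyboard rows, thresholds and sample passwords are constructed assumptions.

```python
import re

# Constructed illustration of the Windows complexity rule next to a stricter
# pattern policy; thresholds and keyboard layout are assumptions, not a spec.

KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

def meets_windows_complexity(password, account="", full_name=""):
    """Approximation of the built-in rule: 6+ chars, 3 of 4 classes, no name parts."""
    if len(password) < 6:
        return False
    pw_lower = password.lower()
    if account and account.lower() in pw_lower:
        return False
    for part in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(part) > 2 and part.lower() in pw_lower:
            return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3

def has_keyboard_walk(password, run=5):
    """True if any `run` consecutive characters walk along a keyboard row, either direction."""
    pw = password.lower()
    chunks = {pw[i:i + run] for i in range(len(pw) - run + 1)}
    return any(c in row or c in row[::-1] for row in KEYBOARD_ROWS for c in chunks)

def has_repeated_word(password, min_repeats=3):
    """True if a 2-6 character chunk is repeated back to back (e.g. 'passpasspass1')."""
    return re.search(r"(.{2,6}?)\1{" + str(min_repeats - 1) + ",}", password.lower()) is not None

def only_counter_changed(old, new):
    """True when the new password is just the old one with the trailing number changed."""
    def base(s):
        return re.sub(r"\d+$", "", s).lower()
    return base(old) == base(new) and old.lower() != new.lower()

def is_acceptable(password, account="", full_name=""):
    """The policy the thread is after: Windows complexity plus 14 chars and no weak patterns."""
    return (meets_windows_complexity(password, account, full_name) and len(password) >= 14
            and not has_keyboard_walk(password) and not has_repeated_word(password))
```

Running `is_acceptable("qwertyuiop1234567890!")` returns False even though `meets_windows_complexity` accepts it, which is exactly the gap the built-in rule leaves.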
Can't you make a GPO for your devs and change the password policy there?
Commented:
@DrBrookfield -- unfortunately no, in a 2000 or 2003 domain only one password policy per domain (linked at the domain level)
Didn't know that. Thanks for the heads up; saves me thinking you can make a GPO and spending hours wondering why I can't ;)

Author

Commented:
Yea the password policies are strange like that. It makes it look like you can because all those settings still show in the GPO when you try to create it. And they sort of work but they only apply to the local accounts of the computers in that OU (say the devs) not to domain accounts like most people expect them to.

I guess I'm looking for a smart password cracker: something that can try each account once, go through all accounts in AD, then start over with a second password 30 min after the first. This would never log more than 1 bad password against the accounts and never lock them, and since it's running on my server and not from an attacker with limited time, I can let it run for the days and weeks it will take to actually get a password.

Where do I get such a tool?
Oops, yes, forgot this is what you were after; I used L0phtCrack years ago for exactly this.

http://www.l0phtcrack.com/

Now I'm not sure about this version; I used V4 or 5 I think, and then it went missing. I heard that Symantec bought them out, but apparently they're back in business.

One thing though if security is such a big thing in your organisation, shouldn't you be looking at smart cards or some such?

Remembering long complex passwords every 30 days will increase the chance that your users will just write the password down and put it on their workstation somewhere; it's human nature. I guarantee if you walk round your workstations you'll find it written somewhere, plus you'll have someone using the same password but just changing the number at the end or some such, which breaks your security.
Manch3sterUnited1 becomes Manch3sterUnited2 etc. etc., easily broken once you know someone's system.

My two pennies.

Author

Commented:
Now that's more like it. L0phtCrack looks like the solution I need. And as for your security concerns, smart cards are what we are using for our two-factor authentication, but some of our devs run things that don't support two-factor authentication. And while you might think our devs are better about password security than normal users, I've still found some passwords just by lifting their keyboards during my rounds. Hence my need to audit them better. I'll see if any better ideas pop up, but this looks like just what I need. Thanks.
That's what I meant: social engineering is the way. If anyone is prone to writing their passwords down, then it'll be no more than 1.5 m from their workstation.

I've used L0phtCrack several times (several years ago) and it really was the Dogz. You get the hash tables with the more expensive version, which I'm told seriously reduces the time to crack the password.
