zman2013

asked on

Password Strength Checker

Does anyone know a good password strength checker which can be downloaded?
Thanks.
Ron Malmstead

You want a command line utility?
Script?

..how will you be using it?
zman2013

ASKER

Browser based.
Thanks.
I like this site for checking password strength.
https://howsecureismypassword.net/
Hi xxdcmast,

I have before posting this question.  We do not want our users to go through the web and start entering their password online.  We are looking for a web-based utility which can be downloaded to the local system and can be executed within the company.

Thanks for your help.
Ok, browser based.
ASP.net?  vb, c#?
Do you have a web "portal" login currently that you are just trying to add password strength to?

I can give you code..
You can use a variety of options it just depends on how you are implementing it.
Hi.

Although it is a nice idea to have users that take this offer and that do indeed think about pw security and even test their passwords, I would not recommend believing this will be effective in terms of hardening the company's passwords. There will be too many users that just don't care.
I strongly recommend deploying a 3rd-party password checker connected to your AD, like for example Anixis Password Policy Enforcer.
McKnife,

Thanks for the recommendation.  We are using an awareness strategy, as the complex password rule is implemented through AD, and in terms of verifying who follows it properly, there will be push back.  In the meantime, the awareness must go out to prepare the human brain for what is coming next.

Thanks.
Please allow some critique: Windows' own password complexity requirements are weak. Let's say we set the length to 8 and turn complexity on. A pw like "Your1Dog" is considered a complex password. Even "Charlie1" is considered a complex password - would you believe it?
This is not far from being a joke, if you ask me.

We need more than this, we need dictionary checks, complexity requirements that are more complex and also similarity checks. Windows does not offer those.

Microsoft offers the MBSA, a security analyzer freeware that can (amongst other functions) check password complexity without knowing or breaking the password remotely. I wonder what that tool would say to "Charlie1". I am sure it would not be called secure. Default is a length of 6, so tests should include "Tony12".
Thanks McKnife.  
Purchasing Anixis is the last stage of success, but the management is not buying into it.  Support is needed from the user community in investing money to purchase Anixis's Password Policy Enforcer.  The awareness communication is to make users understand the meaning of a complex password and the threat of a breach that a weak password poses.  Management knows that AD offers a complex password option, but what does it mean; this is the battle.
Ok, my last try:

You could use the website mentioned by xxdcmast offline. Yes, https://howsecureismypassword.net/ works offline, I just tried it on a pc without internet connection. So save it as .mht file (from internet explorer) and there you go. You could share that .mht file on any type of server.
Thing is: this check is not very good. It will not use dictionary attacks that are intelligent. Example: take the pw H3ll0W0rld - it says it will take 6 years to crack it on a desktop computer. Bulls***. The pw H3ll0W0rld is HelloWorld slightly altered. Any better dictionary attack would break it in a very short time, if not in seconds. So be careful if you trust this. Again: Anixis would not see H3ll0W0rld as strong.

Also have a look at the warning on that website:
This site could be stealing your password... it's not, but it easily could be.
Be careful where you type your password.

Of course this can happen with locally installed software, too! Use it only on computers without internet access. If you host it, the host must not have internet access.
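As an added illustration of the dictionary and similarity checks McKnife asks for above (example code written for this thread, not code from Anixis, Windows, or howsecureismypassword.net; the leet table and the word list are constructed stand-ins for a real dictionary file you would ship with the page):

```javascript
// Offline, browser-side password check that goes beyond Windows-style complexity
// (length >= 8 and three of four character classes) by undoing common leet
// substitutions and stripping dictionary words before judging what is left.
// Constructed data: a real deployment would load a large word list instead.
const LEET = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's', '!': 'i' };
const WORDS = ['hello', 'world', 'charlie', 'your', 'dog', 'password', 'tony'];

// The rule Windows applies with "complexity" on: Charlie1 and Your1Dog both pass it.
function meetsWindowsComplexity(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(r => r.test(pw)).length;
  return pw.length >= 8 && classes >= 3;
}

// Map leet characters back to letters and lowercase everything, so H3ll0W0rld -> helloworld.
function normalize(pw) {
  return pw.split('').map(c => LEET[c] || c).join('').toLowerCase();
}

// Remove every known word (longest first) and return the unpredictable material left over.
function dictionaryResidue(pw) {
  let rest = normalize(pw);
  for (const w of [...WORDS].sort((a, b) => b.length - a.length)) {
    rest = rest.split(w).join('');
  }
  return rest;
}

// Returns { ok, reasons }: a password that is dictionary words plus a digit or two
// is rejected even though the Windows complexity rule would accept it.
function checkPassword(pw) {
  const reasons = [];
  if (!meetsWindowsComplexity(pw)) reasons.push('fails length/complexity');
  if (dictionaryResidue(pw).length <= 2) reasons.push('dictionary word(s) plus trivial padding');
  return { ok: reasons.length === 0, reasons };
}
```

Hosting this as a static page on an internal server with no internet access keeps the password in the browser, which addresses the "this site could be stealing your password" warning quoted above.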
..you can modify the password complexity for windows using Group Policy editor.
You can do this as a domain policy as well as a local policy.
The domain policy will apply to domain accounts while the local policy will apply to local accounts.

http://technet.microsoft.com/en-us/library/cc875814.aspx
ASKER CERTIFIED SOLUTION
Rich Rumble

Thanks.
zman, how will you proceed? I am interested.
@Richrumble
What if I told you your password is in memory, at all times, ready to be retrieved if you know where to look? Look up Mimikatz or Windows Credential Editor.
I know what mimikatz does, but who cares? The attack needs admin privileges and elevation. This is no way to get your hands on a password unless the user cooperates. And if he (UAC-wise) cooperates - why need his password, have him acknowledge your script to create your own admin.
My mimikatz/wce comments are not well placed, just a reminder. Also UAC is no factor.
Admin is needed (or elevation if you're less than admin), but using procdump on the lsass.exe process is all you need, a minidump of that process. http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html You can also use task manager to create a minidump (have to be admin, no UAC), and lots of 3rd party tools. XP has one too, built in: ntsd.exe can make a minidump. Then copy the minidump to the machine with mimikatz, recover the most complex/lengthy passwords in < 1 minute, virtually undetectable as you're using a system process and/or M$ software to get at the data.
I'll stop there :)
Again, I think strength meters are nice for "feel good" security; there are lots of other factors to consider. Password policies can add to and even subtract from password security: http://openwall.info/wiki/john/policy
-rich
Mimikatz would be a relevant attack if an attacker could trick a user to use a script which would get the plain text pw and then do whatever with it. But: if UAC is on, this does not work without confirming UAC prompts. Mimikatz's website says it: the debug privilege is needed and that priv is stripped from the administrator token unless we run as elevated admin. So I see no dangerous attack here.