Password Strength Checker

Does anyone know a good password strength checker which can be downloaded?
Thanks.
zman2013 asked:

Ron Malmstead (Information Services Manager) commented:
You want a command line utility?
Script?

How will you be using it?
0
zman2013 (Author) commented:
browser based.
Thanks.
0
Joseph Daly commented:
I like this site for checking password strength.
https://howsecureismypassword.net/
0

zman2013 (Author) commented:
Hi xxdcmast,

I did, before posting this question. We do not want our users to go out on the web and start entering their passwords online. We are looking for a web-based utility which can be downloaded to the local system and executed within the company.

Thanks for your help.
0
Ron Malmstead (Information Services Manager) commented:
Ok, browser based.
ASP.net?  vb, c#?
Do you have a web "portal" login currently that you are just trying to add password strength to?

I can give you code..
You can use a variety of options it just depends on how you are implementing it.
0
McKnife commented:
Hi.

Although it is a nice idea to have users take this offer, think about password security and even test their passwords, I would not recommend believing this will be effective in terms of hardening the company's passwords. There will be too many users that just don't care.
I strongly recommend deploying a 3rd-party password checker connected to your AD, like for example Anixis Password Policy Enforcer.
0
zman2013 (Author) commented:
McKnife,

Thanks for the recommendation. We are using an awareness strategy, as the complex password rule is implemented through AD, and verifying who follows it properly will get push-back. In the meantime, the awareness must go out to prepare the human brain for what is coming next.

Thanks.
0
McKnife commented:
Please allow some critique: Windows' own password complexity requirements are weak. Let's say we set the length to 8 and turn complexity on. A pw like "Your1Dog" is considered a complex password. Even "Charlie1" is considered a complex password - would you believe it?
This is not far from being a joke, if you ask me.

We need more than this, we need dictionary checks, complexity requirements that are more complex and also similarity checks. Windows does not offer those.

Microsoft offers the MBSA, a security analyzer freeware that can (amongst other functions) check password complexity without knowing or breaking the password remotely. I wonder what that tool would say to "Charlie1". I am sure it would not be called secure. Default is a length of 6, so tests should include "Tony12".
0
zman2013 (Author) commented:
Thanks McKnife.
Purchasing Anixis is the last stage of success, but management is not buying into it. Support is needed from the user community to invest money in purchasing Anixis's Password Policy Enforcer. The awareness communication is to make users understand the meaning of a complex password and the threat of a breach that a weak password poses. Management knows that AD offers a complex password option, but what does it mean; this is the battle.
0
McKnife commented:
Ok, my last try:

You could use the website mentioned by xxdcmast offline. Yes, https://howsecureismypassword.net/ works offline, I just tried it on a pc without internet connection. So save it as .mht file (from internet explorer) and there you go. You could share that .mht file on any type of server.
Thing is: this check is not very good. It will not use dictionary attacks that are intelligent. Example: take the pw H3ll0W0rld - it says, it will take 6 years to crack it on a desktop computer. Bulls***. The pw H3ll0W0rld is HelloWorld slightly altered. Any better dictionary attack would break it in a very short time if not in seconds. So be careful if you trust this. Again: Anixis would not see H3ll0W0rld as strong.

Also have a look at the warning on that website:
This site could be stealing your password... it's not, but it easily could be.
Be careful where you type your password.

Of course this can happen with locally installed software, too! Use it only on computers without internet access. If you host it, the host must not have internet access.
0
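One way to build the offline, browser-based checker the question asks for, as an added example that is not code from the thread or from any product named in it: it reproduces the Windows "3 of 4 character classes" complexity rule McKnife describes above and adds the dictionary check that rule lacks, undoing leetspeak substitutions so that "Charlie1", "Your1Dog" and "H3ll0W0rld" are flagged as dictionary-based. SAMPLE_DICTIONARY and the LEET substitution table are constructed stand-ins for a real word list and a fuller mangling ruleset.

```javascript
// Added example, not code from the thread: a browser-side (offline) checker that
// reproduces the Windows "3 of 4 character classes" complexity rule and adds
// the dictionary / leetspeak check the thread says Windows lacks.
// SAMPLE_DICTIONARY is a small constructed word list standing in for a real one.
const SAMPLE_DICTIONARY = new Set([
  "charlie", "hello", "world", "tony", "your", "dog", "password", "summer",
]);

// Windows complexity: minimum length plus at least 3 of 4 character classes.
function meetsWindowsComplexity(pw, minLength = 8) {
  if (pw.length < minLength) return false;
  const classes = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/];
  return classes.filter((re) => re.test(pw)).length >= 3;
}

// One-to-one reversal of common letter substitutions (keeps string length).
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };
function deLeet(pw) {
  return Array.from(pw.toLowerCase(), (c) => LEET[c] ?? c).join("");
}

// True if the password is just dictionary words, possibly leet-substituted,
// glued together with digits or symbols ("Your1Dog", "H3ll0W0rld", "Charlie1").
function isDictionaryBased(pw) {
  const norm = deLeet(pw);
  const walk = (i, matchedWord) => {
    if (i === norm.length) return matchedWord;
    for (let len = Math.min(norm.length - i, 12); len >= 3; len--) {
      if (SAMPLE_DICTIONARY.has(norm.slice(i, i + len)) && walk(i + len, true)) return true;
    }
    // A non-letter in the original may act as separator/padding (the "1" in Charlie1).
    return /[^a-z]/i.test(pw[i]) ? walk(i + 1, matchedWord) : false;
  };
  return walk(0, false);
}

// Combined verdict for display in a page: the Windows rule alone is not enough.
function assess(pw) {
  const windowsComplex = meetsWindowsComplexity(pw);
  const dictionaryBased = isDictionaryBased(pw);
  const verdict = !windowsComplex ? "rejected by Windows complexity"
    : dictionaryBased ? "passes Windows complexity but is dictionary-based: weak"
    : pw.length < 14 ? "acceptable but short; prefer 14+ characters" : "strong";
  return { windowsComplex, dictionaryBased, verdict };
}
```

A real deployment would load a full word list and run this entirely client-side on a host without internet access, as the post above recommends.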
Ron Malmstead (Information Services Manager) commented:
You can modify the password complexity for Windows using the Group Policy editor.
You can do this as a domain policy as well as a local policy.
The domain policy will apply to domain accounts while the local policy will apply to local accounts.

http://technet.microsoft.com/en-us/library/cc875814.aspx
0
Rich Rumble (Security Samurai) commented:
Password checkers don't work, not these days, and especially for Windows. What if I told you your password is in memory, at all times, ready to be retrieved if you know where to look? Look up Mimikatz or Windows Credential Editor.

Further, LM/NTLM and Kerberos key exchange are "fast" hashes, meaning you can try millions of them per second. So H3ll0W0rld is very weak. Anything under 14 characters (NTLM) will fall in 1 day or less with some rigs. Brute force is not used typically; there are better ways than iterating over all possible combinations aaa, aab, aac, aad, aae etc... No one does that; instead they use Markov models or trigraph frequencies (rstlne) to try more plausible passwords.

This article explains it better:
http://arstechnica.com/security/2013/05/its-official-password-strength-meters-arent-security-theater/

So it depends on your PW meter's understanding of passwords. If you can measure user passwords against other strong, and slow hash types, the better the password.

Check out the CrackMeIfYouCan challenges from Korelogic to see how cracking passwords in the real-world is done, and how they crack the toughest passwords. The longer the better, the more they are not like real words the better. But substituting numbers for letters is poor.
-rich
0

zman2013 (Author) commented:
Thanks.
0
McKnife commented:
zman, how will you proceed? I am interested.
@Richrumble
What if I told you your password is in memory, at all times, ready to be retrieved if you know where to look? Look up Mimikatz or Windows Credential Editor.
I know what mimikatz does, but who cares? The attack needs admin privileges and elevation. This is no way to get your hands on a password unless the user cooperates. And if he (UAC-wise) cooperates - why need his password, have him acknowledge your script to create your own admin.
0
Rich Rumble (Security Samurai) commented:
My mimikatz/wce comments are not well placed, just a reminder. Also UAC is no factor.
Admin is needed (or elevation if you're less than admin), but using procdump on the lsass.exe process is all you need, a minidump of that process. http://carnal0wnage.attackresearch.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html You can also use Task Manager to create a minidump (have to be admin, no UAC), and lots of 3rd-party tools. XP has one too, built in: ntsd.exe can make a minidump. Then copy the minidump to the machine with mimikatz, recover the most complex/lengthy passwords in < 1 minute, virtually undetectable as you're using a system process and/or M$ software to get at the data.
I'll stop there :)
Again, I think strength meters are nice for "feel good" security; there are lots of other factors to consider. Password policies can add to and even subtract from password security: http://openwall.info/wiki/john/policy
-rich
0
McKnife commented:
Mimikatz would be a relevant attack if an attacker could trick a user to use a script which would get the plain text pw and then do whatever with it. But: if UAC is on, this does not work without confirming UAC prompts. Mimikatz's website says it: the debug privilege is needed and that priv is stripped from the administrator token unless we run as elevated admin. So I see no dangerous attack here.
0