Solved

Various ways to scan for weak passwords in a database  or on a comuter.

Posted on 2015-02-03
8
202 Views
Last Modified: 2015-02-04
Hi,

I have been researching the net for a tool like nessus or a standalone tool that can allow me to scan a pc,  Microsoft sql server database, or data base table that holds passwords (clear text or encrypted).  I have found a lot of articles but nothing that states: nessus can be used to scan a db or a host to determine if it stores weak passwords-this is how using this audit file or use this tool on your network to ind weak password in a DB (admin or user, schema).  another example, is there a script I can run to find weak passwords on 16 SQL servers that I can use instead of going to each. I am open to suggestions. thanks in advance.
0
Comment
Question by:cesemj
  • 5
  • 2
8 Comments
 
LVL 45

Expert Comment

by:aikimark
ID: 40587131
@cesemj

Yours is a fairly broad and very sensitive question.  Before I could even begin to help you, I need to know the context of your question.  For instance...
1. In what capacity are you working for/with the company that owns the SQL Servers?
2. How do you (or the company) define "weak password"?
3. Is there a single table in each database that stores ID/pwd combinations or multiple tables?
4. How are these ID/pwd tables defined?
5. How are these ID/pwd tables administered?
6. Are these databases for internal company use or do they support an Internet application?
7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search?
0
 

Author Comment

by:cesemj
ID: 40587213
Hi,

1. In what capacity are you working for/with the company that owns the SQL Servers? employee preparing to do a self audit as required by FISMA - looking for auditing tools.
 
2. How do you (or the company) define "weak password"? passwords that do not contain a capital letter, special character, and are less than 8 alpha numeric characters.

3. Is there a single table in each database that stores ID/pwd combinations or multiple tables? both - no standard regarding best practices. We are using FISMA to fix issues.

4. How are these ID/pwd tables defined? do you mean tblpwd with a unique id linked to the userID.

5. How are these ID/pwd tables administered? yes

6. Are these databases for internal company use or do they support an Internet application? both there are over

7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search? FISMA Regulatory requirement - existing applications and system controls do not subscribe to FISMA password complexity (as reported by an independent auditor).
0
 
LVL 45

Expert Comment

by:aikimark
ID: 40587350

FISMA related items:

* DHS databases that have accounts with default passwords, weak
password controls, missing software patches, excess user privileges, and
vulnerable functionality packages made available to users with the
“public” role.

* Strong Authentication – passwords alone provide little security. Federal smartcard
credentials, such as Personal Identity Verification (PIV) and common access cards,
provide multi-factor authentication and digital signature and encryption capabilities,
authorizing users to access Federal information systems with a higher level of
assurance.
http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-04_Oct12.pdf

Do you fall under IAP?
http://www.oig.dhs.gov/assets/Mgmt/OIG_09-104_Sep09.pdf

* Require that employees use strong passwords and regularly change them.
http://www.dhs.gov/taxonomy/term/170/feed
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 45

Expert Comment

by:aikimark
ID: 40587352
The simplest approach would be to put a password filter in place that meets your criteria for strong passwords and then make everyone change their password (expire them all).
0
 
LVL 45

Accepted Solution

by:
aikimark earned 500 total points
ID: 40587364
Without a standard, I think you would have to scan every table in every database, looking for known userID values in plain text.  Then, you would need to look at all of these tables' data, searching for other plaintext fields that might be passwords.

If you don't find any plaintext password values, you have to work with the DBAs and application folks to find out what they do to protect their password values.  Are they salted?  Are they encrypted or hashed?  If so, what algorithm is used?

To answer your "weak" question, you would probably need to crack the passwords.  If poorly hashed (unsalted MD5 values, for instance), it might be possible to derive plain text from a HUGE list of (MD5) hash values.

As far as I know, there is no simple automated solution to your question...at least not in the white-hat world.
0
 

Author Comment

by:cesemj
ID: 40589066
Thanks for sharing your insight.
0
 
LVL 45

Expert Comment

by:aikimark
ID: 40589269
Thanks for the points.

One last thought...If you obtain a list of the 500-1000 weakest/popular passwords (123456, password, etc.), and know the encryption/hashing methods used by the different applications, you could check for matching hash values as a metric of the strength of the passwords in use at your company.  You could report the percentage of "weak" passwords found.

It is probably better to report these weakness on a server-by-server basis, since some of the servers may be MUCH worse than others.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question