Various ways to scan for weak passwords in a database or on a comuter.

Hi,

I have been researching the net for a tool like nessus or a standalone tool that can allow me to scan a pc,  Microsoft sql server database, or data base table that holds passwords (clear text or encrypted).  I have found a lot of articles but nothing that states: nessus can be used to scan a db or a host to determine if it stores weak passwords-this is how using this audit file or use this tool on your network to ind weak password in a DB (admin or user, schema).  another example, is there a script I can run to find weak passwords on 16 SQL servers that I can use instead of going to each. I am open to suggestions. thanks in advance.
cesemjAsked:
Who is Participating?
 
aikimarkConnect With a Mentor Commented:
Without a standard, I think you would have to scan every table in every database, looking for known userID values in plain text.  Then, you would need to look at all of these tables' data, searching for other plaintext fields that might be passwords.

If you don't find any plaintext password values, you have to work with the DBAs and application folks to find out what they do to protect their password values.  Are they salted?  Are they encrypted or hashed?  If so, what algorithm is used?

To answer your "weak" question, you would probably need to crack the passwords.  If poorly hashed (unsalted MD5 values, for instance), it might be possible to derive plain text from a HUGE list of (MD5) hash values.

As far as I know, there is no simple automated solution to your question...at least not in the white-hat world.
0
 
aikimarkCommented:
@cesemj

Yours is a fairly broad and very sensitive question.  Before I could even begin to help you, I need to know the context of your question.  For instance...
1. In what capacity are you working for/with the company that owns the SQL Servers?
2. How do you (or the company) define "weak password"?
3. Is there a single table in each database that stores ID/pwd combinations or multiple tables?
4. How are these ID/pwd tables defined?
5. How are these ID/pwd tables administered?
6. Are these databases for internal company use or do they support an Internet application?
7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search?
0
 
cesemjAuthor Commented:
Hi,

1. In what capacity are you working for/with the company that owns the SQL Servers? employee preparing to do a self audit as required by FISMA - looking for auditing tools.
 
2. How do you (or the company) define "weak password"? passwords that do not contain a capital letter, special character, and are less than 8 alpha numeric characters.

3. Is there a single table in each database that stores ID/pwd combinations or multiple tables? both - no standard regarding best practices. We are using FISMA to fix issues.

4. How are these ID/pwd tables defined? do you mean tblpwd with a unique id linked to the userID.

5. How are these ID/pwd tables administered? yes

6. Are these databases for internal company use or do they support an Internet application? both there are over

7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search? FISMA Regulatory requirement - existing applications and system controls do not subscribe to FISMA password complexity (as reported by an independent auditor).
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
aikimarkCommented:

FISMA related items:

* DHS databases that have accounts with default passwords, weak
password controls, missing software patches, excess user privileges, and
vulnerable functionality packages made available to users with the
“public” role.

* Strong Authentication – passwords alone provide little security. Federal smartcard
credentials, such as Personal Identity Verification (PIV) and common access cards,
provide multi-factor authentication and digital signature and encryption capabilities,
authorizing users to access Federal information systems with a higher level of
assurance.
http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-04_Oct12.pdf

Do you fall under IAP?
http://www.oig.dhs.gov/assets/Mgmt/OIG_09-104_Sep09.pdf

* Require that employees use strong passwords and regularly change them.
http://www.dhs.gov/taxonomy/term/170/feed
0
 
aikimarkCommented:
The simplest approach would be to put a password filter in place that meets your criteria for strong passwords and then make everyone change their password (expire them all).
0
 
cesemjAuthor Commented:
Thanks for sharing your insight.
0
 
aikimarkCommented:
Thanks for the points.

One last thought...If you obtain a list of the 500-1000 weakest/popular passwords (123456, password, etc.), and know the encryption/hashing methods used by the different applications, you could check for matching hash values as a metric of the strength of the passwords in use at your company.  You could report the percentage of "weak" passwords found.

It is probably better to report these weakness on a server-by-server basis, since some of the servers may be MUCH worse than others.
0
All Courses

From novice to tech pro — start learning today.