Solved

Various ways to scan for weak passwords in a database  or on a comuter.

Posted on 2015-02-03
8
193 Views
Last Modified: 2015-02-04
Hi,

I have been researching the net for a tool like nessus or a standalone tool that can allow me to scan a pc,  Microsoft sql server database, or data base table that holds passwords (clear text or encrypted).  I have found a lot of articles but nothing that states: nessus can be used to scan a db or a host to determine if it stores weak passwords-this is how using this audit file or use this tool on your network to ind weak password in a DB (admin or user, schema).  another example, is there a script I can run to find weak passwords on 16 SQL servers that I can use instead of going to each. I am open to suggestions. thanks in advance.
0
Comment
Question by:cesemj
  • 5
  • 2
8 Comments
 
LVL 45

Expert Comment

by:aikimark
ID: 40587131
@cesemj

Yours is a fairly broad and very sensitive question.  Before I could even begin to help you, I need to know the context of your question.  For instance...
1. In what capacity are you working for/with the company that owns the SQL Servers?
2. How do you (or the company) define "weak password"?
3. Is there a single table in each database that stores ID/pwd combinations or multiple tables?
4. How are these ID/pwd tables defined?
5. How are these ID/pwd tables administered?
6. Are these databases for internal company use or do they support an Internet application?
7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search?
0
 

Author Comment

by:cesemj
ID: 40587213
Hi,

1. In what capacity are you working for/with the company that owns the SQL Servers? employee preparing to do a self audit as required by FISMA - looking for auditing tools.
 
2. How do you (or the company) define "weak password"? passwords that do not contain a capital letter, special character, and are less than 8 alpha numeric characters.

3. Is there a single table in each database that stores ID/pwd combinations or multiple tables? both - no standard regarding best practices. We are using FISMA to fix issues.

4. How are these ID/pwd tables defined? do you mean tblpwd with a unique id linked to the userID.

5. How are these ID/pwd tables administered? yes

6. Are these databases for internal company use or do they support an Internet application? both there are over

7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search? FISMA Regulatory requirement - existing applications and system controls do not subscribe to FISMA password complexity (as reported by an independent auditor).
0
 
LVL 45

Expert Comment

by:aikimark
ID: 40587350

FISMA related items:

* DHS databases that have accounts with default passwords, weak
password controls, missing software patches, excess user privileges, and
vulnerable functionality packages made available to users with the
“public” role.

* Strong Authentication – passwords alone provide little security. Federal smartcard
credentials, such as Personal Identity Verification (PIV) and common access cards,
provide multi-factor authentication and digital signature and encryption capabilities,
authorizing users to access Federal information systems with a higher level of
assurance.
http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-04_Oct12.pdf

Do you fall under IAP?
http://www.oig.dhs.gov/assets/Mgmt/OIG_09-104_Sep09.pdf

* Require that employees use strong passwords and regularly change them.
http://www.dhs.gov/taxonomy/term/170/feed
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 45

Expert Comment

by:aikimark
ID: 40587352
The simplest approach would be to put a password filter in place that meets your criteria for strong passwords and then make everyone change their password (expire them all).
0
 
LVL 45

Accepted Solution

by:
aikimark earned 500 total points
ID: 40587364
Without a standard, I think you would have to scan every table in every database, looking for known userID values in plain text.  Then, you would need to look at all of these tables' data, searching for other plaintext fields that might be passwords.

If you don't find any plaintext password values, you have to work with the DBAs and application folks to find out what they do to protect their password values.  Are they salted?  Are they encrypted or hashed?  If so, what algorithm is used?

To answer your "weak" question, you would probably need to crack the passwords.  If poorly hashed (unsalted MD5 values, for instance), it might be possible to derive plain text from a HUGE list of (MD5) hash values.

As far as I know, there is no simple automated solution to your question...at least not in the white-hat world.
0
 

Author Comment

by:cesemj
ID: 40589066
Thanks for sharing your insight.
0
 
LVL 45

Expert Comment

by:aikimark
ID: 40589269
Thanks for the points.

One last thought...If you obtain a list of the 500-1000 weakest/popular passwords (123456, password, etc.), and know the encryption/hashing methods used by the different applications, you could check for matching hash values as a metric of the strength of the passwords in use at your company.  You could report the percentage of "weak" passwords found.

It is probably better to report these weakness on a server-by-server basis, since some of the servers may be MUCH worse than others.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Can't connect to new installation of SQL Server 2016 6 31
Sonicwall blocks a site 49 58
T-SQL:  I Want "Summary"--Not "Detail" 6 22
Help Parsing a String with SQL Syntax 23 32
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now