Solved

Various ways to scan for weak passwords in a database  or on a comuter.

Posted on 2015-02-03
8
192 Views
Last Modified: 2015-02-04
Hi,

I have been researching the net for a tool like nessus or a standalone tool that can allow me to scan a pc,  Microsoft sql server database, or data base table that holds passwords (clear text or encrypted).  I have found a lot of articles but nothing that states: nessus can be used to scan a db or a host to determine if it stores weak passwords-this is how using this audit file or use this tool on your network to ind weak password in a DB (admin or user, schema).  another example, is there a script I can run to find weak passwords on 16 SQL servers that I can use instead of going to each. I am open to suggestions. thanks in advance.
0
Comment
Question by:cesemj
  • 5
  • 2
8 Comments
 
LVL 45

Expert Comment

by:aikimark
Comment Utility
@cesemj

Yours is a fairly broad and very sensitive question.  Before I could even begin to help you, I need to know the context of your question.  For instance...
1. In what capacity are you working for/with the company that owns the SQL Servers?
2. How do you (or the company) define "weak password"?
3. Is there a single table in each database that stores ID/pwd combinations or multiple tables?
4. How are these ID/pwd tables defined?
5. How are these ID/pwd tables administered?
6. Are these databases for internal company use or do they support an Internet application?
7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search?
0
 

Author Comment

by:cesemj
Comment Utility
Hi,

1. In what capacity are you working for/with the company that owns the SQL Servers? employee preparing to do a self audit as required by FISMA - looking for auditing tools.
 
2. How do you (or the company) define "weak password"? passwords that do not contain a capital letter, special character, and are less than 8 alpha numeric characters.

3. Is there a single table in each database that stores ID/pwd combinations or multiple tables? both - no standard regarding best practices. We are using FISMA to fix issues.

4. How are these ID/pwd tables defined? do you mean tblpwd with a unique id linked to the userID.

5. How are these ID/pwd tables administered? yes

6. Are these databases for internal company use or do they support an Internet application? both there are over

7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search? FISMA Regulatory requirement - existing applications and system controls do not subscribe to FISMA password complexity (as reported by an independent auditor).
0
 
LVL 45

Expert Comment

by:aikimark
Comment Utility

FISMA related items:

* DHS databases that have accounts with default passwords, weak
password controls, missing software patches, excess user privileges, and
vulnerable functionality packages made available to users with the
“public” role.

* Strong Authentication – passwords alone provide little security. Federal smartcard
credentials, such as Personal Identity Verification (PIV) and common access cards,
provide multi-factor authentication and digital signature and encryption capabilities,
authorizing users to access Federal information systems with a higher level of
assurance.
http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-04_Oct12.pdf

Do you fall under IAP?
http://www.oig.dhs.gov/assets/Mgmt/OIG_09-104_Sep09.pdf

* Require that employees use strong passwords and regularly change them.
http://www.dhs.gov/taxonomy/term/170/feed
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 45

Expert Comment

by:aikimark
Comment Utility
The simplest approach would be to put a password filter in place that meets your criteria for strong passwords and then make everyone change their password (expire them all).
0
 
LVL 45

Accepted Solution

by:
aikimark earned 500 total points
Comment Utility
Without a standard, I think you would have to scan every table in every database, looking for known userID values in plain text.  Then, you would need to look at all of these tables' data, searching for other plaintext fields that might be passwords.

If you don't find any plaintext password values, you have to work with the DBAs and application folks to find out what they do to protect their password values.  Are they salted?  Are they encrypted or hashed?  If so, what algorithm is used?

To answer your "weak" question, you would probably need to crack the passwords.  If poorly hashed (unsalted MD5 values, for instance), it might be possible to derive plain text from a HUGE list of (MD5) hash values.

As far as I know, there is no simple automated solution to your question...at least not in the white-hat world.
0
 

Author Comment

by:cesemj
Comment Utility
Thanks for sharing your insight.
0
 
LVL 45

Expert Comment

by:aikimark
Comment Utility
Thanks for the points.

One last thought...If you obtain a list of the 500-1000 weakest/popular passwords (123456, password, etc.), and know the encryption/hashing methods used by the different applications, you could check for matching hash values as a metric of the strength of the passwords in use at your company.  You could report the percentage of "weak" passwords found.

It is probably better to report these weakness on a server-by-server basis, since some of the servers may be MUCH worse than others.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.
Viewers will learn how the fundamental information of how to create a table.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now