Link to home
Start Free TrialLog in
Avatar of cesemj
cesemj

asked on

Various ways to scan for weak passwords in a database or on a comuter.

Hi,

I have been researching the net for a tool like nessus or a standalone tool that can allow me to scan a pc,  Microsoft sql server database, or data base table that holds passwords (clear text or encrypted).  I have found a lot of articles but nothing that states: nessus can be used to scan a db or a host to determine if it stores weak passwords-this is how using this audit file or use this tool on your network to ind weak password in a DB (admin or user, schema).  another example, is there a script I can run to find weak passwords on 16 SQL servers that I can use instead of going to each. I am open to suggestions. thanks in advance.
Avatar of aikimark
aikimark
Flag of United States of America image

@cesemj

Yours is a fairly broad and very sensitive question.  Before I could even begin to help you, I need to know the context of your question.  For instance...
1. In what capacity are you working for/with the company that owns the SQL Servers?
2. How do you (or the company) define "weak password"?
3. Is there a single table in each database that stores ID/pwd combinations or multiple tables?
4. How are these ID/pwd tables defined?
5. How are these ID/pwd tables administered?
6. Are these databases for internal company use or do they support an Internet application?
7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search?
Avatar of cesemj
cesemj

ASKER

Hi,

1. In what capacity are you working for/with the company that owns the SQL Servers? employee preparing to do a self audit as required by FISMA - looking for auditing tools.
 
2. How do you (or the company) define "weak password"? passwords that do not contain a capital letter, special character, and are less than 8 alpha numeric characters.

3. Is there a single table in each database that stores ID/pwd combinations or multiple tables? both - no standard regarding best practices. We are using FISMA to fix issues.

4. How are these ID/pwd tables defined? do you mean tblpwd with a unique id linked to the userID.

5. How are these ID/pwd tables administered? yes

6. Are these databases for internal company use or do they support an Internet application? both there are over

7. Do you (or the company) suspect there are "weak" passwords, that "weak" passwords have already caused a problem, or some other motivation for your search? FISMA Regulatory requirement - existing applications and system controls do not subscribe to FISMA password complexity (as reported by an independent auditor).

FISMA related items:

* DHS databases that have accounts with default passwords, weak
password controls, missing software patches, excess user privileges, and
vulnerable functionality packages made available to users with the
“public” role.

* Strong Authentication – passwords alone provide little security. Federal smartcard
credentials, such as Personal Identity Verification (PIV) and common access cards,
provide multi-factor authentication and digital signature and encryption capabilities,
authorizing users to access Federal information systems with a higher level of
assurance.
http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-04_Oct12.pdf

Do you fall under IAP?
http://www.oig.dhs.gov/assets/Mgmt/OIG_09-104_Sep09.pdf

* Require that employees use strong passwords and regularly change them.
http://www.dhs.gov/taxonomy/term/170/feed
The simplest approach would be to put a password filter in place that meets your criteria for strong passwords and then make everyone change their password (expire them all).
ASKER CERTIFIED SOLUTION
Avatar of aikimark
aikimark
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of cesemj

ASKER

Thanks for sharing your insight.
Thanks for the points.

One last thought...If you obtain a list of the 500-1000 weakest/popular passwords (123456, password, etc.), and know the encryption/hashing methods used by the different applications, you could check for matching hash values as a metric of the strength of the passwords in use at your company.  You could report the percentage of "weak" passwords found.

It is probably better to report these weakness on a server-by-server basis, since some of the servers may be MUCH worse than others.