cawasaki asked:

Extract the password hashes of all users in Active Directory: is it safe?


Currently we are working on a monthly internal security test which, among other things, should contain a verification of the real password strength the users choose. For this reason the security team asked me to extract the password hashes of all users via LDAP.

What the security team wants to do is extract the hashes so we can run a syllable attack against them to verify whether the passwords are really good or just technically good.

Is this method good and safe? I'm afraid the hashes could go into the wrong hands.
McKnife (Germany):

I recommend looking at this article: &notificationFollowed=213945133#c2262812
It explains how to do such a check yourself; you don't need to give it to them.
cawasaki:

OK, what can I say to my security team to explain that it's bad to export user hashes?

As said, it's not too complicated to do that check yourself; you don't need to trust a 3rd party here, so don't do it.

Allowing access to hashes via LDAP is also a horrible idea. Normally, only Domain Controllers have access to the hash data for accounts. This is an important security configuration that you should not change. There are applications and tools (like McKnife referenced), but hash checks/extraction should not be done remotely. Allowing remote access to hashes would make it very, very easy for an intruder to escalate privileges.

Is the 3rd party a reputable security company? Are they going to delete the hashes afterwards and make sure no hash is available for attackers or others to copy off their systems?

If you want to do it yourself, you just need to download the 11 GB of hashes from haveibeenpwned and compare them with your users' hashes. Any hash found on the list means the user with that hash should change their password immediately.
Next you run a password cracker and see if any hashes were easier than expected to crack.
is this method good and safe,
This method is a common one that a hacker would take, so I can understand the request.

I'm afraid the hash go in the wrong hand.
If the security team itself is making the request, then make sure that you have it in writing. If you feel uncomfortable with it, don't be afraid to go to your manager. If a 3rd party is requesting it, make sure you have in writing that they're authorized to get those hashes from the security team. That way, if anything happens, you have documentation. In either scenario, the responsibility falls on the security team as they're the ones authorizing things.

I'm a security person, and I would recommend against the exact path here. One time (or even annually) as part of an audit or exercise is one thing, but on a monthly basis? I get the spirit of what they want to do, but what would make more sense is actually enforcing a strong password policy. Users should be changing their passwords every so often anyway, so a better policy should be able to get enforced. Besides, with all of the reporting tools available for AD, you should be able to audit all sorts of *other* things very easily.

Example: A stronger password policy got implemented yesterday. Assuming that the time between password changes is 90 days, you know that all of the accounts within that policy should be in compliance after about 91 days (the few that haven't been changed should be forced to get changed).

The problem today with the Active Directory password policy is that I don't have a way to apply a specific policy.

For example, my current policy is 12 characters and 90 days to change the password, but some users can choose this type of password:

If the company name is Contoso, the same user chooses a password like:

after 90 days


Is there any way to prohibit some words?
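As an added illustration (not code from any poster here, and not the code of any product mentioned on this page), this is the kind of normalisation a password filter has to perform to reject "technically compliant" passwords built from the company name. The banned list, the 12-character minimum and the function names are this example's own assumptions, taken from the policy described in the question.

```python
import re
from typing import Iterable, List, Optional

# Common substitutions users make to satisfy "complexity" while keeping the same guessable word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Constructed policy inputs for this example: the company name from the question plus two classics.
BANNED_WORDS = ["Contoso", "password", "welcome"]
MIN_LENGTH = 12  # the policy length mentioned in the question


def normalise(text: str) -> str:
    """Lower-case, undo leet substitutions, keep letters only, so 'C0nt0s0!' and 'contoso' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def banned_word_hit(password: str, banned: Iterable[str]) -> Optional[str]:
    """Return the first banned word that survives inside the normalised password, or None."""
    norm = normalise(password)
    for word in banned:
        w = normalise(word)
        if w and w in norm:
            return word
    return None


def check_password(password: str, username: str, banned: Iterable[str] = BANNED_WORDS,
                   min_len: int = MIN_LENGTH) -> List[str]:
    """Return every policy failure for a proposed password; an empty list means it passes."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    hit = banned_word_hit(password, banned)
    if hit is not None:
        failures.append(f"contains banned word '{hit}'")
    if normalise(username) and normalise(username) in normalise(password):
        failures.append("contains the user name")
    return failures


if __name__ == "__main__":
    # "Contoso2024!" is 12 characters with mixed character classes, so plain AD policy accepts it.
    for candidate in ["Contoso2024!", "C0nt0s0!Winter2024", "JSmith-Password-2024", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, 'jsmith') or 'OK'}")
```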
McKnife (Germany):

This solution is only available to members of Experts Exchange.

You can't do quite that much fine-tuning of password requirements with just AD. You could get something like Password Policy Enforcer and set stricter requirements.
As for changing passwords every 90 days, that's a terrible idea. I don't believe in that and mainly run password crackers on my password hashes and force people to change passwords if they were cracked. If the passwords are strong enough, then you shouldn't have to force any sort of change. Forcing users to change passwords that frequently just causes them to make easier passwords and do repetitive sequences. It's easy enough to change your password 12 times or 20 times in 20 days to get your original password back. I'd rather they set a strong password to start, at least during this narrow few years left before quantum computing really arrives on the scene to make current password access schemas entirely moot.

If you're still interested in testing passwords, you can do it yourself and download all the password hashes from
The NTLM version 5 hash is 7.63 GB and you can use that set to compare hashes with user hashes. If any hashes match something in that hash list, the users should be forced to change their passwords immediately.

That's just the initial test.  You should also run a brute force password cracker on your user accounts.
@mcknife sorry, didn't see your post about Anixis until after I posted. No points for my post on that subject please.
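Added example (not code from any poster on this thread) of the offline comparison that both answers above describe: stream a HASH:count list in the format of the haveibeenpwned NTLM download and report which accounts' hashes appear, plus which accounts share one hash. The sample list and user hashes are constructed placeholders, and the function names are this example's own.

```python
import re
from typing import Dict, Iterable, List

# One list entry per line: 32 hex chars of NT hash, a colon, then the number of breach records it was seen in.
HASH_LINE = re.compile(r"^([0-9A-Fa-f]{32}):(\d+)\s*$")

# Constructed stand-in for the multi-GB pwned-NTLM download; every hash here is a made-up placeholder.
SAMPLE_PWNED_LIST = """\
0000000000000000000000000000AAAA:12
1234567812345678123456781234CCCC:3
DEADBEEFDEADBEEFDEADBEEFDEADBEEF:7
"""

# Constructed user -> NT hash map, i.e. what an offline, DC-side dump would give the auditor.
SAMPLE_USERS = {
    "alice": "0000000000000000000000000000aaaa",  # lower-case on purpose: the comparison must fold case
    "bob":   "1111111111111111111111111111BBBB",  # not on the list
    "carol": "DEADBEEFDEADBEEFDEADBEEFDEADBEEF",
    "dave":  "0000000000000000000000000000AAAA",  # same hash as alice: the two accounts share a password
}


def find_pwned_users(user_hashes: Dict[str, str], pwned_lines: Iterable[str]) -> Dict[str, int]:
    """Stream the HASH:count list once; return {user: breach_count} for every user whose hash is on it.
    Only the small user map is in memory; pwned_lines can be an open file, so the 7-11 GB list streams."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h.upper(), []).append(user)
    hits: Dict[str, int] = {}
    for lineno, line in enumerate(pwned_lines, 1):
        if not line.strip():
            continue
        m = HASH_LINE.match(line)
        if m is None:  # fail loudly on a corrupt download instead of silently skipping entries
            raise ValueError(f"malformed line {lineno}: {line.rstrip()!r}")
        for user in by_hash.get(m.group(1).upper(), ()):
            hits[user] = int(m.group(2))
    return hits


def find_shared_hashes(user_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Identical NT hashes mean identical passwords: report every hash used by more than one account."""
    groups: Dict[str, List[str]] = {}
    for user, h in user_hashes.items():
        groups.setdefault(h.upper(), []).append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    for user, count in sorted(find_pwned_users(SAMPLE_USERS, SAMPLE_PWNED_LIST.splitlines()).items()):
        print(f"{user}: password seen in {count} breach records -> force a change")
```

With the real download, pass `open("pwned-passwords-ntlm.txt")` (path is an assumption) as `pwned_lines` instead of the sample list.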