Hi,

Is it possible to test our AD for weak passwords?

We have set max password age, and password complexity etc. However, we would like to know that the passwords that are CURRENTLY still in the system are good or weak.

Perhaps some kind of tool to test dictionary passwords etc, but preferably locally on the /var/lib/samba databases to not lock out the accounts due to too many failed passwords.

Suggestions?
On 06/10/15 13:32, mourik jan c heupink wrote:
> Hi,
>
> Is it possible to test our AD for weak passwords?
>
> We have set max password age, and password complexity etc. However, we
> would like to know that the passwords that are CURRENTLY still in the
> system are good or weak.
>
> Perhaps some kind of tool to test dictionary passwords etc, but
> preferably locally on the /var/lib/samba databases to not lockout the
> accounts due to too many failed passwords.
>
> Suggestions?
>

Why test, just make everybody change their password at next login, this way they will be complex passwords. :-)

Rowland
But the issue is: we have many users that do not login locally using windows-workstations, but instead use various kinds of remote access, like web interfaces, email, vpn, etc, etc.

I am not sure what would happen with those services, if I would set accounts to 'change password on next logon'... I know this would work in the case of 'regular' 'interactive logons', as I think samba logs call them.

MJ

On 6-10-2015 14:47, Rowland Penny wrote:
> On 06/10/15 13:32, mourik jan c heupink wrote:
>> Hi,
>>
>> Is it possible to test our AD for weak passwords?
>>
>> We have set max password age, and password complexity etc. However, we
>> would like to know that the passwords that are CURRENTLY still in the
>> system are good or weak.
>>
>> Perhaps some kind of tool to test dictionary passwords etc, but
>> preferably locally on the /var/lib/samba databases to not lockout the
>> accounts due to too many failed passwords.
>>
>> Suggestions?
>>
>
> Why test, just make everybody change their password at next login, this
> way they will be complex passwords. :-)
>
> Rowland
>
>
Hello Mourik,

On 06.10.2015 at 14:32, mourik jan c heupink wrote:
> Is it possible to test our AD for weak passwords?
> ...
> Perhaps some kind of tool to test dictionary passwords etc

The passwords are stored as an encrypted NT hash. You can't decrypt them. And to look up the hashes in databases with cleartext strings or try to brute force, would make you - at least here - directly unemployed! ;-)

I think the best is what Rowland has already suggested: force all users to set their passwords at the next login. Combined with a password history, a good minimum length and minimum age, it's the best you can do.

However, even if you enable all that, this doesn't prevent users from choosing stupid passwords: "January2015", "February2015", "March2015", ... They are all valid, because they meet the minimum 3 of the 5 character categories (https://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx) and they won't even conflict with the password history policy.

Regards,
Marc
Hi Rowland and Marc,

Thanks for your responses. I guess I'll take your advice then. :-)

MJ
BOFH!

On 06/10/15 23:47, Rowland Penny wrote:
> On 06/10/15 13:32, mourik jan c heupink wrote:
>> Hi,
>>
>> Is it possible to test our AD for weak passwords?
>>
>> We have set max password age, and password complexity etc. However,
>> we would like to know that the passwords that are CURRENTLY still in
>> the system are good or weak.
>>
>> Perhaps some kind of tool to test dictionary passwords etc, but
>> preferably locally on the /var/lib/samba databases to not lockout the
>> accounts due to too many failed passwords.
>>
>> Suggestions?
>>
>
> Why test, just make everybody change their password at next login,
> this way they will be complex passwords. :-)
>
> Rowland
>
>
mourik jan c heupink <heupink at merit.unu.edu> writes:
> Perhaps some kind of tool to test dictionary passwords etc, but
> preferably locally on the /var/lib/samba databases to not lockout the
> accounts due to too many failed passwords.
>
> Suggestions?

I am running a password cracking tool on my authentication server (LDAP though); anytime there is a change in the LDAP directory, the tool is launched.

I am using an *old* tool, namely Crack v5.0 by Alec Muffett, that I have modified to use MD5 (it was written originally to use crypt on a generic /etc/passwd file). It is slow, but I have it running only on the subset of the LDAP that has been modified and as it runs in the background, I don't really care.

At the beginning of each run, I will extract the information from LDAP and generate a pseudo /etc/password file and compare it to the one generated in the previous run. Only the lines that have changed will be passed to crack.

As crack uses the information in the gecos field to do more testing, I also try to pack as much individual information as possible into that field.

Since I have enforced the use of strong passwords (as opposed to advising them to use strong passwords) I cannot remember it giving me any positive result.

It's all but a hack, but it has been running for years.

Best regards,
Olivier