[Geeks are Sexy] technology news

Thursday, December 22, 2005

Auditing your users' passwords for complexity: convincing management to adopt a strong password policy

There are many ways to create a hard-to-crack password, but unfortunately, most of these techniques create passwords that are too hard to remember. After a while, people just start using simple, easy-to-guess ones because they are fed up with calling tech support to have their password reset to something else. Big corporations often enforce a password complexity policy, but unfortunately, most SMBs won't care about this, and management will consider enforcing such policies useless and won't do a thing until a disaster arises.

If you are a system or network administrator, you may want to do some password auditing to prove to your bosses that you need to enable a strong password policy in your corporation. If you are not, then you might want to try this out just for the fun of it. Be careful if you do this! You will need to get the proper authorization from management because if you don't, you may end up without a job.

I'll give you a few pointers about how to do this; you'll have to find the rest by yourselves. This means that if you have no idea how to proceed, then you shouldn't be trying any of this out.

1- You will need administrative access to your domain, or to your local box if you only want to test your own system.

2- Download a program that will dump the password hashes from your domain's SAM database into a text file. Pwdump2 will let you do this. Be sure to read all the instructions on the download page before using the software.

3- Get an application that will do a brute-force / dictionary attack on the password hashes you previously captured. Cain & Abel will do this nicely. Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network and cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks. Be warned that there is a possibility that you will cause damage and/or loss of data using this software, and that in no event shall the author or I be liable for such damage or loss of data. Please carefully read the license agreement included in the program before using it.

4- Find some dictionary text files to add to your attack software. You will need a couple of them, e.g. French, English, first names, last names, etc. Here is a very good resource for word lists.

5- Start your auditing software and test your users' passwords with a dictionary attack. You will be very surprised by what you find in there. I usually discover around 50% of the passwords in a 150-user environment in under an hour using this technique. You can also try to brute-force the captured SAM database, but this mode can take anywhere from a couple of days to many weeks to recover a single password.

When you are finished doing this, print out the results, show them to your boss and pray that management is bright enough to realize the dangers associated with the situation.

A lot of people will just write down their passwords on a piece of paper and stick it under their keyboard or on their screen if they are too hard to remember. I know, I've seen this happen a lot of times in several corporations I worked for in the past.

Here are a couple of resources about how you can help your users choose safer and better passwords.
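Showing the boss a list of recovered passwords proves the problem; the policy that prevents it is enforced when a password is set. As an added example (not from the original post or from the Cain & Abel or Pwdump2 projects), here is a Python policy check in the spirit of the resources above: it applies a minimum length (the 14-character threshold suggested in the comments), a character-class rule, and a dictionary check that catches the "dictionary word plus a year or a symbol" habit that the audit in step 5 finds so quickly. The word list and the user accounts are constructed for the example, as is the policy itself; the thresholds are assumptions you would adjust to your own environment.

```python
import string

# Constructed sample word list standing in for the dictionary files the post
# says to collect (English, French, first names, last names).
SAMPLE_WORDLIST = {
    "password", "secret", "letmein", "welcome", "summer", "winter",
    "bonjour", "soleil", "montreal", "jean", "marie", "tremblay", "smith",
}

MIN_LENGTH = 14    # assumed policy: the "+14 char" threshold from the comments
MIN_CLASSES = 3    # assumed policy: three of upper, lower, digit, symbol

# Undo the common letter-for-symbol substitutions ("P@ssw0rd" -> "password").
LEET = str.maketrans("@$0135!|", "asoiesil")
EDGES = string.digits + string.punctuation


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def dictionary_hit(password, wordlist):
    """Return the dictionary word the password is built from, or None.

    Two reductions are tried: strip digits/punctuation from the ends and
    then undo substitutions ("Summer2005!" -> "summer"), and undo
    substitutions first and then strip ("$ecret" -> "secret")."""
    lowered = password.lower()
    candidates = [
        lowered.strip(EDGES).translate(LEET),
        lowered.translate(LEET).strip(EDGES),
    ]
    for candidate in candidates:
        if candidate in wordlist:
            return candidate
    return None


def audit_password(password, wordlist=SAMPLE_WORDLIST):
    """Return the list of policy failures for one password (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} character classes")
    hit = dictionary_hit(password, wordlist)
    if hit is not None:
        failures.append(f"built from dictionary word '{hit}'")
    return failures


def audit_users(credentials, wordlist=SAMPLE_WORDLIST):
    """Audit a {user: password} mapping as a password-change hook would.

    Returns ({user: failures} for the failing accounts, percentage failing),
    which is the kind of summary figure the post suggests showing management."""
    report = {}
    for user, password in credentials.items():
        failures = audit_password(password, wordlist)
        if failures:
            report[user] = failures
    percent = 100.0 * len(report) / len(credentials) if credentials else 0.0
    return report, percent


# Constructed sample accounts (not real credentials); the "tqbfjotld"
# passphrase initials come from the comments on the post.
SAMPLE_ACCOUNTS = {
    "jtremblay": "Summer2005!",
    "msmith":    "P@ssw0rd",
    "helpdesk":  "letmein",
    "admin":     "Tremblay1",
    "rlevesque": "tqbfjotld",
    "ccote":     "correct-horse-Battery-staple-42",
}

if __name__ == "__main__":
    failing, percent = audit_users(SAMPLE_ACCOUNTS)
    for user, failures in failing.items():
        print(f"{user}: " + "; ".join(failures))
    print(f"{percent:.1f}% of accounts fail the policy")
```

On the constructed accounts five of the six fail, and only the long passphrase passes. Note that the dictionary check works on the candidate password at the moment it is chosen, which is the only time the plaintext is available to the defender; it does not need the hash dumps from step 2, and it stops the weak choice before a dictionary run ever gets the chance to find it.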

Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.

  • Using the first letters of phrases is a good way to get stronger passwords.

    For example take the password 'tqbfjotld'. It is actually just the user remembering the phrase 'the quick brown fox..' and typing the first letter from each. Obviously you might not want to use common phrases for the exact reason that this could in theory be dict hacked also..

    Worth a thought

    I remember seeing research once that said that users should make up their own rude phrases as they found positive correlation to greater recall.. funny about that.

    By Anonymous Anonymous, at 11:53 PM  

  • tqbfjotld

    307.5 seconds


    1.8ghz processor

    use a +14 char password so you can't be cracked

    By Blogger Paul, at 5:45 PM  
