Auditing your users' passwords for complexity: convincing management to adopt a strong password policy
There are many ways to create a hard-to-crack password, but unfortunately, most of these techniques create passwords that are too hard to remember. After a while, people just start using simple, easy-to-guess ones because they are fed up with calling tech support to have their password reset to something else. Big corporations often enforce a password complexity policy, but unfortunately, most SMBs won't care: management will consider enforcing such policies useless and won't do a thing until a disaster arises.
If you are a system or network administrator, you may want to do some password auditing to prove to your bosses that you need to enable a strong password policy in your corporation. If you are not, then you might want to try this out just for the fun of it. Be careful if you do this! You will need to get proper authorization from management, because if you don't, you may end up without a job.
I'll give you a few pointers on how to do this; you'll have to figure out the rest by yourselves. This means that if you have no idea how to proceed, then you shouldn't be trying any of this.
1- You will need administrative access to your domain, or to your local box if you only want to test your own system.
2- Download a program that dumps the password hashes from your domain's SAM database into a text file. Pwdump2 will let you do this. Be sure to read all the instructions on the download page before using the software.
4- Find some dictionary text files to add to your attack software. You will need a couple of them, e.g. French, English, first names, last names, etc. Here is a very good resource for word lists.
5- Start your auditing software and test your users' passwords with a dictionary attack. You will be very surprised by what you find in there. I usually recover around 50% of the passwords in a 150-user environment in under an hour using this technique. You can also try to brute-force the captured SAM database, but this mode can take anywhere from a couple of days to many weeks to crack a single password.
When you are finished, print out the results, show them to your boss and pray that management is bright enough to realize the dangers associated with the situation.
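The reason a dictionary run recovers so many passwords is that users pick a word from exactly the lists named above and dress it up with a capital, a digit or two, or leetspeak. The policy check below, added here as an example and not part of the original article or of any auditing tool, rejects those passwords before they reach the hash dump: it normalises a candidate back to its base word and tests it against the word lists, alongside the usual length and character-class rules. The mini word lists, the policy thresholds and the sample passwords are constructed for the demo.

```python
import re
import string

# Constructed mini word lists (English, French, first names), lower-cased;
# a real audit uses full lists like the ones the article points to.
WORDLISTS = {
    "english": {"password", "welcome", "summer", "dragon", "monkey"},
    "french": {"bonjour", "soleil", "chocolat"},
    "firstnames": {"michael", "sophie", "david"},
}
LEET = str.maketrans("@4$5013", "aassole")  # undo common substitutions


def normalise(pw: str) -> str:
    """Reduce a password to the dictionary word it is built from:
    lower-case, drop a trailing run of digits/punctuation, undo leetspeak."""
    stem = re.sub(r"[0-9!?.#*]+$", "", pw.lower())
    return stem.translate(LEET)


def check_policy(pw: str, min_len: int = 12, min_classes: int = 3) -> list:
    """Return the policy violations for one password (empty list = OK)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    classes = sum(any(c in cls for c in pw) for cls in (
        string.ascii_lowercase, string.ascii_uppercase,
        string.digits, string.punctuation))
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, need {min_classes}")
    stem = normalise(pw)
    for name, words in WORDLISTS.items():
        if stem in words:
            problems.append(f"based on {name} word '{stem}'")
    return problems


def audit(passwords):
    """Fraction of passwords failing the policy, plus the reasons per password."""
    failing = {}
    for pw in passwords:
        problems = check_policy(pw)
        if problems:
            failing[pw] = problems
    return len(failing) / len(passwords), failing


if __name__ == "__main__":
    # Constructed sample set standing in for a real user population.
    rate, detail = audit(["P@ssw0rd1", "dragon", "Blue-Kettle-Sings-42", "S0leil123"])
    print(f"{rate:.0%} of passwords fail the policy")
    for pw, why in detail.items():
        print(f"  {pw}: {'; '.join(why)}")
```

Run as-is, three of the four sample passwords fail, and the report shows which word list each one was built from.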
A lot of people will just write their passwords down on a piece of paper and stick it under their keyboard or on their screen if they are too hard to remember. I know; I've seen this happen many times in several corporations I worked for in the past.
Here are a couple of resources on how you can help your users choose safer and better passwords.
This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.