[THIN] Re: [SPAM] Re: Check password utility

  • From: Euan Cooper <Euan.Cooper@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 18 Jan 2005 14:38:32 +1300

It would be very easy to force everyone to change their password - probably
not very popular but easy nonetheless.

What exactly are you trying to achieve?  Improve security or simply satisfy
some kind of policy that some PHB wants?  So many times I see companies
focus on the specifics from some source or other[1] without looking at the
bigger picture.  Complex passwords are useless if your staff can't remember
them[2].  Just as simple[3] passwords are fine if you can guarantee that no
unauthorised person can gain access to any part of your system.

Mind you we have similar issues here with the PHBs wanting to "tighten
security"[4] on the computer system - without looking at some of the other
obvious issues that are far more of a risk.

That said - lopt[5] is very good at checking how good users' passwords are -
though to be any use you really need to purchase the product so you can run
it every few months to make sure users have not gone back to "bad" passwords
- unless you implement some kind of password filter to ensure passwords meet
specific requirements of complexity.

There are a number of freeware password crackers available - like Cain &
Abel from http://www.oxid.it/cain.html [6] or John the Ripper from
http://www.openwall.com/john/ [7].  You may need Pwdump3 from
Http://www.polivec.com/pw3dump/default.htm to dump your password hashes so
you can run either of these apps.

Of course all this will do you no good - except possibly keep a PHB happy if
you have other "issues" that need to be addressed.

-Ec



1 Usually a "best practices" book or whitepaper
2 And so they write them down somewhere close to their workstation
3 or even no password.
4 Of course some of these measures they do not want applied to them.
5 As already recommended by someone else on the list
6 Not as good at cracking as lopt - but does dictionary checks real quick
7 Have not personally used this - but it comes highly recommended!
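
The "password filter" idea mentioned above, as an added example that is not part of the original message or of any product named in the thread: a check run on a proposed password at change time, combining a character-class rule with a dictionary lookup on the word the password is built from. The word list, the substitution table and the thresholds (`min_length`, `min_classes`) are constructed assumptions.

```python
import re

# Constructed sample word list (assumption); a real filter would load a full
# dictionary plus names, company terms and known-bad passwords.
WORDLIST = {"password", "welcome", "summer", "london", "andrew", "citrix"}

# Common character substitutions undone before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")

def _strip_edges(text):
    """Drop leading/trailing digits and punctuation ('summer2005!' -> 'summer')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)

def audit(password, min_length=8, min_classes=3):
    """Return the list of reasons a proposed password should be rejected."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")

    # Count which of the four character classes are present.
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    if classes < min_classes:
        problems.append("too few character classes")

    # Two normalisations: strip decorations then undo substitutions, and the
    # reverse order, so both 'P@ssw0rd1' and '$ummer' reduce to their word.
    lowered = password.lower()
    candidates = {
        _strip_edges(lowered).translate(LEET),
        _strip_edges(lowered.translate(LEET)),
    }
    if candidates & WORDLIST:
        problems.append("based on a dictionary word")
    return problems

if __name__ == "__main__":
    for sample in ("summer", "Summer2005!", "P@ssw0rd1", "tr7Vq#mK2x"):
        print(f"{sample!r}: {audit(sample) or 'accepted'}")
```

"Summer2005!" and "P@ssw0rd1" satisfy the complexity rule on its own and are only caught by the dictionary step, which is why a complexity setting alone does not answer the original question.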

-----Original Message-----
From: Avien Darbendy [mailto:a.darbendy@xxxxxxxxx]
Sent: Tuesday, 18 January 2005 1:37 a.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: [SPAM] Re: Check password utility


No, we want to know who uses simple passwords by using a password audit
utility and then force those users to use complex passwords.

It will be difficult to force everybody to change their password.

Thanks,
Avien

-----Original Message-----
From: Dogers [mailto:dogers@xxxxxxxxx]
Sent: Monday, 17 January 2005 12:50
To: thin@xxxxxxxxxxxxx
Subject: [SPAM] [THIN] Re: Check password utility

On Mon, 17 Jan 2005 10:56:42 +0100, Avien Darbendy
<a.darbendy@xxxxxxxxx> wrote:

> We want to force users to use complex passwords (characters, numbers,
> letters) and we want to check who uses simple passwords (only words,
> names, et cetera...) through a utility.

> Does anybody have experience with a similar utility which checks the
> password for words or checks it against a dictionary?

Could you not just be mean, enforce complex passwords in AD and then
make them all change their password at next logon? :)

Andrew
********************************************************
This Weeks Sponsor SeamlessPlanet.com Domain Names
Register your .com domain name for as low as $7.85
One of the lowest prices on the web! Part of The Kenzig Group.
http://www.seamlessplanet.com
********************************************************** 
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Awesome SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm