Security Basics mailing list archives
Re: Highlighting weak password dangers
From: Kenton Smith <listsks () yahoo ca>
Date: Wed, 24 Jan 2007 15:40:01 -0800 (PST)
Don't use something that actually tries to login to the account, that's counter productive. Use something like John the Ripper that uses the SAM database. Use a dictionary or hybrid attack and fill your custom dictionary with all the passwords that aren't allowed based on your password policy. You do have a password policy, right? Searching for weak passwords should take no time at all. There is no reason for using brute-force for policy compliance. As soon as you start brute-forcing you are trying to hack user accounts and I suspect that would be against your security policy. Kenton ----- Original Message ---- From: WALI <hkhasgiwale () gmail com> To: security-basics () securityfocus com Sent: Wednesday, January 24, 2007 10:15:46 AM Subject: Highlighting weak password dangers I want to highlight the danger of using weak passwords on servers and users admin desktops. I have tested TSgrinder with a basic dictionary Brute Force to access Remote Desktop exploit on both servers and desktops. The problem here is that when connected to domain, the Account Lockout feature disables the account quite soon. I can only show the exploit on machines not connected to the domain where Domain Security policy doesn't flow down. What are other interesting and intriguing ways to present this problem? I also need a system to do Passwords Audit on my domain and make then 'secure password' policy compliance. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- Re: Highlighting weak password dangers Kenton Smith (Jan 25)
- RE: Highlighting weak password dangers Barrett, Will (Jan 29)
- <Possible follow-ups>
- re: Highlighting weak password dangers Kenton Smith (Jan 30)
- Re: RE: Highlighting weak password dangers somebodyishere (Jan 30)