Educause Security Discussion mailing list archives
Re: Password strength
From: Dale Lee <dlee () CALBAPTIST EDU>
Date: Thu, 26 Oct 2017 17:17:13 +0000
Walter,

The only way that I know to audit password strength is to reverse/crack the password. There are several methods for cracking Active Directory passwords. The DSInternals PowerShell Module and Framework<https://github.com/MichaelGrafnetter/DSInternals> offers a Test-PasswordQuality cmdlet which will allow you to check against a specific pw list, and the output from this method generates a report that may be to your liking. Additional explanation in this post: https://www.dsinternals.com/en/auditing-active-directory-password-quality/

For other non-AD systems, you can use any number of brute force tools (John the Ripper, Brute, etc.) to identify accounts with passwords matching your list. Use these tools with caution.

- Dale Lee | dlee () calbaptist edu
Director of Information Security and Projects | Information Technology Services
Live Your Purpose - California Baptist University – web<http://www.calbaptist.edu/> | twitter<http://twitter.com/calbaptist>
Biblically Rooted – Globally Minded – Academically Prepared – Equipped to Serve

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mccormick, Kevin
Sent: Thursday, October 26, 2017 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password strength

There is a list of compromised passwords you can download, around 320 million of them. The passwords are hashed SHA1.

https://haveibeenpwned.com/Passwords

Kevin McCormick<https://www.youracclaim.com/badges/3aa51624-4156-498d-bf6f-4a61790d54cf/public_url>
Network Administrator
University Technology - Western Illinois University
KE-McCormick () wiu edu<mailto:KE-McCormick () wiu edu> | (309) 298-1335 | Morgan Hall 106b
Connect with uTech: Website<http://www.wiu.edu/utech> | Facebook<https://www.facebook.com/uTechWIU> | Twitter<https://twitter.com/WIU_uTech>
On Thu, Oct 26, 2017 at 9:48 AM, WALTER KERNER <walter_kerner () fitnyc edu<mailto:walter_kerner () fitnyc edu>> wrote:

Hi all.

Is anyone using a tool to check the strength of user passwords, beyond the basic AD characteristics of number of characters, character classes, etc.? For example, there are tools that check user passwords against a long list of bad passwords like password1, 1234567, etc.

Thanks

Walter Kerner
AVP and CISO
333 7th Avenue, 13th Floor
New York, NY 10001
Voice: 212-217-3415
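The SHA-1 list mentioned in the thread is too large to load into memory, so the following added example (not part of any message in this thread, and not code from haveibeenpwned.com or DSInternals) screens a candidate password at set-time by binary-searching the file on disk. It assumes the list has been sorted by hash and holds one `HASH` or `HASH:COUNT` line per entry; the function names and the sample list are constructed for illustration.

```python
import hashlib
import io


def pwned_count(f, password: str) -> int:
    """Look up password in a hash-sorted SHA-1 list without loading it.

    f is a binary, seekable file with one 'HASH' or 'HASH:COUNT' line per
    entry. Returns the count (1 if the list carries none), or 0 if absent.
    """
    target = hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode()
    lo, hi = 0, f.seek(0, io.SEEK_END)
    # Invariant: a matching line, if present, starts at an offset in [lo, hi).
    while lo < hi:
        mid = (lo + hi) // 2
        if mid == 0:
            f.seek(0)
        else:
            f.seek(mid - 1)   # step back one byte so a line starting
            f.readline()      # exactly at mid is not skipped
        pos = f.tell()        # first line start at or after mid
        if pos >= hi:         # no line starts in [mid, hi)
            hi = mid
            continue
        line = f.readline()
        end = f.tell()
        digest, _, count = line.strip().upper().partition(b":")
        if digest == target:
            return int(count) if count else 1
        if digest < target:
            lo = end          # match can only start after this line
        else:
            hi = pos          # match can only start before this line
    return 0


def build_sample_list(passwords, with_counts=True):
    """Constructed stand-in for the downloaded list (not real breach data)."""
    digests = sorted(hashlib.sha1(p.encode()).hexdigest().upper() for p in passwords)
    lines = [f"{d}:{i + 2}" if with_counts else d for i, d in enumerate(digests)]
    return io.BytesIO("\r\n".join(lines).encode())


if __name__ == "__main__":
    sample = build_sample_list(["password1", "1234567", "letmein", "qwerty"])
    for candidate in ["password1", "Tr0ub4dor&3 horse staple"]:
        hits = pwned_count(sample, candidate)
        print(candidate, "-> reject" if hits else "-> not in list")
```

Against the real download, pass a file opened with `open(path, "rb")`; each lookup then costs a few dozen seeks regardless of list size.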
Current thread:
- Password strength WALTER KERNER (Oct 26)
- Re: Password strength Mccormick, Kevin (Oct 26)
- Re: Password strength Dale Lee (Oct 26)
- Re: Password strength Valdis Kletnieks (Oct 26)
- Re: Password strength Taylor Randle (Oct 26)
- Re: Password strength Dale Lee (Oct 26)
- <Possible follow-ups>
- Re: Password strength Rich Graves (Oct 26)
- Re: Password strength Joseph Tam (Oct 26)
- Re: Password strength Mccormick, Kevin (Oct 26)