Educause Security Discussion mailing list archives
Re: Password strength
From: Taylor Randle <TRandle () PARKER EDU>
Date: Thu, 26 Oct 2017 18:21:57 +0000
+1 for HaveIBeenPwned. They also have an API that you can use to compare passwords to their lists when users are resetting/creating their passwords, for example. https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

Thycotic has a free tool that will check your AD accounts against a (relatively small) list of weak passwords and create a nice report that you can use, as well as a more actionable spreadsheet. It doesn't expose the passwords themselves, just compares the hashes in AD to the hashes in the dictionary. It then classifies the accounts (administrative, etc.) and indicates the accounts with weak passwords, LM hashes, reversible encryption, passwords set to never expire, etc. I've used the default password list and added some University-specific passwords, but I see no reason why you couldn't replace the default with a better one if you had it – although it would likely increase the run time by a good bit.

More Info: https://thycotic.force.com/support/s/weak-password-finder
User Guide: https://updates.thycotic.net/freetools/WeakPasswordFinder_UserGuide.pdf
Download: https://thycotic.com/solutions/free-it-tools/weak-password-finder/

Thycotic also has some other free tools that I have found useful – including the Browser-stored Password Discovery tool. Again, it doesn't expose passwords, just indicates the machines with browser-stored passwords and the accounts/websites they're associated with. Potentially useful for determining who needs a bit more security awareness training. https://thycotic.com/solutions/free-it-tools/

We've also been using Thycotic's Secret Server for some time with great results (we've upgraded from the Free version to Professional, but the free version is plenty robust). I've recently been able to get buy-in to require all domain admin and system admin-level accounts be stored in Secret Server – which uses 2FA, rotates the passwords regularly, has launchers for RDP, SSH, etc. so passwords no longer have to be remembered, and provides an audit trail for the use of these accounts. </Thycotic plug>

Feel free to reach out if anyone has any questions.

Thanks!
Taylor

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dale Lee
Sent: Thursday, October 26, 2017 12:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password strength

Walter,

The only way that I know to audit password strength is to reverse/crack the password. There are several methods for cracking Active Directory passwords. The DSInternals PowerShell Module and Framework (https://github.com/MichaelGrafnetter/DSInternals) offers a Test-PasswordQuality cmdlet which will allow you to check against a specific pw list, and the output from this method generates a report that may be to your liking. Additional explanation in this post: https://www.dsinternals.com/en/auditing-active-directory-password-quality/

For other non-AD systems, you can use any number of brute force tools (John the Ripper, Brute, etc.) to identify accounts with passwords matching your list. Use these tools with caution.

- Dale Lee | dlee () calbaptist edu
Director of Information Security and Projects | Information Technology Services
Live Your Purpose - California Baptist University – web (http://www.calbaptist.edu/) | twitter (http://twitter.com/calbaptist)
Biblically Rooted – Globally Minded – Academically Prepared – Equipped to Serve

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mccormick, Kevin
Sent: Thursday, October 26, 2017 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password strength

There is a list of compromised passwords you can download, around 320 million of them. The passwords are hashed with SHA1.
https://haveibeenpwned.com/Passwords

Kevin McCormick (https://www.youracclaim.com/badges/3aa51624-4156-498d-bf6f-4a61790d54cf/public_url)
Network Administrator
University Technology - Western Illinois University
KE-McCormick () wiu edu | (309) 298-1335 | Morgan Hall 106b
Connect with uTech: Website (http://www.wiu.edu/utech) | Facebook (https://www.facebook.com/uTechWIU) | Twitter (https://twitter.com/WIU_uTech)

On Thu, Oct 26, 2017 at 9:48 AM, WALTER KERNER <walter_kerner () fitnyc edu> wrote:

Hi all. Is anyone using a tool to check the strength of user passwords, beyond the basic AD characteristics of number of characters, character classes, etc.? For example, there are tools that check user passwords against a long list of bad passwords like password1, 1234567, etc.

Thanks
Walter Kerner
AVP and CISO
333 7th Avenue, 13th Floor
New York, NY 10001
Voice: 212-217-3415
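The reset-time check that Taylor and Kevin describe, as an added example that is not part of this thread and not HIBP's or Thycotic's own code: it loads a Pwned Passwords-style SHA-1 list and reports whether a candidate password is on it, and it also shows the prefix-only (k-anonymity) lookup shape of the Pwned Passwords range API, with the range endpoint simulated from the local list. Assumptions: the list is one "SHA1HASH:count" line per entry (bare hashes also accepted), and the sample entries and counts below are constructed, not real download data.

```python
import hashlib

# Constructed sample standing in for the downloadable Pwned Passwords file.
# Assumption: one "SHA1HASH:count" entry per line; the bare "SHA1HASH" form
# of the original 2017 release is accepted too. Counts are made up.
_SAMPLE = {"password": 3730471, "password1": 2310478, "1234567": 1070130}
SAMPLE_LIST = "".join(
    f"{hashlib.sha1(p.encode()).hexdigest().upper()}:{n}\n" for p, n in _SAMPLE.items()
)

def sha1_upper(password: str) -> str:
    """Hash a candidate the way the list does: SHA-1, upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def load_pwned_list(text: str) -> dict:
    """Parse the list into {HASH: count}; a bare hash line counts as 1."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h, _, count = line.partition(":")
        db[h.upper()] = int(count) if count else 1
    return db

def breach_count(password: str, db: dict) -> int:
    """Offline check against the full list: 0 means not listed, so it can be used."""
    return db.get(sha1_upper(password), 0)

def range_response(prefix: str, db: dict) -> list:
    """Server side of a k-anonymity range lookup, served here from the local
    db: every hash sharing the 5-hex-char prefix, returned as 'SUFFIX:count'."""
    prefix = prefix.upper()
    return [f"{h[5:]}:{n}" for h, n in db.items() if h.startswith(prefix)]

def breach_count_via_range(password: str, lookup) -> int:
    """Client side: only the first 5 hex chars of the SHA-1 are sent; the
    password and its full hash never leave the client."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        s, _, n = line.partition(":")
        if s == suffix:
            return int(n)
    return 0
```

A reset/create flow would call breach_count (or the range variant against the real endpoint) and reject any candidate with a non-zero result.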
Current thread:
- Password strength WALTER KERNER (Oct 26)
- Re: Password strength Mccormick, Kevin (Oct 26)
- Re: Password strength Dale Lee (Oct 26)
- Re: Password strength Valdis Kletnieks (Oct 26)
- Re: Password strength Taylor Randle (Oct 26)
- Re: Password strength Dale Lee (Oct 26)
- <Possible follow-ups>
- Re: Password strength Rich Graves (Oct 26)
- Re: Password strength Joseph Tam (Oct 26)
- Re: Password strength Mccormick, Kevin (Oct 26)