Firewall Wizards mailing list archives
RE: "Proactive" Password Checking
From: Russ <Russ.Cooper () rc on ca>
Date: Fri, 5 Nov 1999 12:15:43 -0500
There is a utility in the NT Resource Kit called PASSPROP.EXE which can enable a policy for passwords as follows:

"If password complexity is enabled, the password must be mixed-case (including a combination of upper and lower-case letters) or contain numbers or symbols. If it is not enabled, passwords are still case-sensitive, but they are not required to be mixed case or contain numbers or symbols."

Alternatively, SP2 (and above) of NT 4.0 introduced a new .dll (and functionality) called passfilt.dll which can enforce a set of parameters which passwords must meet or exceed:

<http://support.microsoft.com/support/kb/articles/Q161/9/90.asp>

It is possible to write a new .dll with your own requirements. Note that this mechanism uses the "Notification Packages" point in the registry. This point, if supplied with a valid .dll, spits out password changes to the .dll for the .dll to process. This same point could be used to have all password changes spit out in clear text to a dump file if compromised, so use it carefully. It was originally intended as a way of synchronizing passwords with Netware (hence the default .dll entry is FPNWCLNT.dll).

Certainly l0phtcrack, as previously suggested, can scan a SAM dump and demonstrate the effectiveness of passwords in use already. It does not, however, give you any facility to prevent users from creating dumb passwords (whereas the other two items mentioned here do).

I have not seen a decent replacement for passfilt.dll which allows for customization by the Administrator. As important, IMO, would be its ability to log attempts to create weak passwords so you could do some user education (be able to identify folks who attempt to violate your password creation policy so you can, um, talk to them). If anyone knows of any, please drop me a note (or send it to the list?)

Windows 2000 includes this capability as noted in the above-referenced MS KB article.
Cheers, Russ - NTBugtraq Editor
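The post describes two things a custom password filter at the "Notification Packages" hook should do: reject passwords that fail a complexity rule, and log the attempt so the administrator can follow up. The following is an added example, not code from passfilt.dll, PASSPROP.EXE or anything Russ posted; it is a portable C model of that decision logic rather than a Windows DLL (a real filter receives the account name and password as UNICODE_STRINGs from the LSA, which is not reproduced here). The rule set is an assumption modelled on the rules Microsoft documented for passfilt.dll (minimum six characters, characters from at least three of four classes, no occurrence of the account name), the function names are the author's own, and the log line format and sample attempts are constructed. The one design point worth noting: on rejection it records only the account and the reason, never the candidate password, because the same hook, as the post warns, is exactly where a malicious package would harvest clear-text passwords.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: portable model of a custom password filter's checks.
 * Not passfilt.dll code. Rule set assumed from the documented passfilt.dll
 * rules; thresholds below are that assumption. */
#define MIN_LENGTH 6
#define MIN_CLASSES 3

/* Reason codes returned to the caller; PW_OK means the password is acceptable. */
enum reject_reason {
    PW_OK = 0,
    PW_TOO_SHORT,
    PW_TOO_FEW_CLASSES,
    PW_CONTAINS_ACCOUNT_NAME
};

/* Count how many of the four classes (upper, lower, digit, symbol) appear. */
static int count_classes(const char *pw)
{
    bool upper = false, lower = false, digit = false, symbol = false;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (isupper(*p))      upper = true;
        else if (islower(*p)) lower = true;
        else if (isdigit(*p)) digit = true;
        else                  symbol = true;
    }
    return upper + lower + digit + symbol;
}

/* Case-insensitive substring test: does hay contain needle? */
static bool contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle), h = strlen(hay);
    if (n == 0 || n > h) return false;
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j]))
            j++;
        if (j == n) return true;
    }
    return false;
}

/* Apply the assumed passfilt-style rules in order and report the first failure. */
enum reject_reason check_password(const char *account, const char *pw)
{
    if (strlen(pw) < MIN_LENGTH)          return PW_TOO_SHORT;
    if (count_classes(pw) < MIN_CLASSES)  return PW_TOO_FEW_CLASSES;
    if (contains_nocase(pw, account))     return PW_CONTAINS_ACCOUNT_NAME;
    return PW_OK;
}

/* The filter decision: on rejection write an audit line (constructed format)
 * naming only the account and the reason, never the password, then return
 * accept (true) or reject (false). `out` is the log destination. */
bool filter_password(FILE *out, const char *account, const char *pw)
{
    static const char *reason_text[] = {
        "ok", "too short", "too few character classes", "contains account name"
    };
    enum reject_reason r = check_password(account, pw);
    if (r != PW_OK)
        fprintf(out, "PWFILTER reject account=%s reason=%s\n", account, reason_text[r]);
    return r == PW_OK;
}

int main(void)
{
    /* Constructed sample change attempts for one account. */
    const char *cases[][2] = {
        { "jsmith", "Tr0ub4dor&3" },   /* accepted: 11 chars, four classes   */
        { "jsmith", "password" },      /* rejected: lower-case only           */
        { "jsmith", "JSmith99!" },     /* rejected: contains the account name */
        { "jsmith", "Ab1!" },          /* rejected: too short                 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s -> %s\n", cases[i][1],
               filter_password(stderr, cases[i][0], cases[i][1]) ? "accepted" : "rejected");
    return 0;
}
```

Pointing `out` at a log file rather than stderr gives the "who tried to set a weak password" record the post asks for without ever persisting the password itself.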
Current thread:
- "Proactive" Password Checking Jim Raykowski (Nov 04)
- Re: "Proactive" Password Checking Joseph S D Yao (Nov 05)
- Re: "Proactive" Password Checking Bill Pennington (Nov 05)
- Re: "Proactive" Password Checking Stefan Wagner (Nov 05)
- Re: "Proactive" Password Checking Rick Smith (Nov 05)
- Re: "Proactive" Password Checking Alec Muffett (Nov 06)
- RE: "Proactive" Password Checking Anton J Aylward (Nov 06)
- RE: "Proactive" Password Checking Kurt Buff (Nov 06)
- Re: "Proactive" Password Checking Frank O'Dwyer (Nov 18)
- <Possible follow-ups>
- RE: "Proactive" Password Checking Moore, James (Nov 06)
- RE: "Proactive" Password Checking Russ (Nov 06)
- Re: "Proactive" Password Checking REID FOX (Nov 06)
- RE: "Proactive" Password Checking Moore, James (Nov 08)
- RE: "Proactive" Password Checking Russ (Nov 09)
- RE: "Proactive" Password Checking Eric Toll (Nov 10)
- Re: "Proactive" Password Checking Joseph S D Yao (Nov 10)
- Re: "Proactive" Password Checking Alec Muffett (Nov 10)
- RE: "Proactive" Password Checking daN. (Nov 15)
- Re: "Proactive" Password Checking Eric Toll (Nov 10)
- Re: "Proactive" Password Checking Rick Smith (Nov 11)
- Re: "Proactive" Password Checking Eric Budke (Nov 14)
- Re: "Proactive" Password Checking Rick Smith (Nov 11)
(Thread continues...)