Educause Security Discussion mailing list archives

Re: Password strength


From: Taylor Randle <TRandle () PARKER EDU>
Date: Thu, 26 Oct 2017 18:21:57 +0000

+1 for HaveIBeenPwned. They also have an API that you can use to compare passwords to their lists when users are 
resetting/creating their passwords, for example. 
https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

Thycotic has a free tool that will check your AD accounts against a (relatively small) list of weak passwords and 
create a nice report that you can use as well as a more actionable spreadsheet. It doesn’t expose the passwords 
themselves, just compares the hashes in AD to the hashes in the dictionary. It then classifies the accounts 
(administrative, etc.) and indicates the accounts with weak passwords, LM hashes, reversible encryption, passwords set 
to never expire, etc. I’ve used the default password list and added some University-specific passwords but I see no 
reason why you couldn’t replace the default with a better one if you had it – although it would likely increase the run 
time by a good bit.

More Info: https://thycotic.force.com/support/s/weak-password-finder
User Guide: https://updates.thycotic.net/freetools/WeakPasswordFinder_UserGuide.pdf
Download: https://thycotic.com/solutions/free-it-tools/weak-password-finder/


Thycotic also has some other free tools that I have found useful – including the Browser-stored Password Discovery 
tool. Again, it doesn’t expose passwords, just indicates the machines with browser-stored passwords and the 
accounts/websites they’re associated with. Potentially useful for determining who needs a bit more security awareness 
training.

https://thycotic.com/solutions/free-it-tools/

We’ve also been using Thycotic’s Secret Server for some time with great results (we’ve upgraded from the Free version 
to Professional but the free version is plenty robust). I’ve recently been able to get buy in to require all domain 
admin and system admin-level accounts be stored in Secret Server – which uses 2FA, rotates the passwords regularly, has 
launchers for RDP, SSH, etc. so passwords no longer have to be remembered, and provides an audit trail for the use of 
these accounts.

</Thycotic plug>

Feel free to reach out if anyone has any questions.

Thanks!
Taylor


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dale Lee
Sent: Thursday, October 26, 2017 12:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password strength

Walter,

The only way that I know to audit password strength is to reverse/crack the password.

There are several methods for cracking Active Directory passwords. The DSInternals PowerShell Module and 
Framework (https://github.com/MichaelGrafnetter/DSInternals) offers a Test-PasswordQuality cmdlet which will allow you to 
check against a specific pw list, and the output from this method generates a report that may be to your liking. 
Additional explanation in this post: 
https://www.dsinternals.com/en/auditing-active-directory-password-quality/

For other non-AD systems, you can use any number of brute-force tools (John the Ripper, Brute, etc.) to identify accounts 
with passwords matching your list. Use these tools with caution.

-
Dale Lee | dlee () calbaptist edu
Director of Information Security and Projects | Information Technology Services
Live Your Purpose - California Baptist University – web: http://www.calbaptist.edu/ | twitter: http://twitter.com/calbaptist
Biblically Rooted – Globally Minded – Academically Prepared – Equipped to Serve

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Mccormick, Kevin
Sent: Thursday, October 26, 2017 8:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password strength

There is a list of compromised passwords you can download, around 320 million of them.

The passwords are hashed with SHA-1.

https://haveibeenpwned.com/Passwords

Kevin McCormick
Network Administrator
University Technology - Western Illinois University
KE-McCormick () wiu edu | (309) 298-1335 | Morgan Hall 106b
Connect with uTech: Website: http://www.wiu.edu/utech | Facebook: https://www.facebook.com/uTechWIU | 
Twitter: https://twitter.com/WIU_uTech
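Kevin's downloadable list and the API Taylor mentions both key on the SHA-1 of the candidate password, which is what makes a reset-time check cheap: hash the proposed password the same way and look it up. The Python below is an added example for this page, not code from the thread or from Have I Been Pwned. It shows an offline check against the downloaded list (the 2017 file is one upper-case SHA-1 per line; later releases append a prevalence count, and both shapes are parsed) and the k-anonymity range lookup the Pwned Passwords API has used since 2018 (https://api.pwnedpasswords.com/range/<first five hex characters>), which postdates this thread. The two-entry list excerpt is constructed, and the range response is simulated from that local list so everything runs offline; the live fetcher is included for reference only.

```python
import hashlib
import urllib.request

# Constructed excerpt of the downloadable list: one upper-case SHA-1 per line,
# optionally followed by ':<prevalence>' as in later releases.
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
7C4A8D09CA3762AF61E59520943DC26494F8941B:21
"""


def load_pwned_hashes(text: str) -> dict:
    """Parse the list into {upper-case SHA-1 hex: prevalence}; count defaults to 1."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        hashes[digest.upper()] = int(count) if count else 1
    return hashes


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the key the list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pwned_offline(password: str, pwned_hashes: dict) -> bool:
    """Check a candidate against the locally loaded list."""
    return sha1_hex(password) in pwned_hashes


def pwned_count_via_range(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the first 5 hex characters of the SHA-1 are
    sent; every suffix in that bucket comes back and the remaining 35
    characters are matched locally. Returns the prevalence count, or 0."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        tail, _, count = line.partition(":")
        if tail.upper() == suffix:
            return int(count) if count else 1
    return 0


def offline_range_fetcher(pwned_hashes: dict):
    """Simulate the range endpoint from the local list ('SUFFIX:COUNT' lines)
    so the example runs without network access."""
    def fetch(prefix: str) -> str:
        return "\n".join(f"{h[5:]}:{n}" for h, n in sorted(pwned_hashes.items())
                         if h.startswith(prefix.upper()))
    return fetch


def http_range_fetcher(prefix: str) -> str:
    """Live fetcher for the real range endpoint; not exercised here. The
    service rejects requests without a User-Agent header."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "example-password-reset-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def reset_password_allowed(candidate: str, fetch_range) -> bool:
    """Policy hook for a reset/creation form: refuse anything on the list."""
    return pwned_count_via_range(candidate, fetch_range) == 0


if __name__ == "__main__":
    pwned = load_pwned_hashes(SAMPLE_PWNED_LIST)
    fetch = offline_range_fetcher(pwned)
    for candidate in ("password", "123456", "wandering-glacier-lamp-42"):
        print(candidate, "offline:", is_pwned_offline(candidate, pwned),
              "range count:", pwned_count_via_range(candidate, fetch),
              "allowed:", reset_password_allowed(candidate, fetch))
```

Swap `offline_range_fetcher(...)` for `http_range_fetcher` to query the live service; with the range form the full hash never leaves your host, so the check can sit in a reset flow without sending the new password, or its complete digest, to a third party.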

On Thu, Oct 26, 2017 at 9:48 AM, WALTER KERNER <walter_kerner () fitnyc edu> wrote:
Hi all. Is anyone using a tool to check the strength of user passwords, beyond the basic AD characteristics of number 
of characters, character classes, etc.? For example, there are tools that check user passwords against a long list of 
bad passwords like password1, 1234567, etc. Thanks
Walter Kerner
AVP and CISO
333 7th Avenue, 13th Floor
New York, NY 10001
Voice: 212-217-3415


