Firewall Wizards mailing list archives

RE: "Proactive" Password Checking


From: Russ <Russ.Cooper () rc on ca>
Date: Wed, 17 Nov 1999 12:53:45 -0500

One more note about passfilt.dll (with the caveat that I am not a programmer
and could not code what I propose).

Passfilt.dll is an application, and as such, can do anything an off-line
cracker can do. So in addition to supplying it with guidance rules as to
what should be in a "decent" password, there's absolutely no reason why
passfilt.dll could not take the proposed password (which it receives in
plaintext) and pass it through as many dictionaries as one might deem
appropriate. If there's a match, or partial match, the password can be
rejected on that basis in addition to, or instead of, the guidance rules.

Taking a plaintext and looking it up for "like" matches in on-line
dictionaries of whatever size appropriate should make it reasonably
impervious to crack attacks. Of course all of this assumes you are not using
LanMan hashes in your network, otherwise, all of this is pretty much a waste
of effort.

It's really a shame that none of the NT coders from ISS or RSA are on this
list. Maybe I'll put the proposal to the NTBugtraq subscribers to come up
with a decent passfilt replacement as open source.

Cheers,
Russ - NTBugtraq Editor
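The post argues that a password filter, because it sees the candidate password in plaintext, can apply the same dictionary and "like"-match tests an off-line cracker would. The following is an added example of that decision logic, not code from the post or from any passfilt.dll; the real DLL exports a `PasswordFilter` entry point that receives UNICODE_STRING arguments, while this is portable C so it can be compiled and tested anywhere. The word list, the minimum length of 8, the leet-speak substitution table and the 3-of-4 character-class rule are all assumptions chosen for the example; a production filter would load a large dictionary and site-specific terms from disk.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LENGTH 8   /* assumed policy value */
#define MAX_PW 256

/* Constructed sample word list for the example. A real filter would load a
 * large dictionary plus site-specific terms (company and product names). */
static const char *const DICTIONARY[] = {
    "password", "secret", "welcome", "summer", "letmein", "qwerty", "dragon"
};
#define DICT_LEN (sizeof DICTIONARY / sizeof DICTIONARY[0])

typedef enum {
    PW_OK = 0,
    PW_TOO_SHORT,
    PW_DICTIONARY_EXACT,   /* whole password (after normalising) is a word */
    PW_DICTIONARY_PARTIAL, /* a word, or its reverse, appears inside it   */
    PW_TOO_SIMPLE          /* fewer than 3 of 4 character classes         */
} pw_verdict;

/* Lower-case copy of the password; if leet is nonzero, also undo common
 * substitutions so "P@ssw0rd" compares against the dictionary as "password". */
static void normalize(const char *in, char *out, int leet)
{
    size_t i;
    for (i = 0; in[i] != '\0' && i < MAX_PW - 1; i++) {
        unsigned char c = (unsigned char)tolower((unsigned char)in[i]);
        if (leet) {
            switch (c) {
            case '@': case '4': c = 'a'; break;
            case '3':           c = 'e'; break;
            case '1': case '!': c = 'i'; break;
            case '0':           c = 'o'; break;
            case '$': case '5': c = 's'; break;
            case '7':           c = 't'; break;
            default: break;
            }
        }
        out[i] = (char)c;
    }
    out[i] = '\0';
}

/* Strip non-letters from both ends in place: "summer2023!" -> "summer". */
static void trim_nonalpha(char *s)
{
    size_t len = strlen(s), start = 0;
    while (len > 0 && !isalpha((unsigned char)s[len - 1])) s[--len] = '\0';
    while (s[start] != '\0' && !isalpha((unsigned char)s[start])) start++;
    if (start > 0) memmove(s, s + start, len - start + 1);
}

static void reverse_into(const char *in, char *out)
{
    size_t len = strlen(in), i;
    for (i = 0; i < len; i++) out[i] = in[len - 1 - i];
    out[len] = '\0';
}

pw_verdict check_password(const char *pw)
{
    char lower[MAX_PW], leet[MAX_PW], core[MAX_PW], rev[MAX_PW];
    size_t n = strlen(pw), i;
    int upper = 0, lowerc = 0, digit = 0, other = 0;

    if (n < MIN_LENGTH) return PW_TOO_SHORT;
    normalize(pw, lower, 0);
    normalize(pw, leet, 1);

    /* Exact match: drop digit/punctuation padding, compare with each word. */
    for (i = 0; i < DICT_LEN; i++) {
        strcpy(core, lower); trim_nonalpha(core);
        if (strcmp(core, DICTIONARY[i]) == 0) return PW_DICTIONARY_EXACT;
        strcpy(core, leet);  trim_nonalpha(core);
        if (strcmp(core, DICTIONARY[i]) == 0) return PW_DICTIONARY_EXACT;
    }
    /* Partial ("like") match: a word or its reverse embedded anywhere. Only
     * words of 4+ letters are used so short words do not reject everything. */
    for (i = 0; i < DICT_LEN; i++) {
        if (strlen(DICTIONARY[i]) < 4) continue;
        reverse_into(DICTIONARY[i], rev);
        if (strstr(lower, DICTIONARY[i]) || strstr(leet, DICTIONARY[i]) ||
            strstr(lower, rev))
            return PW_DICTIONARY_PARTIAL;
    }
    /* Guidance rule: at least 3 of upper, lower, digit, other. */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper = 1;
        else if (islower(c)) lowerc = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return (upper + lowerc + digit + other < 3) ? PW_TOO_SIMPLE : PW_OK;
}

int main(void)
{
    static const char *const names[] = {"ok", "too short", "dictionary word",
                                        "contains dictionary word", "too simple"};
    const char *samples[] = {"P@ssw0rd", "Summer2023!", "MyDragon42",
                             "Drowssap9!", "Tr0ub4dor&3", "abcdefgh", "Pw1!"};
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], names[check_password(samples[i])]);
    return 0;
}
```

Dictionary tests run before the character-class rule so that a password such as `P@ssw0rd`, which satisfies every complexity rule, is still rejected for being a dictionary word in disguise, which is the point the post makes about guidance rules alone being insufficient.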
