PaulDotCom mailing list archives

Tools for password analysis


From: rgula at tenablesecurity.com (Ron Gula)
Date: Sat, 28 Nov 2009 18:43:53 -0500

Francois Lachance wrote:
I am currently doing a password audit for my employer. I am somewhat
shocked at the success rate Ophcrack liveCD returns with the free
small rainbow table in an AD network that has the complex password GPO
setting turned on - 96% after 5:50hrs

Now that I have all those juicy passwords, I would like to do some
kind of analysis to make recommendations to management. My first
recommendation will probably be to increase the minimum password
length.

I have two questions for the list:
1.  What tools can I use to do that analysis?
2. Is there a way to force better complex password rules than what
Microsoft provides in Windows 2003?


If you are using the Nessus ProfessionalFeed, it includes many different
policies (CIS, FDCC, etc.) that include password auditing on various
operating systems, and you can write your own too.

I'm not surprised you were able to crack passwords this fast, but a
quick audit of the systems in question would also tell you the age of
the passwords, how often they are changed, and so on.

-- 
Ron Gula, CEO
Tenable Network Security
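
Added example, not part of the original thread and not a tool either poster named: one way to turn an audit's recovered passwords into aggregate figures for a management report (length distribution, character-class masks, and how many entries satisfy a complexity rule while still following one common pattern). The sample list, the function names and the simplified "three of four classes, minimum six characters" check are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample standing in for an audit's recovered passwords.
SAMPLE = ["Summer09", "Password1", "Welcome1", "Qwerty12",
          "Hockey2009!", "Montreal1", "P@ssw0rd", "abc123"]

# Capital letter, lowercase run, trailing digits, optional final symbol.
PREDICTABLE = re.compile(r"^UL+D+S?$")


def mask(pw):
    """Map each character to its class: U(pper), L(ower), D(igit), S(ymbol)."""
    def cls(ch):
        if ch.isupper():
            return "U"
        if ch.islower():
            return "L"
        if ch.isdigit():
            return "D"
        return "S"
    return "".join(cls(ch) for ch in pw)


def meets_complexity(pw, min_len=6):
    """Simplified complexity check (assumption): min length, 3 of 4 classes."""
    return len(pw) >= min_len and len(set(mask(pw))) >= 3


def analyze(passwords):
    """Aggregate figures only; no individual password appears in the result."""
    masks = Counter(mask(p) for p in passwords)
    compliant = [p for p in passwords if meets_complexity(p)]
    predictable = [p for p in compliant if PREDICTABLE.match(mask(p))]
    lengths = Counter(len(p) for p in passwords)
    return {
        "total": len(passwords),
        "length_histogram": dict(sorted(lengths.items())),
        "top_masks": masks.most_common(3),
        "meets_complexity": len(compliant),
        "complex_but_predictable": len(predictable),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample, seven of eight entries pass the complexity check and six of those seven share the same capital-lowercase-digits shape, which is the kind of figure that supports a minimum-length recommendation.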



