Penetration Testing mailing list archives

Password Cracking Service on Domain Controllers


From: Jeff Bollinger <jeff01 () email unc edu>
Date: Thu, 09 Oct 2003 08:34:41 -0400

Has anyone ever used Avatier's Password Bouncer?

http://www.avatier.com/products/PasswordBouncer/

It seems to be a service you can install on a domain controller that will actively check user passwords and prevent them from entering weak ones. It's supposedly much stricter than the built-in password policies and passfilt.dll.

# Reject passwords that contain common words using a 300,000-word English wordlist.
# Reject passwords that contain common names using a 4,000-word proper name wordlist.
# Reject passwords that contain specific names or phrases using a custom wordlist that includes wildcard support.
# Enforce the use of upper and lower case characters (mixed case).
# Enforce the use and position of special characters.
# Enforce the use and position of numeric characters.
# Reject passwords that contain palindromes (i.e. radar or bob).
# Enforce password length, minimum, and maximum.
# Reject passwords with repeating sequences.


This is more of an administration/preventative tool rather than an active cracking tool like l0phtcrack, but I'm wondering if anyone knows how well this tool works, or if there are others like it that can be installed as a service/daemon? Is it possible to determine remotely if this service is running?

Thanks,
Jeff
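
Added example, not part of the original post and not Avatier's code: a Python check that applies most of the rules listed above (wordlists with wildcard support, mixed case, digits, special characters, palindromes, length, repeating sequences) to a candidate password. The wordlists, thresholds and the names `check_password` and `substrings` are assumptions made for illustration, and the positional rules for digits and special characters are left out.

```python
import fnmatch
import re

# Constructed sample lists (assumptions); a real filter would load full wordlists.
COMMON_WORDS = {"password", "welcome", "dragon", "summer"}
PROPER_NAMES = {"jeff", "alice", "robert"}
CUSTOM_PATTERNS = ["unc*", "tarheel?"]  # hypothetical site-specific wildcard entries


def substrings(s, min_len):
    """Yield every substring of s that is at least min_len characters long."""
    for i in range(len(s)):
        for j in range(i + min_len, len(s) + 1):
            yield s[i:j]


def check_password(pw, min_len=8, max_len=64, min_word=3):
    """Return the list of violated rules; an empty list means pw is accepted."""
    problems = []
    low = pw.lower()
    if not min_len <= len(pw) <= max_len:
        problems.append("length")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("mixed case")
    if not re.search(r"\d", pw):
        problems.append("numeric")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("special")
    # "Contains" checks work on substrings, so "Summer2003!" is still caught.
    parts = set(substrings(low, min_word))
    if parts & COMMON_WORDS:
        problems.append("common word")
    if parts & PROPER_NAMES:
        problems.append("proper name")
    if any(fnmatch.fnmatchcase(p, pat) for p in parts for pat in CUSTOM_PATTERNS):
        problems.append("custom wordlist")
    # Any embedded palindrome of min_word or more characters (radar, bob).
    if any(p == p[::-1] for p in parts):
        problems.append("palindrome")
    # A block of 2+ characters repeated back to back, or one character tripled.
    if re.search(r"(.{2,})\1", low) or re.search(r"(.)\1\1", low):
        problems.append("repeating sequence")
    return problems
```
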



