Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Password Quality checker

from [Hayes, Bill] Network Security [Permanent Link]
Subject: RE: Password Quality checker
Date: Fri, 29 Dec 2006 09:26:09 -0600 
I would advise some caution in enthustically recommending the link
http://www.microsoft.com/athome/security/privacy/password_checker.mspx.
It regards the password strength of the strings 'password' as weak,
'Password'as medium, and 'Password1' as strong. 

Variations of easily guessable passwords are not strong passwords.
Having worked in IT and infosec jobs in Nebraska for 20 nearly years,  I
can't tell you the number of Husker fans who think that 'GoHuskers!' is
a strong password.  Even 'G0Husk3r5!' can be easily guessed.

BTW, I am NOT a sports fan (my wife and I may be the only folks in
Nebraska who aren't) so don't write to commiserate about this year's
team.  :-)

Bill... 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of intel96
Sent: Thursday, December 28, 2006 9:32 AM
To: Johnny Wong
Cc: Saqib Ali; security-basics@securityfocus.com
Subject: Re: Password Quality checker

Here is the link to the code for this password checker that Saqib
mentioned.
http://www.microsoft.com/athome/security/includes/passwdcheck.js
You could use the code as Saqib mentioned internally, but you will have
to modify it based on your requirements:

1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with Windows
GPO)
3) It should also work with Unix/Linux passwords

In Michael Howard book "Writing Secure Code" on pages 270-272, he
discusses password entropy.  This concept is what the JavaScript on
Microsoft's site is doing.

You can also validate user compliance with your company's password
policy after the fact using NetValidatePasswordPolicy.  More information
is available at this link:
http://msdn2.microsoft.com/en-us/library/aa370661.aspx.  NOTE:  I have
not used this to validate password compliance. 


Saqib Ali wrote:

MS has one on their website for public use. It is pretty cool :

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

Your password never gets sent to any server for checking. And if you 
use any other web based utility make sure it is not sending any 
anything to a server on the internet. Otherwise they might be 
collecting your passwords....

I would recommend implementing a in-house as you have have keep on 
updating it....

saqib
http://www.full-disk-encryption.net

On 12/23/06, Johnny Wong <johnnywkm@gmail.com> wrote:

Hello all,

I was wondering if your organization deploys any password quality 
checking tool to help users select policy-compliant passwords? Be it 
web-based or client based. I am thinking what type of requirements do



you use to select such tools, and what are the examples out there?

My thoughts:
1) It should not store the user's passwords (be it pass or fail)
2) It should be able to handle complexity rules (or align with 
Windows GPO)
3) It should also work with Unix/Linux passwords

Thanks,
JW
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Tracking down anonymous user, jbeauford
Next by Date:  Re: Basic question about remote registry on Windows, Ansgar -59cobalt- Wiechers
Previous by Thread:  Re: Password Quality checker, Arun Bhaskar
Next by Thread:  Server setup file encryption, kreno
Indexes:  [Date] [Thread] [Top] [All Lists]