Mark Minasi's Tech Forum
Xenophane
New Friend (or an Old Friend who Built a New Account)
Posts: 20
#1
A little while back I was finally allowed to release a script that I had lying around for a while. The script allows you to do an audit of your password usage in AD (it will not crack passwords, even though it supports that you supply a list of "known" passwords).

But it will report on any accounts that have the "same" password (do you have admins with multiple accounts that use the same password for each account?)

It will detect if people reset their passwords to a previously used password.

I was just wondering if any of you had given it a spin, or would be willing to?

You can read more about it here: http://www.xipher.dk/WordPress/?p=846

PS: sorry about the video, first attempt and other excuses [smile]

__________________
Claus T Nielsen
Microsoft Cloud and Datacenter MVP 
Founder of the Danish PowerShell UserGroup http://psug.dk
 
George Bernard Shaw: The power of accurate observation is commonly called cynicism by those who have not got it.
donoli
Senior Member
Posts: 546
#2
That sounds more vulnerable than never changing the password in the first place. If someone gets hold of that script with all the previous passwords, it would show the users' train of thought. Another script could be written to guess the next password.
wkasdo
Administrator
Posts: 215
#3
> If someone gets hold of that script with all the previous passwords, it would show the users' train of thought.

Not a problem. The script needs Domain Admin or equivalent to run so they can already do whatever they want.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
Xenophane
New Friend (or an Old Friend who Built a New Account)
Posts: 20
#4

Hi donoli

Yes, you have to protect the list if you decide to make one... I have just come across multiple companies where they hand out a password with x digits at the end, <Password01>, as a "default" password when people join the company... A password they are of course forced to change at first logon... But when you then test for <Password02>, <Password03> and you know that people have to change their password every x days, then you can quite easily calculate how long people have been employed... Since everyone has gotten the same initial password, everyone knows it, and it is easy for other people to "guess" as well... For some people I checked with HR how long they had been employed, and it took me only 2-3 guesses to get their password.
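As an added example (not the script from the thread, and not the poster's code), the PowerShell below runs the three checks the posts describe over a constructed set of accounts: a user and their admin account sharing one password, an account reset back to a password in its own history, and an account still on the "<prefix><two digits>" onboarding pattern. The onboarding prefix `Welcome`, the sample account names and the SHA-256-over-UTF-16LE fingerprint are all assumptions; SHA-256 stands in for the directory's real credential hash, and since every check only tests hash equality the logic is the same when fed real fingerprints.

```powershell
# Added example, not the script the thread discusses. Runs three audit checks
# over a constructed set of accounts:
#   SHARED  - several accounts (e.g. a user and their admin account) use one password
#   REUSED  - an account was reset back to a password already in its history
#   DEFAULT - the password still matches the "<prefix><two digits>" onboarding pattern
# SHA-256 of the UTF-16LE password stands in for the directory's credential hash
# (assumption); each check only tests hash equality, so real fingerprints work unchanged.

function Get-PasswordFingerprint {
    param([Parameter(Mandatory)][string]$Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    }
    finally {
        $sha.Dispose()
    }
}

function Invoke-PasswordUsageAudit {
    param(
        [Parameter(Mandatory)][object[]]$Accounts,   # objects with Name, Current, History
        [string]$DefaultPrefix = 'Welcome',           # assumed onboarding prefix
        [int]$DefaultMax = 99                         # highest two-digit suffix to check
    )

    # Check 1: the same fingerprint on more than one account.
    $Accounts | Group-Object -Property Current | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Finding = 'SHARED'
            Account = ($_.Group.Name -join ', ')
            Detail  = 'same password on all listed accounts'
        }
    }

    # Check 2: current fingerprint already present in that account's own history.
    foreach ($a in $Accounts) {
        if ($a.History -contains $a.Current) {
            [pscustomobject]@{ Finding = 'REUSED'; Account = $a.Name; Detail = 'reset back to a previously used password' }
        }
    }

    # Check 3: fingerprint Welcome01..Welcome99 once, then look each account up in that table.
    $known = @{}
    foreach ($n in 1..$DefaultMax) {
        $candidate = '{0}{1:D2}' -f $DefaultPrefix, $n
        $known[(Get-PasswordFingerprint $candidate)] = $candidate
    }
    foreach ($a in $Accounts) {
        if ($known.ContainsKey($a.Current)) {
            [pscustomobject]@{ Finding = 'DEFAULT'; Account = $a.Name; Detail = "matches onboarding pattern ($($known[$a.Current]))" }
        }
    }
}

# Constructed sample data; a real audit would take Current and History from the directory,
# never from plaintext. Names and passwords here are made up for the example.
$sample = @(
    [pscustomobject]@{ Name = 'alice';       Current = (Get-PasswordFingerprint 'Correct-Horse-9!'); History = @((Get-PasswordFingerprint 'Winter-2015')) }
    [pscustomobject]@{ Name = 'alice-admin'; Current = (Get-PasswordFingerprint 'Correct-Horse-9!'); History = @() }
    [pscustomobject]@{ Name = 'bob';         Current = (Get-PasswordFingerprint 'Spring-2016');      History = @((Get-PasswordFingerprint 'Spring-2016'), (Get-PasswordFingerprint 'Autumn-2015')) }
    [pscustomobject]@{ Name = 'carol';       Current = (Get-PasswordFingerprint 'Welcome07');        History = @() }
)

Invoke-PasswordUsageAudit -Accounts $sample | Format-Table -AutoSize
```

Run as-is it reports `alice, alice-admin` as SHARED, `bob` as REUSED and `carol` as DEFAULT. The DEFAULT check deliberately reports which candidate matched so the audit output can go straight to the people who need to retire that onboarding default; the "known" list lives only in the audit run and, as wkasdo notes above, the whole thing already requires rights that would let a holder do far worse, so the list itself is not the thing to protect first.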
donoli
Senior Member
Posts: 546
#5
> Some people I checked with HR for how long they had been employed, and it took me only 2-3 guesses, to get their password.

That's exactly what I'm saying. The users' train of thought becomes an asset when it comes to guessing passwords. I don't agree with forcing a monthly or quarterly password change. IMO, an old password isn't old based on time. An old password isn't an old password until a new password is created. Then it becomes old.

I had a girlfriend who was annoyed with the company's password policy. She would use 1234567. When it was time to change, she would try 2345678 as long as the software didn't reject it. Those policies promote bad passwords.