SEC: UNCLASSIFIED --- Some Passwords on 2K Member Servers not wor king???
From: Vidler, Christopher MR (Christopher.Vidler_at_DEFENCE.GOV.AU)
Date: Wed, 15 Oct 2003 10:39:38 +1000 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Greeting all, I run an intranet server with restricted access (it holds our
network diagrams), I have it set to use NT authentication, and create local
accounts on the web server itself (2K Server SP3). The sever is a member of
a NT4 domain, not that this should matter. Anyway back on track...
When a new user is granted access I create them a local user account on the
web server, add them to the appropriate groups, and generate a random
password to start them off with (I've written an ASP/WMI tool to allow
password changes via web pages). now I've come across this several times,
but didn't think of it til today when I had an extra hard time with it.
Sometimes the random passwords I generate (a small VB program I wrote, that
also gives a phonetic alphabet output so 1's and I's or O's and 0's don't
get messed) and paste into the password box do not work!!! Now since I'm
cutting and pasting I'm sure there is no human error involved, but some
passwords, not all, just won't let the users logon (I've tried and
duplicated this effect with the example I'll give below), change the
password to something else and bingo, the logon works. change the password
back to the 'broken' password, and logons fail.
I generate 8 character random passwords made up of upper and lower case
letters and numbers, no punctuation of extended/Unicode characters, just
stuff that can be easily typed on the keyboard.
Now for the vast majority of times this has worked flawlessly (the server
now has in excess of 300 local accounts on it), Only 3 times in the past
has it failed, and today it failed twice for the same account. i.e.. I
created it with a 'bad' password, was informed by the user it wasn't
working, and generated a new password which was also 'bad', but luckily
third time worked.
Today this is the bad password in question (only the 8 char password on the
first line, not the phonetic spelling, is used):
november GOLF JULIET SIX THREE YANKEE EIGHT golf
I wasn't thinking in advance and didn't document the second bad password for
this particular account, but the third (working) password is below. The
user has now successfully logged on and changed his password.
HOTEL uniform papa alpha ONE ZULU KILO THREE
(note that now neither of these passwords are in use)
If someone else can try creating an account (unsure if it has to be a local
account, or if it affects domain accounts too) with the first password
above, and see if it works, let me know either way, as I want to know if it
is just me/my server or something to do with the formation of the passwords.
Maybe windows password hashing breaks down with certain inputs?!?
I'll (from now) be keeping a record of passwords that don't work, and will
endeavour to update this list with any findings.
Mr. Chris Vidler
Senior Network Performance Analyst
Department of Defence
---- NTBugtraq subscribers save $103.00 off the TICSA exam by using promo code "NT1003" when registering to take the TICSA exam at www.2test.com. Prove to your employer and peers that you have the knowledge and abilities to be an active stakeholder in today's enterprise security. Become TICSA certified www.trusecure.com/ticsa. Promotion expires 12/31/03 and cannot be used in combination with other offers. ----