Re: question regarding SAM file / l0phtcrack / pwdump2

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 12/19/01


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Evan Mann" <emann@questinc.org>, <focus-ms@securityfocus.com>
Date: Wed, 19 Dec 2001 13:46:55 -0500

In a perfect world, you would require passwords of 128 characters and smart
card/biometrics/some other form of EAP logon. :-)

In the real world, you require strong passwords (whether you use the default
passfilt.dll that is used when you enable complex passwords or whether you
write your own custom .dll), disallow re-use of passwords, require more
frequent password changes, restrict physical access to DCs, use group policy
to control membership of local groups on workstations and member servers,
require frequent password changes, disable null connections (if possible),
empty the membership of the Pre-Windows 2000 Compatible Access group (if
possible), and implement all of the other things you would use to help
secure your network. The most important part of securing your network,
however, is to educate your users. It is far easier for somebody to gain
access to your network via social engineering than by using any of the
technological mechanisms that are available.

Laura
----- Original Message -----
From: "Evan Mann" <emann@questinc.org>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, December 18, 2001 4:51 PM
Subject: RE: question regarding SAM file / l0phtcrack / pwdump2

> I went ahead and got PWDUMP and l0phtcrack and ran it on my SAM. After
> dumping my entire SAM, which took all of 2 seconds, I ran through
> l0phtcrack v3.0. In UNDER 5 seconds, a good 75% of my users' passwords were
> cracked. Increase time to 1 1/2 min and 95%. I'm up to 12 mins run time now
> and there's very very few users it hasn't discovered.
>
> So now that I see for my own eyes what a joke it would be to get into my
> network with a simple SAM dump, what advice do you offer for fixing these
> problems?
>
> Yes, 95% of the users' passwords are < 8 characters, and many of them
> either all numbers or all words. So I see one easy way is to make a minimum
> length of 8-10 char with combo of letters/#'s.
>
> What else?
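Laura's list and Evan's proposed minimum length both come down to rules that a password filter enforces at change time. The Python below is an added example written for this archive page; it is not code from the thread and not Microsoft's passfilt.dll. It reproduces the documented Windows complexity rule (characters from at least three of five classes, and no fragment of the account name or full name longer than two characters), raises the minimum to the 8 characters Evan suggests (an assumption here; the built-in rule only demands 6), and keeps a salted PBKDF2 history so that re-use of a previous password can be rejected without storing cleartext. The account names and passwords it tests are constructed.

```python
import hashlib
import os
import re
import string

# Assumed policy values: the thread suggests 8-10 characters; Windows'
# built-in complexity rule demands only 6 and three of five classes.
DEFAULT_MIN_LENGTH = 8
MIN_CLASSES = 3
PBKDF2_ROUNDS = 100_000


def character_classes(password):
    """Return the set of character classes present, mirroring the five
    categories the Windows complexity rule counts."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch.isalpha():
            classes.add("other_alpha")  # letters outside A-Z / a-z
        else:
            classes.add("symbol")
    return classes


def name_fragments(account_name, full_name):
    """Pieces of the account name and full name that the password must not
    contain (case-insensitive). Like Windows, split the full name on common
    separators and ignore tokens of two characters or fewer."""
    frags = {account_name.lower()} if account_name else set()
    for token in re.split(r"[,\.\-_ #\t]+", full_name or ""):
        if len(token) > 2:
            frags.add(token.lower())
    return frags


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest suitable for a password-history store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, history):
    """True if the candidate matches any (salt, digest) pair in history."""
    return any(hash_for_history(password, salt)[1] == digest
               for salt, digest in history)


def check_password(password, account_name, full_name="", history=(),
                   min_length=DEFAULT_MIN_LENGTH):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    for frag in sorted(name_fragments(account_name, full_name)):
        if frag in lowered:
            problems.append(f"contains name fragment '{frag}'")
    if was_used_before(password, history):
        problems.append("re-uses a previous password")
    return problems


def remember(history, password):
    """Record an accepted password's salted hash for future re-use checks."""
    history.append(hash_for_history(password))


if __name__ == "__main__":
    # Constructed sample account; the passwords are illustrative only.
    history = []
    for pw in ["summer", "Evan2001!", "Tr0ub4dor&3"]:
        print(pw, "->", check_password(pw, "emann", "Evan Mann", history) or "accepted")
    remember(history, "Tr0ub4dor&3")
    print("Tr0ub4dor&3 again ->",
          check_password("Tr0ub4dor&3", "emann", "Evan Mann", history))
```

A real filter DLL runs inside LSASS and receives the candidate password in cleartext at change time, so the history must be salted and hashed as above rather than compared against stored cleartext; also note that the complexity rule alone still accepts short dictionary words with a capital and a digit appended, which is why the minimum length matters more than the class count.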
