RE: Highlighting weak password dangers

"There is no reason for using brute-force for policy compliance."

Why not? An intruder might. Why on earth would you think you are safe
if you are not willing or able to do the same?


Will Barrett

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Kenton Smith
Sent: Wednesday, January 24, 2007 4:40 PM
To: WALI; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Highlighting weak password dangers

Don't use something that actually tries to login to the account, that's
counter productive. Use something like John the Ripper that uses the SAM
database. Use a dictionary or hybrid attack and fill your custom
dictionary with all the passwords that aren't allowed based on your
password policy. You do have a password policy, right?

Searching for weak passwords should take no time at all. There is no
reason for using brute-force for policy compliance. As soon as you start
brute-forcing you are trying to hack user accounts and I suspect that
would be against your security policy.


----- Original Message ----
From: WALI <hkhasgiwale@xxxxxxxxx>
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Wednesday, January 24, 2007 10:15:46 AM
Subject: Highlighting weak password dangers

I want to highlight the danger of using weak passwords on servers and
users admin desktops. I have tested TSgrinder with a basic dictionary
Brute Force to access Remote Desktop exploit on both servers and
desktops. The problem here is that when connected to domain, the Account
Lockout feature disables the account quite soon. I can only show the
exploit on machines not connected to the domain where Domain Security
policy doesn't flow down.

What are other interesting and intriguing ways to present this problem?
I also need a system to do Passwords Audit on my domain and make then
'secure password' policy compliance.

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around

?This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.?

This email has been scanned by the MessageLabs Email Security System.

For more information please visit

Relevant Pages

  • Re: GPO causing client security logs to fill?
    ... a virus in play. ... settings to be applied on your client workstations. ... Group Policy is a complex and often misunderstood beast. ... I modified the account ...
  • Re: The local policy of this system does not permit you to logon i
    ... Security policies were propagated with warning. ... Error 0x534 occurs when a user account in one or more Group Policy objects ... I have checked the security policies & the administrator profile is not ...
  • Re: GPO causing client security logs to fill?
    ... Unlink the Default Domain Controller Policy (As it was not previously ... settings to be applied on your client workstations. ... I modified the account ... So basically, the Account lockout threshold, account lockout ...
  • Re: GPO causing client security logs to fill?
    ... Possibly delete the Default Domoan Controller Policy (As it did not ... issues as it was about recoverying from a virus which appears to ... with client logon failures. ... I modified the account ...
  • Re: Password expires for no apparent reason
    ... policy that has set the values to what you see below meaning that users ... So I would define the password age and configure a value in there. ... As Harj said Account lockouts could potentially be a problem as perhaps ... Password expires for no apparent reason ...