Identifying users with weak passwords

By hrhsoleil
I am looking for a product that I can use to identify end users that log into our network (NT4.0 going to Active Directory this summer) using weak passwords. Can anyone help?

by jmgarvin In reply to Identifying users with we ...

Why don't you just turn on strong passwords and have all your users reset their passwords?

by SECUREIT In reply to Identifying users with we ...

There's a Password Audit Tool called LC5, you can find it at

by richard.l.bourgeois In reply to Identifying users with we ...

Use the Microsoft Base Security Analyzer (free). This will find all of your weak passwords and other security holes that you might need to look at. Also, I agree with the first answer of applying a security policy right now for passwords.

by InXale In reply to Identifying users with we ...

LC5 is very good. Alternatively, social engineering the information is pretty good. Create a template, ask users to fill the template in, with name, department, login and password, and mail it back to you.

I believe on Win2k (Win2003) you can force users to use complex passwords.

by Joseph Moore In reply to Identifying users with we ...

Another thing to try is something that was done during a security audit my company went through. I made an Admin-level account in my Windows domain and gave it to the security guy.
He then ran PWDUMP3, connecting to a domain controller, and extracted the password hashes.
Next, he ran the extracted hashes (made a text file) through CAIN, a freeware security tool. One of CAIN's features is the same type of password hash brute forcing that LC5 (and its earlier versions, L0phtCrack) did.
After a day or so, it did crack almost all passwords. (At the time I was using a password that had a character from the extended ASCII character set, and those characters can't be found by CAIN or LC5!)
But typically, this is the method I have heard of for finding weak passwords when you don't enable the password complexity filter. You just extract the hashes and bang away at them to reveal the passwords.

by gurzick In reply to Identifying users with we ...

Enable password filter. Then you may want to reduce the number of days required to change password, to force everybody to change their password.

by larryeparson In reply to Identifying users with we ...

I like these answers, but after doing my own research I found a product I like called pwddoublecheck. I know Symantec now owns LC and I run their virus protections, but they are way too pricey with LC; pwddoublecheck gives you some of the same features at a fraction of the price. My suggestion is to turn on strong passwords like jmgarvin suggested and also run pwddoublecheck as a second layer check. It works well and saves your wallet. I found it at
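
Added example, not part of any post in this thread and not code from any of the tools named: a simplified Python model of the complexity rule several replies recommend enabling (minimum length, three of four character classes, no account-name or full-name parts), followed by a deny-list lookup as a second check at password-set time. The six-character minimum, the deny-list entries and the three accounts are constructed assumptions.

```python
import re

# Constructed sample data: a tiny deny-list of well-known passwords (assumption).
COMMON = {"password1", "welcome1", "summer2004!", "letmein1"}

def name_tokens(account, full_name):
    """Account name plus the parts of the full name, 3+ characters only."""
    parts = [account] + re.split(r"[,.\-_ #\t]+", full_name)
    return [p.lower() for p in parts if len(p) >= 3]

def meets_complexity(password, account, full_name, min_len=6):
    """Simplified filter model: length, 3 of 4 character classes, no name parts."""
    if len(password) < min_len:
        return False
    classes = [
        re.search(r"[A-Z]", password),         # uppercase letters
        re.search(r"[a-z]", password),         # lowercase letters
        re.search(r"[0-9]", password),         # digits
        re.search(r"[^A-Za-z0-9]", password),  # everything else
    ]
    if sum(1 for c in classes if c) < 3:
        return False
    lowered = password.lower()
    return not any(tok in lowered for tok in name_tokens(account, full_name))

def check_new_passwords(candidates):
    """Return {account: verdict} for (account, full_name, proposed_password) tuples."""
    results = {}
    for account, full_name, password in candidates:
        if not meets_complexity(password, account, full_name):
            results[account] = "rejected by filter"
        elif password.lower() in COMMON:
            results[account] = "passes filter, but on deny-list"
        else:
            results[account] = "ok"
    return results

# Constructed accounts and proposed passwords, for illustration only.
SAMPLE = [
    ("jsmith", "John Smith", "Smith2004!"),       # contains part of the full name
    ("mjones", "Mary Jones", "Password1"),        # compliant yet trivially guessable
    ("akhan", "Amir Khan", "tr4il-Mix.cobalt"),   # compliant and not on the list
]

if __name__ == "__main__":
    for account, verdict in check_new_passwords(SAMPLE).items():
        print(f"{account}: {verdict}")
```

The second sample shows why the thread pairs the filter with a separate check: a password can satisfy every complexity rule and still be one of the first guesses an audit would try.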
