Francois Lachance wrote:
> I am currently doing a password audit for my employer. I am somewhat
> shocked at the success rate Ophcrack liveCD returns with the free
> small rainbow table in an AD network that has the complex password GPO
> setting turned on - 96% after 5:50hrs
>
> Now that I have all those juicy passwords, I would like to do some
> kind of analysis to make recommendations to management. My first
> recommendation will probably be to increase the minimum password
> length.
>
> I have two questions for the list:
> 1. What tools can I use to do that analysis?
> 2. Is there a way to force better complex password rules than what
> Microsoft provides in Windows 2003?
>
If you are using the Nessus ProfessionalFeed, it includes many different policies (CIS, FDCC, etc.) that include password auditing on various operating systems, and you can write your own too. I'm not surprised you were able to crack passwords this fast, but a quick audit of the systems in question would also tell you the age of the passwords, how often they are changed, and so on.

--
Ron Gula, CEO
Tenable Network Security
