How to check your system for weak passwords

1

I know one way is to enforce rules on the passwords, use at least one uppercase, lowercase, number, special character, and ensure that the password length is at least 8 characters, etc...

Is there an additional way to discover weak passwords, after they have been generated? I heard of "John the Ripper". Has anyone successfully applied that?

math

Posted 2011-03-02T13:19:54.497

Reputation: 2 376

Here is a guide for admins on cracking passwords: http://tools.question-defense.com/Cracking_Passwords_Guide.pdf

– math – 2011-03-07T12:20:43.810

Answers

3

For RedHat, see Securing and Hardening Red Hat Linux Production Systems and especially the section Enforcing Stronger Passwords.

For a more general article, see in Remote Access Hardening and Strong Password Enforcement, the section "Enforcing Strong Password Policy".

This uses pam_cracklib, whose deployment is described in Linux Password Security with pam_cracklib among many other sources.

harrymc

Posted 2011-03-02T13:19:54.497

Reputation: 306 093

3

Passwords are (if the implementation is good) stored as a hash code in your system. Furthermore they should get salted to hide weak passwords (in case someone gets hold of the database). You can read about salts and password storage here: http://en.wikipedia.org/wiki/Salt_%28cryptography%29

If you read the article you will understand that, done right, the password itself will never get stored. What gets stored is the hash code of the password + salt and the salt itself. What you could do to test your system for weak passwords is the same thing that hackers do: using brute force. In your special case you could (if one salt is used for all passwords) use a table with passwords + salt and the generated hash code. This will decrease the computation time considerably, as you will only have to compare the hash codes (this is only true if you use the table more than once). But again, this is only possible if the implementation is not the best possible solution.

If you have not forbidden weak passwords and you want your users to use strong passwords, the easiest (only) way to achieve this is by forcing the users at password generation, or checking their password at login as long as the password is still stored in clear in memory. Thus you can only easily check for strong passwords for users "using" the computer. If you want to check the passwords of all users your option is brute force.

If you have not done it in the past the solution would be to reset ALL passwords with random generated strong passwords and hand those to your users. At the next login you can force your users to use strong passwords.

John the Ripper is a brute force attack. It has a massive dictionary and stored hash codes and then runs this against your passwords. You could always run that, but it should be a waste of CPU time, as you should enforce strong passwords.

Darokthar

Posted 2011-03-02T13:19:54.497

Reputation: 1 361
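The salt-and-hash storage and the "one salt for all users" shortcut described in the answer above, as an added example (not code from the original answers). It hashes a constructed set of test credentials with PBKDF2 (an assumption; the answer does not name a hash function), then runs the same dictionary audit against a database with one shared salt and against one with a per-user salt. Hashes are grouped by salt, so with a shared salt each dictionary word is hashed once for all users; with per-user salts it must be hashed once per user. The iteration count is kept low so the example runs quickly; production deployments use far more.

```python
"""Added example: dictionary audit of salted password hashes, showing why a
shared salt makes a precomputed table cheap and a per-user salt does not."""
import hashlib
import os

# Kept small so the example runs fast; real deployments use a much higher count.
ITERATIONS = 20_000

# Constructed wordlist of the kind of weak passwords an audit should catch.
WORDLIST = ["password", "letmein", "123456", "qwerty", "welcome", "Tr0ub4dor&3"]


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of password + salt. Only the salt and this digest are
    stored; the password itself never is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(credentials, shared_salt=None):
    """Return {user: (salt, digest)}.

    shared_salt=b"..." reproduces the weak design the answer warns about (one
    salt for everybody); the default gives every user 16 random bytes."""
    db = {}
    for user, password in credentials:
        salt = shared_salt if shared_salt is not None else os.urandom(16)
        db[user] = (salt, hash_password(password, salt))
    return db


def audit_weak_passwords(db, wordlist):
    """Run the wordlist against every stored hash.

    Returns ({user: recovered_password}, number_of_hash_computations).
    Users are grouped by salt, so each (word, salt) pair is hashed only once:
    with a shared salt that is one table for all users, exactly the shortcut
    an attacker with the database would take."""
    by_salt = {}
    for user, (salt, digest) in db.items():
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)

    found = {}
    work = 0
    for salt, digests in by_salt.items():
        for word in wordlist:
            work += 1
            candidate = hash_password(word, salt)
            for user in digests.get(candidate, []):
                found[user] = word
    return found, work


if __name__ == "__main__":
    # Constructed test accounts, not real credentials.
    creds = [("alice", "password"), ("bob", "qwerty"),
             ("carol", "correct horse battery staple"), ("dave", "password")]
    for label, db in (("shared salt", make_user_db(creds, shared_salt=b"one salt for all")),
                      ("per-user salt", make_user_db(creds))):
        found, work = audit_weak_passwords(db, WORDLIST)
        print(f"{label}: {work} hash computations, weak accounts: {sorted(found)}")
```

Both databases give up the same three weak accounts; the difference is cost. With the shared salt the whole wordlist is hashed once (6 computations for 4 users), with per-user salts it is hashed once per user (24), and that factor grows with the number of accounts.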

3

There are tons of online services that generate secure passwords and services that check current password strength in one click (or even without clicks :)). Personally, I like GetSecurePassword since it combines both features.

tapkin

Posted 2011-03-02T13:19:54.497

Reputation: 172

Thanks, I should have edited the question by now, as I am targeting password analysis after it has been generated and you only have the hash anymore. Additionally I don't want to check plain text passwords used in my system with third party software, as they might store them. – math – 2012-09-18T07:17:42.687

1

John the Ripper is another tool to use for this. It actually attempts to crack your password based on a lot of different methods. The important thing with JTR is runtime - the longer it takes, the more secure the password is.

The way you use it is detailed here (I've avoided linking to the project's documentation - it's very sparse)

cp /etc/shadow shadow 
john -user:luser shadow

is the quickest method to get it up and running.

new123456

Posted 2011-03-02T13:19:54.497

Reputation: 3 707
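A pre-check that is worth running on the copied shadow file before handing it to John, as an added example (not part of the answer above and not John's own code). It parses constructed, placeholder shadow entries (the hash bodies are not real), reports for each account whether the password field is empty, locked or active and which crypt(3) scheme the hash uses, and builds the user list for John's --users= option from the accounts that actually have a hash to crack. Locked accounts (a leading "!", as passwd -l leaves) keep their hash, so the weak password comes back if the lock is lifted; include_locked=True adds those too. The scheme names and the 13-character traditional DES form are standard crypt(3) conventions; the Entry class and function names are this example's own.

```python
"""Added example: triage /etc/shadow entries before running John the Ripper."""
import re
from dataclasses import dataclass

# Constructed sample; hash bodies are placeholders, not real credentials.
SAMPLE_SHADOW = """\
root:$6$saltsalt$HASHBODYPLACEHOLDER:15000:0:99999:7:::
luser:$1$abcdefgh$HASHBODYPLACEHOLDER:15000:0:99999:7:::
legacy:ab2XJKlzF34aY:15000:0:99999:7:::
svc:!$6$saltsalt$HASHBODYPLACEHOLDER:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
guest::15000:0:99999:7:::
nobody:!!:15000:0:99999:7:::
"""

# crypt(3) scheme identifiers by prefix of the password field.
HASH_IDS = {
    "$1$": "md5crypt",       # fast to crack, worth flagging on its own
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

# Traditional DES crypt: 13 characters from ./0-9A-Za-z, no "$" prefix.
# It only uses the first 8 characters of the password, so even a long
# password stored this way is effectively 8 characters long.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


@dataclass
class Entry:
    user: str
    status: str     # "active", "locked", "empty" or "unknown"
    algorithm: str  # scheme name, "descrypt", "none" or "unknown"


def classify_hash(field: str):
    """Return (status, algorithm) for one shadow password field."""
    if field == "":
        return "empty", "none"          # no password at all
    status = "active"
    if field.startswith(("!", "*")):
        status = "locked"
        field = field.lstrip("!*")      # passwd -l keeps the hash behind the "!"
        if field == "":
            return status, "none"       # "*", "!" or "!!": nothing to crack
    for prefix, name in HASH_IDS.items():
        if field.startswith(prefix):
            return status, name
    if DES_RE.match(field):
        return status, "descrypt"
    return "unknown", "unknown"


def parse_shadow(text: str):
    """Parse shadow-format lines (user:hash:lastchg:min:max:warn:inactive:expire:)."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        status, algorithm = classify_hash(fields[1])
        entries.append(Entry(fields[0], status, algorithm))
    return entries


def crackable_users(entries, include_locked=False):
    """Accounts that have a hash John can work on, in file order."""
    wanted = {"active", "locked"} if include_locked else {"active"}
    return [e.user for e in entries
            if e.status in wanted and e.algorithm not in ("none", "unknown")]


def john_command(entries, shadow_copy="shadow", include_locked=False):
    """Build the invocation for the accounts selected above."""
    users = ",".join(crackable_users(entries, include_locked))
    return f"john --users={users} {shadow_copy}"


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for e in entries:
        print(f"{e.user:8} {e.status:8} {e.algorithm}")
    print(john_command(entries))
```

On the sample this prints one line per account and then "john --users=root,luser,legacy shadow": daemon, nobody and guest have nothing to crack (guest has no password at all, which is its own finding), svc is locked but still carries a hash, and legacy uses DES crypt, so it is weak regardless of what the password looks like. Accounts with an empty password field or an md5crypt/descrypt hash deserve a look even before John finishes.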