[Samba] weak passwords

Marc Muehlfeld mmuehlfeld at samba.org
Tue Oct 6 14:35:20 UTC 2015


Hello Mourik,

On 06.10.2015 at 14:32, mourik jan c heupink wrote:
> Is it possible to test our AD for weak passwords?
> ...
> Perhaps some kind of tool to test dictionary passwords etc

The passwords are stored as an encrypted NT hash. You can't decrypt
them. And to lookup the hashes in databases with cleartext strings or
try to brute force, would make you - at least here - directly
unemployed! ;-)

I think the best is what Rowland has already suggested: force all users
to set their passwords at the next login. Combined with a password
history, a good minimum length and minimum age, it's the best you can do.

However, even if you enable all that, this doesn't prevent users from
choosing stupid passwords: "January2015", "February2015",
"March2015", ... They are all valid, because they meet the minimum of 3 of
the 5 character categories
(https://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx),
and they won't even conflict with the password history policy.



Regards,
Marc
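A checker in the spirit of the complexity rule Marc cites, added here as an example and not code from the thread or from Samba: it approximates the Windows "3 of 5 character categories" policy (plus the minimum length and account-name checks from the same policy) and shows that "January2015" passes it, then adds a month+year heuristic that is my own assumption, not part of the Windows policy, to flag such passwords. The account and display names used are constructed.

```python
import re

# Added heuristic (assumption, not part of the Windows policy): catch
# "January2015"-style passwords that the complexity rule lets through.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_YEAR_RE = re.compile(r"^(%s)\d{2,4}\W?$" % "|".join(MONTHS),
                           re.IGNORECASE)


def categories(pw):
    """Count how many of the five Windows character categories pw uses."""
    cats = set()
    for ch in pw:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif "0" <= ch <= "9":
            cats.add("digit")
        elif ch.isalpha():
            cats.add("other_alpha")   # caseless alphabetic chars (e.g. CJK)
        else:
            cats.add("symbol")        # punctuation, space, etc.
    return len(cats)


def meets_windows_complexity(pw, sam_account_name, display_name=""):
    """Approximation of 'Password must meet complexity requirements':
    at least 6 chars, must not contain the account name or any token of
    the display name of 3+ chars, and at least 3 of the 5 categories."""
    if len(pw) < 6:
        return False
    low = pw.lower()
    if sam_account_name and sam_account_name.lower() in low:
        return False
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in low:
            return False
    return categories(pw) >= 3


def weak_reasons(pw, sam_account_name, display_name=""):
    """Return the list of findings for pw; an empty list means nothing flagged."""
    reasons = []
    if not meets_windows_complexity(pw, sam_account_name, display_name):
        reasons.append("fails Windows complexity policy")
    if MONTH_YEAR_RE.match(pw):
        reasons.append("predictable month+year pattern")
    return reasons
```

Such a heuristic belongs in a password-change hook (Samba's `check password script` is the natural place), where it sees the cleartext at change time instead of requiring any look at stored hashes.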


