[Samba] weak passwords
Marc Muehlfeld
mmuehlfeld at samba.org
Tue Oct 6 14:35:20 UTC 2015
Hello Mourik,

On 06.10.2015 at 14:32, mourik jan c heupink wrote:
> Is it possible to test our AD for weak passwords?
> ...
> Perhaps some kind of tool to test dictionary passwords etc

The passwords are stored as an encrypted NT hash. You can't decrypt
them. And to look up the hashes in databases with cleartext strings, or
to try to brute-force them, would make you - at least here - directly
unemployed! ;-)

I think the best is what Rowland has already suggested: Force all users
to set their passwords at the next login. Combined with a password
history, a good minimum length and minimum age, it's the best you can do.

However, even if you enable all that, this doesn't prevent users from
choosing stupid passwords: "January2015", "February2015",
"March2015",... They are all valid, because they meet the minimum 3 of
the 5 character categories
(https://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx)
and they won't even get in conflict with the password history policy.
Regards,
Marc
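
Added example (not part of Marc's message and not Samba code): a Python check illustrating the point above, that month-plus-year passwords satisfy a 3-of-5 category rule and pass a history comparison, and that an extra pattern test applied when a new password is set flags them. The category definitions, the minimum length of 8, the function names and the sample passwords are assumptions constructed for illustration; the cleartext history list is a simplification of a real hash-based history.

```python
import re

MONTHS = ("january february march april may june july august "
          "september october november december").split()
# Month name, optional separator, 2- or 4-digit year, optional trailing punctuation.
CALENDAR_RE = re.compile(
    r"^(?:%s)[\W_]*(?:\d{2}|\d{4})[\W_]*$" % "|".join(MONTHS),
    re.IGNORECASE,
)

def category_count(password):
    """Count how many of the five character categories occur in the password."""
    cats = set()
    for ch in password:
        if ch in "0123456789":
            cats.add("digit")
        elif ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isalpha():
            cats.add("other_alpha")  # alphabetic, but neither upper nor lower case
        else:
            cats.add("symbol")
    return len(cats)

def meets_complexity(password, min_length=8):
    """Assumed policy: minimum length plus at least 3 of the 5 categories."""
    return len(password) >= min_length and category_count(password) >= 3

def is_calendar_password(password):
    """True for values such as 'January2015' or 'march-15!'."""
    return CALENDAR_RE.match(password) is not None

def review(password, history=()):
    """Return the reasons to reject a new password; an empty list means accepted."""
    reasons = []
    if not meets_complexity(password):
        reasons.append("complexity")
    if password in history:  # simplification: real history compares stored hashes
        reasons.append("history")
    if is_calendar_password(password):
        reasons.append("calendar-pattern")
    return reasons

if __name__ == "__main__":
    previous = ["January2015"]  # constructed sample history
    for candidate in ["February2015", "March2015", "correct-Horse-7-battery"]:
        print(candidate, review(candidate, previous))
```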