[unisog] password checker?

Sawyer,John H JSawyer at ifas.ufl.edu
Wed Jun 1 17:39:52 GMT 2005

> feature we'd like to add to this process is a password 
> checker for windows boxes. Basically, we'd like something 
> that checks the passwords for the users, and if it's 
> simple/easy, we'd like to get them to change it.

Microsoft Baseline Security Analyzer does basic checks against
passwords.  This is pulled straight from the "What was scanned" page
under MBSA.  If you want something more in-depth, you will probably be
looking at a commercial product like L0phtCrack.

"Local Account Passwords Check Description
This check identifies any blank or simple passwords for each local user
account on the computer. This check is not performed on domain

Microsoft® Windows® Server 2003, Windows XP, Windows 2000, and
Windows NT® operating systems all require user authentication through
passwords. In general, users are permitted to choose their own
passwords. The security of their account depends on the choice of the
password. This check enumerates all user accounts and checks for the
following password conditions:

Password is blank. 
Password is the same as the user account name. 
Password is the same as the computer name. 
Password uses the word "password." 
Password uses the word "admin" or "administrator." 
This check also notifies you of any accounts that have been disabled or
are currently locked out.

For Windows XP computers that use simple file sharing (includes Windows
XP Home Edition and Windows XP Professional computers not joined to a
domain), MBSA will not flag local accounts with blank passwords. To help
protect users who do not password-protect their accounts, Windows XP
Professional accounts without passwords can only be used to log on at
the physical computer console. By default, accounts with blank passwords
can no longer be used to log on to the computer remotely over the
network, or for any other logon activity except at the main physical
console logon screen.


Microsoft Baseline Security Analyzer does not attempt to crack passwords
during this check, and instead attempts a password change request using
each condition in the preceding list. Account lockout policy counts will
be reset if in effect on the scanned computer."



John H. Sawyer - GCIH GCFW 
Systems Security Engineer
UF/IFAS Information Technologies
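As an added illustration of the check described above (this is example code written for this page, not MBSA's code and not from the original poster), the following PowerShell function emulates the "Local Account Passwords" check on a single Windows machine: it enumerates local user accounts through the WinNT ADSI provider, reports disabled and locked-out accounts, and tries each of the listed conditions (blank, account name, computer name, "password", "admin", "administrator") against the remaining accounts. The case variants, the `-Force` switch and the lockout-threshold guard are additions not mentioned in the MBSA text. It assumes local Administrator rights and a stock PowerShell 5.1 session; MBSA itself uses password-change requests rather than the credential validation used here.

```powershell
# Added example: emulate MBSA's "Local Account Passwords" check locally.
# Assumes: local admin rights, PowerShell 5.1+, and that
# System.DirectoryServices.AccountManagement is available (it ships with .NET).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-LockoutThreshold {
    # Parse "Lockout threshold:   Never" or "Lockout threshold:   5" from 'net accounts'.
    # Returns 0 when lockout is disabled, $null if the line could not be parsed.
    $line = (net accounts) | Select-String -Pattern '^Lockout threshold:\s+(\S+)'
    if (-not $line) { return $null }
    $value = $line.Matches[0].Groups[1].Value
    if ($value -eq 'Never') { return 0 }
    return [int]$value
}

function Get-WeakPasswordCandidates {
    param([Parameter(Mandatory)][string]$UserName)
    # The conditions MBSA lists; the lower/upper/capitalised variants are an
    # addition, since Windows passwords are case-sensitive.
    $cands = @('')
    foreach ($w in @($UserName, $env:COMPUTERNAME, 'password', 'admin', 'administrator')) {
        $cands += $w, $w.ToLower(), $w.ToUpper(),
                  ($w.Substring(0, 1).ToUpper() + $w.Substring(1).ToLower())
    }
    # Select-Object -Unique is case-sensitive, so 'Password' and 'password' both survive.
    return @($cands | Select-Object -Unique)
}

function Test-LocalAccountPasswords {
    [CmdletBinding()]
    param([switch]$Force)   # bypass the lockout-threshold guard (assumed, not MBSA's)

    $threshold = Get-LockoutThreshold
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    try {
        $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
        foreach ($acct in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'user' })) {
            $name   = [string]$acct.Name
            $result = [ordered]@{
                Account      = $name
                Disabled     = [bool]$acct.AccountDisabled.Value
                LockedOut    = [bool]$acct.IsAccountLocked.Value
                WeakPassword = $null
            }
            if (-not $result.Disabled -and -not $result.LockedOut) {
                $cands = Get-WeakPasswordCandidates -UserName $name
                # Every failed ValidateCredentials call is a real bad-logon event
                # (counted toward lockout), so refuse to run when the candidate
                # list alone would lock the account.
                if ($threshold -gt 0 -and $cands.Count -ge $threshold -and -not $Force) {
                    throw "Lockout threshold is $threshold but $($cands.Count) candidates would be tried for '$name'; raise the threshold or use -Force."
                }
                foreach ($cand in $cands) {
                    $ok = $false
                    try { $ok = $ctx.ValidateCredentials($name, $cand) } catch { $ok = $false }
                    if ($ok) {
                        $result.WeakPassword = if ($cand -eq '') { '<blank>' } else { $cand }
                        break
                    }
                }
            }
            [pscustomobject]$result
        }
    }
    finally { $ctx.Dispose() }
}

# Usage: Test-LocalAccountPasswords | Format-Table -AutoSize
```

Two caveats a practitioner should expect. First, `ValidateCredentials` performs a network-style logon, and with the default "Limit local account use of blank passwords to console logon only" setting a blank-password account will not validate this way, so the blank check has the same blind spot the MBSA text describes for Windows XP simple file sharing. Second, each failed candidate produces a failed-logon event (4625) and increments the account's bad-password count; unlike MBSA's password-change approach, which the quoted text says resets lockout counts, this script only refuses to run when the threshold is lower than the candidate count, so coordinate with whoever watches the security log before running it fleet-wide.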
