Password Cracking Service on Domain Controllers

From: Jeff Bollinger (jeff01@email.unc.edu)
Date: Thu Oct 09 2003 - 08:34:41 EDT


Has anyone ever used Avatier's Password Bouncer?

http://www.avatier.com/products/PasswordBouncer/

It seems to be a service you can install on a domain controller that
will actively check user passwords and prevent them from entering weak
ones. It's supposedly much stricter than the built-in password policies
and passfilt.dll.

> # Reject passwords that contain common words using a 300,000-word English wordlist.
> # Reject passwords that contain common names using a 4,000-word proper name wordlist.
> # Reject passwords that contain specific names or phrases using a custom wordlist that includes wildcard support.
> # Enforce the use of upper and lower case characters (mixed case).
> # Enforce the use and position of special characters.
> # Enforce the use and position of numeric characters.
> # Reject passwords that contain palindromes (i.e. radar or bob).
> # Enforce password length, minimum, and maximum.
> # Reject passwords with repeating sequences.

This is more of an administration/preventative tool rather than an
active cracking tool like l0phtcrack, but I'm wondering if anyone knows
how well this tool works, or if there are others like it that can be
installed as a service/daemon? Is it possible to determine remotely if
this service is running?

Thanks,
Jeff

---------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits?
Tired of using 300 different tools to do one job?
Get CORE IMPACT and get some rest.
www.coresecurity.com/promos/sf_ept2
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT