Re: Password validation
- From: "Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Feb 2008 21:13:47 -0700
I share the concerns that others have expressed. Nobody is suggesting that
you would include logic to record or steal passwords. But can you guarantee
that nobody else with administrator privileges would ever modify the script
to do so at a later date? Or create a copy elsewhere and trick people into
running it?
I believe it is generally bad practice to write any script or program that
requires a user to reveal their password to anything other than directly to
the built-in authentication procedures. Aside from the unscrupulous admin
scenario already mentioned is the mixed message you would be sending your
users. No bank would EVER do this with a client's bank card PIN, as they
expend a lot of effort trying to explain to their customers that this should
NEVER be given to ANYBODY, including to anyone representing the bank.
Once you have softened your users into accepting your benign script as OK,
they will be less critical of real attempts at coercing their passwords. The
net effect will ultimately be more complex passwords that are no longer
secret.
If your company wants compliance, and wants it for the enhanced security
complex passwords can bring, creating a security vulnerability seems an
unlikely way to achieve their desired ends.
/Al
"Gunna" <Gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A8F6BE84-D8B6-47A9-B507-CAB6B0B1917E@xxxxxxxxxxxxxxxx
jmiguy,
Actually it won't be hard at all to get them to do this as part of the
audit. The aim isn't to use it to steal or record the password as there
won't be any code in there to do such a thing.
"jmiguy@xxxxxxxxxxx" wrote:
On Feb 6, 2:19 pm, Gunna <Gu...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi Stace,
Yes that would be a good idea if I was allowed to actually enable that
function. For many reasons, don't ask me which as it would take too
long to write them all, I am not allowed to enable that. It's more to do with
the complexity. We do enforce a minimum password length but due to
different roles policies dictate some staff e.g. Domain Admins must have a longer
more complex password. I can't use a password cracker to check their
compliance as this will also reveal the password which defeats the purpose.
Your best bet is to roll out a group policy at the domain level and
set the "Apply this policy" permissions to "deny" for domain admins
and/or any other groups that have stricter password requirements.
Writing a script to perform this type of validation is fairly
straightforward, however, aside from the security issues that will undoubtedly
arise, how do you plan on getting users to voluntarily perform this
password audit on a regular basis?