
14 Sep 08

passwd reset plz

Sorry, I need my password reset..

Since the dawn of time, users have been getting either dumber or just plain stupid on many occasions. Well, I don't need to say why users are becoming more stupid, as there are hundreds of jokes flying around (or urban legends such as the CD drive used as a coffee mug holder, etc.).

One of the most, if not the worst, stupid requests a user can make is, yes, you guessed it, the password reset.
However, I don't blame them, given the rules on some systems (such as: do not reuse old passwords, do not keep a password for more than 90 days, do not change a password within 3 days, passwords must contain special characters and numbers and must not be dictionary words).

All good, but strict rules usually end up with people writing passwords down and sticking them on their monitor with a post-it, or in some other form.

Well, most, if not all, attacks come from remote locations in remote countries. So I won't bother covering physical security requirements, nor why users must not write passwords down on a piece of paper.

The topic isn't really password resets and how dumb users are, but how to recover a password, and how to crack/reveal it (another form of recovery?).

I had heard of John the Ripper before, but never actually cracked anything, as JtR does not crack AD directly. That means someone has to extract the AD password hashes first. And since my background is more Wintel than *nix, I never bothered with JtR on *nix.

Probably by now you know where I'm going. Yes, there are several tools that can dump password hashes from AD; with the right combination with JtR, they can display the password.

Let me just tell you, I am impressed.

My user password in AD is 12 chars long, 8 chars and 6 numeric chars, and it was cracked in less than 1 min. <with serious face>oops</with serious face>

Well, to defend my password level, my admin password (which is a lot longer and contains special chars) was not cracked even after 30 min (and it is still going as I am typing this).

OK, enough CRACKing, but how about other methods?
(excluding your favourite: call your helpdesk)

Program-wise, it is rather simple: ask the user to jump through hoops (e.g. ask some questions such as "what is your mum's name?") and, once validated, reset their password. Lucky me (again), Citrix has a tool called password manager self recovery tool (now I do sound like a salesman).

It took me a bloody few hours to figure out the implementation (as WI4.0 does not support recovery out of the box), and due to permission changes in the AD hierarchy (inheritance was turned off) the initial implementation didn't work. Partly me to blame too, but the documentation was just not very friendly at all. Who am I kidding, it's my fault that I didn't read the papers, but seriously, that doc was not designed for troubleshooting...

Now what do I get from users?

How do I use the password self recovery tool?

This is why I say users are getting dumber and dumber...
