A. Microsoft have a strong password filter that can force users to use passwords that are not easily guessable and more details can be found at 'Q. How do I enable strong password filtering?'.

If you want to test all your users's password's an excellent utility is l0phtcrack that will try and ascertain your passwords.

L0phtcrack allows NT Administrators & Information Security Engineers to quickly evaluate the security of users passwords. L0phtcrack supports traditional dictionary attacks, hybrid dictionary attacks, and fullblown exhaustive keyspace attacks (user definable).

L0phtcrack can gather NT password hashes through a number of ways, including the registry, SAM files, or even by monitoring SMB network activity.

L0phtcrack has recently won the InfoWorld Golden Guardian award and has been recommended by Microsoft.

Lophtcrack can be downloaded from http://www.l0pht.com/l0phtcrack/ and can be used for free for 15 days and is very simple to use once installed.

Once you start the utility you can either load in a Sam file (from the %systemroot%\system32\config directory) but not on your current installation as the files are locked or dump out passwords from the registry by selecting "Dump Passwords from Registry" from the Tools menu and select the computer, e.g. a domain controller or the local machine. If you want to dump from the registry you must be an Administrator on the machine whose registry you are trying to dump.

After importing the information from a source you will have a list of usernames and the hash values of the passwords, selecting 'Run Crack' from the Tools menu will then start the attack on the passwords.

Click here to view image
Notice the easy passwords were found quickly and it is starting to guess the more complex ones, only a matter of time.

The idea of running this is to find people who are using weak passwords and force them to change it, a good start is to use the strong password filtering which will FORCE users to use complex passwords and always make sure to have a minimum password length of 8 characters (set in User Manager - Policies - Account). This helps, but can give a person a false sense of security. For example, if the password requirement is just alphanumeric, a password like "N0ts3cur3" would be guessed rather quickly with a hybrid dictionary attack so you should still audit passwords regularly.

One reader of the FAQ has pointed out 8 characters is not the best number as an 8 character password consists of basically one 7 character passwords and a one letter password (the last character) which will be guessed almost instantly and may give a clue to the first seven characters. Many times, we've guessed the first half of the password based off of the 8th, 9th, and 10th characters. (i.e. ???????werty is either 123456qwerty or qwertyqwerty)

"When users are forced to use special characters, 9 out of 10 times, the user will put the special character at the end of the password. In an 8 character minimum password, the eight character becomes the symbol, and the first seven are letters and num! bers. The seven characters are cracked with L0pht crack in 24 hours or less. Thus, an 8 character password (even with a special character at the end) may either be cracked in 24 hours, or give up enough info to guess the first half (yes - a lot of assumptions here - but this theory has held up over 30,000 times). I'd like us to reset the industry line of thought on NT passwords and suggest that the strongest password policies are those that require seven characters (instead of 6 or 8). Also, the strongest passwords are those that are either 7 or 14 characters exactly, with at least one special character in each half (with very few exceptions - note Paul Ashtons 7 character or less pwd attack). Given that users will write down pwds that are 14 characters in length, 7 becomes the next best choice. I believe Dave Leblanc, InfoWorld, and some folks at Microsoft will agree that exactly 7 characters is a recommended length."