Use LC3 auditing to back up your password policy
I'm preaching to the converted when I say that one of the best ways to secure your network is through strong user passwords. However, getting users to create strong passwords is easier said than done. Improving the quality of passwords in your organization requires a multipronged approach. You need to publish a written policy that defines what strong passwords are and requires users to select and implement them. You also need to educate users about proven methods for remembering strong passwords (e.g., a pass phrase—usually a sentence from which you use the first letter of each word to construct your password). Then, you need to follow up regularly and verify that users have created high-quality passwords that someone else can't easily guess.
You simply can't get a full password report because Windows XP, Windows 2000, and Windows NT use hash algorithms to protect passwords stored in the SAM or Active Directory (AD). Therefore, you need a password-cracking tool such as @stake's L0phtCrack. The latest incarnation of the famous L0phtCrack tool, LC3, lets you import the password hashes from AD on a Win2K domain controller (DC) or from an NT DC's SAM. (To learn more about password hashing, see "Cracking User Passwords in Windows 2000," http://www.secadministrator.com, InstantDoc ID 9186.) You can then subject those hashed passwords to a variety of cracking techniques to reveal weaknesses. . . .
Register
