The purpose of password filters is to stop users from choosing weak
(easy-to-guess) passwords at the moment they change them.
Other tools such as password crackers check for bad passwords
after the fact. What too often happens when users are informed
that their passwords have been cracked and that they must change
them, however, is that they temporarily change them to something
better and then go right back to weak passwords that are easy
to remember. Your users need to have good passwords at all times,
not just after the most recent password cracking run.
Password filters come in all “sizes and flavors,”
but most of them share one mechanism: they hook the program used
to change passwords and compare each proposed password against
a dictionary of unacceptable passwords. A user who enters an
unacceptable password is told so and instructed to choose a
different one. All of them also require superuser (root or
Administrator) privileges to install, because they replace or
extend a privileged system component.
There are numerous free password filters for Unix/Linux systems
as well as for Windows systems.
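The mechanism just described, a dictionary comparison inside the password-changing path, as an added example written for this page (it is not code from anlpasswd, npasswd, LelandPW or any other tool named here). The word list is constructed inline and is tiny; real filters load lists of many megabytes from disk, one entry per line, which is the same format this example parses. The variant rules it applies (case folding, reversal, stripping one trailing digit or punctuation character) are this example's own choice, not a description of any named tool.

```python
"""Dictionary-based password filter (added example, not from the page's tools)."""
import string

# Constructed sample dictionary, one unacceptable password per line.
SAMPLE_DICTIONARY = """\
password
letmein
qwerty
welcome
argonne
"""

REJECT_MESSAGE = ("Password rejected: it, or a trivial variant of it, "
                  "is on the list of unacceptable passwords. Choose another.")


def load_dictionary(text):
    """Parse a newline-separated word list into a set of lowercase entries.
    Blank lines are ignored so a trailing newline does not add an empty entry."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def candidate_forms(password):
    """Yield the forms of the password that are compared against the dictionary.

    Users told that 'password' is banned tend to try 'Password', 'password1'
    or 'drowssap'; checking these variants closes the most obvious workarounds.
    (Variant rules are an assumption of this example.)
    """
    base = password.lower()
    yield base
    yield base[::-1]
    if len(base) > 1 and base[-1] in string.digits + string.punctuation:
        stripped = base[:-1]
        yield stripped
        yield stripped[::-1]


def check_password(password, dictionary):
    """Return (accepted, message): refuse the password if any candidate form
    is in the dictionary, otherwise accept it."""
    for form in candidate_forms(password):
        if form in dictionary:
            return False, REJECT_MESSAGE
    return True, "Password accepted."


def filter_passwords(passwords, dictionary_text=SAMPLE_DICTIONARY):
    """Apply the filter to several proposed passwords; returns a dict mapping
    each password to True (accepted) or False (rejected)."""
    dictionary = load_dictionary(dictionary_text)
    return {pw: check_password(pw, dictionary)[0] for pw in passwords}


if __name__ == "__main__":
    results = filter_passwords(["Password1", "drowssap", "qwerty!",
                                "correct horse battery staple"])
    for pw, ok in results.items():
        print(f"{pw!r}: {'accepted' if ok else 'rejected'}")
```

The lookups are set membership, so the cost per password change is a handful of hashes regardless of dictionary size; the expensive part of a real deployment is loading and maintaining the word list, not the check itself.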
Password Filters for Unix/Linux Hosts
anlpasswd
anlpasswd is a password filter developed at Argonne National
Laboratory. It is one of the most popular password filter
tools for Unix and Linux because its list of weak (unacceptable)
passwords is so extensive (approximately 107 MB). It also
includes ypsmarts, a feature that lets it filter passwords
in an NIS environment.
checkpassword
checkpassword is another password-checking tool. It gives any
root application a simple, uniform interface for verifying a
username and password, so it can be used by login, SMTP, FTP,
POP3 and many other programs that authenticate users. Many
checkpassword-compatible programs are available that support
one-time passwords, secret login names, long passwords,
sub-accounts, alternative password databases (such as cdb
databases), detailed logging and other features. Note that
checkpassword verifies a password presented at login time; it
does not by itself screen new passwords at change time, so it
complements rather than replaces a filter such as npasswd. A
PAM-based variant handles shadow passwords and MD5 password hashes.
checkpassword-pam is a checkpassword-compatible authentication
program that delegates the check to the host's PAM stack, so it
works with whatever password backend PAM is configured to use.
Many system administrators prefer it because it is more current
and easier to administer.
npasswd
npasswd replaces the passwd, chfn and chsh commands on Unix
and Linux hosts. New passwords are screened rigorously, which
makes it unlikely that users end up with weak passwords, that
is, passwords that fall quickly to dictionary or brute-force
cracking. npasswd also supports screening against a shadow
password database as well as one-time passwords. The downsides
are the large number of configuration options to work through,
and the fact that part of the policy deciding whether a password
is accepted is built into the npasswd code itself, so some
policy changes cannot be made through configuration alone.
Password Filters for Windows Hosts
Password Complexity
Password complexity is a rule applied when users change their
passwords: a new password is rejected unless it contains characters
from at least three of the following four classes: uppercase
English letters, lowercase English letters, digits, and special
symbols such as “$” and “%”. The check is built
into the Windows 2000, XP and Server 2003 operating systems; the
system administrator only needs to enable the password complexity
setting (“Password must meet complexity requirements”)
under Password Policy in either the Domain Security Policy or the
Local Security Policy. Setting it in the Domain Security Policy is
preferred, because it then applies to every account in the domain
rather than only to the local accounts of a single host.
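The built-in Windows complexity rule, reimplemented in Python as an added example (this is not Microsoft's code and does not reproduce its exact algorithm). It checks the three-of-four character-class rule described above and also the two further conditions Microsoft documents for the same setting: a minimum length of six characters, and that the password must not contain the user's account name or any token of three or more characters from the user's full name. Non-ASCII letters are ignored here, which is a simplification of this example; all sample names and passwords are constructed.

```python
"""Windows-style password complexity check (added example, not Microsoft's code)."""
import re

# Delimiters Windows uses when splitting the full (display) name into tokens.
FULL_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]")


def character_classes(password):
    """Return the set of character classes present, out of the four listed
    on the page: 'upper', 'lower', 'digit', 'symbol'. Letters outside A-Z/a-z
    are counted in none of them (a simplification of this example)."""
    classes = set()
    for ch in password:
        if "A" <= ch <= "Z":
            classes.add("upper")
        elif "a" <= ch <= "z":
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("symbol")
    return classes


def name_tokens(full_name):
    """Split a display name on the documented delimiters and keep tokens of
    three or more characters; none of them may appear in the password."""
    return [t for t in FULL_NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def meets_complexity(password, account_name="", full_name="",
                     min_length=6, required_classes=3):
    """Return (ok, reasons); reasons lists every rule the password breaks,
    so a user can be told everything that is wrong in one round."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    # Account-name check is case-insensitive and skipped for names under 3 chars.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            reasons.append(f"contains part of the full name ({token})")
    present = character_classes(password)
    if len(present) < required_classes:
        found = ", ".join(sorted(present)) or "none"
        reasons.append(f"only {len(present)} of 4 character classes ({found})")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample account.
    for pw in ["Sunset!Harbor42", "johnSmith1!", "password", "Pa$$1"]:
        ok, why = meets_complexity(pw, account_name="jsmith", full_name="John Smith")
        print(f"{pw!r}: {'OK' if ok else 'rejected: ' + '; '.join(why)}")
```

Because the rule only counts character classes, a password such as "Password1" passes it while sitting in every cracking dictionary; that is exactly the gap a dictionary filter such as LelandPW.DLL is meant to close on top of this check.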
LelandPW.DLL
LelandPW.DLL is a free Windows password filter developed
at Stanford University that enforces a much stricter set of
restrictions than the built-in password complexity check. It
works on the Windows 2000, XP and Server 2003 operating systems.
LelandPW.DLL ships with a default dictionary of bad passwords
and is easy to extend: add any further password(s) you want to
forbid to the ALLWORDS file, one entry per line (entries are
separated by a line break). Whenever a user enters a password
listed in ALLWORDS, the user sees the message "The password
does not meet the password policy requirements."
To filter all passwords within a domain (the better alternative),
install the filter on every domain controller, since any of them
may process a password change. To filter all passwords on an
individual host, install the filter on that host.
Copy LelandPW.dll and ALLWORDS to the System32 directory
(%SystemRoot%\System32) and set the permissions on both files so
that Everyone and Users/Domain Users have no more than Read & Execute
access. This matters: LSASS loads the DLL with full system privileges,
so anyone who can modify the file could run their own code inside
LSASS, and anyone who can edit ALLWORDS can weaken the policy.
Next, open a Registry editor and go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA key.
Select the Notification Packages value in the right-hand pane and
choose Modify (or Edit, depending on the Windows version) from the
Edit menu. The value is a multi-string, so one entry appears per
line. Without deleting any of the existing entries, add
"LelandPW" (without the quotation marks) on a new line after the
last entry. Finally, reboot.