Possible or impossible to check domain password length in PowerShell

This topic contains 4 replies, has 3 voices, and was last updated by  brian catlin 3 months, 3 weeks ago.

  • #97487

    brian catlin
    Participant

    I know it's pretty much impossible to find out users' passwords in the domain, as that would be a security violation, which makes sense.

    However, is it possible to write some lines of PowerShell that would check the length of all the passwords? Meaning, being able to audit to make sure there are at least 15 characters in the password?

    I have seen some third party plugins but didn't know if it could be done easily using native PowerShell.

  • #97500

    Fredrik Kacsmarck
    Participant

    I highly doubt any tool exists that will give you that information, at least not consistently.
    Other than password cracking tools that will actually crack the passwords of course.
    The whole point of passwords and encryption is to scramble the password and not give information that would help an attacker.

    If you're using old stuff like LM Hash then you may get some information, depending on the hash values.
    LM Hash is really weak, so if you're using that you have bigger problems than password lengths.
    It's pre NT4 SP4 stuff.

    If you want to make sure that all users have 15 or more characters in their password, you could set the domain password policy to 15 characters and then you would force a password reset.
    E.g. setting the password expiry to a suitable short time frame and then reset it to what it was set later on, once everyone has changed their password.
    Depending on the size of the company this may need to be done in a more staggered fashion and comms going out etc.

    The only other option would be to start cracking passwords and that is a whole other can of worms.
    If going this route, start looking at courses for Ethical Hacking so that you know what you're getting yourself into.
    E.g. get permission in writing etc.

    • #97535

      brian catlin
      Participant

      Ok great that is what I thought.

      I also told them exactly what you said and that we should come at this from another angle, and it made more sense to change the GPO and then have passwords expire and a short period where you could get everything merged over.

  • #97527

    Richard Siddaway
    Moderator

    All you do is get the MINIMUM requirements from the domain policy. No way I know to get password length on an individual user basis.

    • #97539

      brian catlin
      Participant

      I found articles on how to "require users" to use at least 15 characters when they change their password once their current one expired. I just was wanting to confirm PowerShell was unable to audit that. I never say never on anything because the impossible is often possible, but you get my point: in the normal realm of possibility this is not something that is realistic.

      Thanks for assisting!
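
The approach the replies settle on (read the enforced minimum from policy, then rely on a forced change) can be checked with the ActiveDirectory module. This is an added example, not code posted by anyone in the thread; `$PolicyChangeDate` and `$RequiredLength` are assumed values to replace with your own.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: the date the 15-character minimum took effect (constructed value).
$PolicyChangeDate = Get-Date '2018-05-01'
$RequiredLength   = 15

# 1. What the domain enforces today. Password length itself is not readable,
#    only the minimum that was in force when a password was set.
$default = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    Policy            = 'Default domain password policy'
    MinPasswordLength = $default.MinPasswordLength
    MaxPasswordAge    = $default.MaxPasswordAge
    MeetsRequirement  = $default.MinPasswordLength -ge $RequiredLength
}

# Fine-grained password policies can override the default for some users or groups.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength,
        @{ n = 'MeetsRequirement'; e = { $_.MinPasswordLength -ge $RequiredLength } }

# 2. Enabled accounts whose password was last set before the policy change
#    (or never set). These passwords were accepted under the old minimum.
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PolicyChangeDate } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet
```

Accounts listed with `PasswordNeverExpires` set to `True` will not be caught by shortening the password expiry and need a separate forced change.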
