
Automated local password compliance test tool

IP.com Disclosure Number: IPCOM000250600D
Publication Date: 2017-Aug-07
Document File: 3 page(s) / 108K

Publishing Venue

The IP.com Prior Art Database


Automated Local Password Compliance Test Tool

Companies need a solution to check the security of the passwords loaded on the company’s servers. A single weak password can compromise multiple servers, sensitive business data, and even expose the entire infrastructure. In terms of cyber security, ensuring that all accounts loaded on a server maintain a minimal level of security is crucial. Having a strong password policy is not enough; a company must enforce and regularly check the passwords on its servers. It is imperative for companies to have a system for checking the passwords in the computing environment.

Many of the current solutions require manual execution and still risk password exposure, because the passwords being tested are handled as plain text.

The novel contribution is a lightweight system that checks the password shadow files of the users on the server against lists of common password hashes. The password list is passed to the system as a parameter, allowing administrators to run basic checks (e.g., a top-100 password list) or more thorough checks with a password dictionary of up to 400,000 entries.

The system compares a plurality of UNIX*-like password shadow files against a plurality of hashes of known trivial passwords without disclosing the tested passwords in plain text. Instead, the system discreetly outputs only the failed user names, avoiding unnecessary risk and protecting both the ID owner and the tester. Results can be parsed against the company directory to check for invalid IDs (e.g., IDs belonging to people who have left the company).

The system can check several IDs against several hashes without user intervention.

The method steps follow:

1. System administrator (SysAdmin) runs the script on the target server

2. SysAdmin specifies the path of the Unix (or similar) Password Shadow files

3. SysAdmin loads the dictionary of "trivial/weak" password hashes

4. SysAdmin selects restricted types of user IDs (to exclude from the test)

5. System provides a report to the SysAdmin with the list of User IDs with "weak/trivial" passwords
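The following is an added example of the check described above and in the five method steps; it is not the disclosure's own code. It assumes a Linux-style shadow layout (`user:hash:lastchg:min:max:warn:inact:expire:reserved`) and salted `crypt(3)` hashes, so rather than comparing against a precomputed hash list it re-hashes each dictionary word with each account's own salt and scheme (the standard `crypt.crypt(word, stored) == stored` check). The `audit_shadow`, `parse_shadow`, `crypt_hasher`, `stub_hasher` and `build_sample_shadow` names, the sample shadow rows and the small dictionary are all constructed for this example. As in the disclosure, only failed user names are reported, never passwords.

```python
"""Local shadow-file weak-password audit (added example, not the disclosure's code).

Assumes: Linux-style /etc/shadow lines and salted crypt(3) hashes. Each
dictionary word is re-hashed with the account's own salt and scheme instead
of being compared to a precomputed hash list. Only user names are output.
"""
import hashlib
from typing import Callable, Iterable, List

try:
    import crypt  # stdlib on Unix up to Python 3.12 (removed in 3.13)
except ImportError:
    crypt = None  # a hasher must then be injected explicitly

# (candidate, stored_hash) -> hash string computed with stored_hash's salt
Hasher = Callable[[str, str], str]


def crypt_hasher(candidate: str, stored: str) -> str:
    """Re-hash `candidate` with the scheme/rounds/salt prefix found in `stored`.
    crypt(3) parses "$id$[rounds$]salt$" from the stored hash itself."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable; inject another hasher")
    return crypt.crypt(candidate, stored)


def stub_hasher(candidate: str, stored: str) -> str:
    """Stand-in hasher (constructed, NOT a real crypt scheme) so the demo and
    tests run without the crypt module: '$x$<salt>$<sha256(salt+candidate)>'."""
    salt = stored.split("$")[2]
    digest = hashlib.sha256((salt + candidate).encode()).hexdigest()
    return f"$x${salt}${digest}"


def parse_shadow(text: str):
    """Yield (user, hash) for each shadow line that carries a testable hash.
    Locked/passwordless entries ('!', '!!', '*', empty) are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_hash = fields[0], fields[1]
        if not pw_hash or pw_hash[0] in "!*":
            continue
        yield user, pw_hash


def audit_shadow(shadow_text: str, weak_passwords: Iterable[str],
                 exclude_users: Iterable[str] = (),
                 hasher: Hasher = crypt_hasher) -> List[str]:
    """Return user names whose stored hash matches any dictionary entry.
    `exclude_users` is the SysAdmin's restricted-ID list (method step 4).
    Matching passwords are never included in the result."""
    excluded = set(exclude_users)
    words = list(dict.fromkeys(weak_passwords))  # de-duplicate, keep order
    failed: List[str] = []
    for user, stored in parse_shadow(shadow_text):
        if user in excluded:
            continue
        if any(hasher(word, stored) == stored for word in words):
            failed.append(user)
    return failed


# Constructed dictionary standing in for the "trivial/weak" password list.
SAMPLE_WEAK = ["123456", "password", "qwerty", "letmein"]


def build_sample_shadow(hasher: Hasher) -> str:
    """Constructed shadow content for the demo; not taken from any real host."""
    rows = [  # (user, password, salt); None = locked account
        ("root", "C0rrect-H0rse-Battery", "rkQ4uQqKfy8f2wv8"),
        ("alice", "123456", "J7zG2qTjp1Qw8e3X"),
        ("svc_backup", "password", "mN1p3rT9uV4xY2aB"),
        ("bob", None, None),
    ]
    lines = ["daemon:*:19000:0:99999:7:::"]
    for user, pw, salt in rows:
        h = "!" if pw is None else hasher(pw, f"$6${salt}$")
        lines.append(f"{user}:{h}:19000:0:99999:7:::")
    return "\n".join(lines)


if __name__ == "__main__":
    # Use real crypt(3) when present, otherwise the constructed stand-in.
    h = crypt_hasher if crypt is not None else stub_hasher
    shadow = build_sample_shadow(h)
    # Step 4: svc_backup is a restricted ID excluded from the test.
    print("weak:", audit_shadow(shadow, SAMPLE_WEAK,
                                exclude_users=["svc_backup"], hasher=h))
```

On a real host the SysAdmin would read the shadow path given in step 2 and the dictionary file from step 3 in place of the constructed `build_sample_shadow` and `SAMPLE_WEAK`; running as root is required to read the shadow file, and the report should be written somewhere with equally restrictive permissions since the list of weak accounts is itself sensitive.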

Figure: Architectural Diagram

...