I receive a call from a user and her manager. The user is being harassed by her soon-to-be ex-husband. They also work in the same area but I don't know how much separation there is between them.
Anyway, he tells me that he is able to get her password - not having it reset but her password itself! She told me that she changed her password in the morning and by the afternoon he has it. She even stated that he is bragging that "it's nice to have friends in the computer department."
There are only two groups that I can think of who may have the ability to decrypt users' passwords - but I am leaning more towards one ... the Security Group!
So it appears that someone, if true, is leaking users' passwords and allowing the harassment of another employee! I keep telling you that I work with a lot of back-stabbing scumbags!
By BPFH: Actually, CK, a modern operating system shouldn't allow ANYONE, sysadmin or otherwise, to decrypt a password--reset one, yes, but not decrypt it. (That may sound odd, but there are ways to verify that the correct password was used without decrypting the encrypted password.)
What I'd suggest that your friend do is look for keystroke-logging hardware or software on her system. If her soon-to-be-ex really is getting her password, a keystroke logger is a FAR more likely way of doing it than decrypting her password.
By SouthernProgrammer: Things like this irritate me.
#1: Switch the PC out...NOW. I once had a user with a similar problem. I took the PC and found keystroke software installed by another user logging on and that user was dismissed.
#2: Someone needs to send out a generic memo to the Security group and other groups involved stating that passing along personal info is grounds for dismissal.
By thelma: What Southern Programmer said. Log on from another PC and change the password. Use a different PC. Have the suspect PC scanned for spyware.
By CK: It is possible to decrypt the password from Active Directory so long as you are a domain admin that has access!
The only other thing that I can think of is a key-logger installed on the PC. The issue with that would be that the person would have to have it installed on several PCs in that area and that the users have roaming profiles.
But regardless of HOW it is done but rather that she is being harassed and someone from my division is assisting in the harassment!
Again, if all that I have been told is true (and that doesn't surprise me) then you know what type of people I have to put up with! They push that envelope to the very edge!
But I am SO very glad that I am not involved in that one - I just had to report the request - period!
By CK: NT does store passwords that can be cracked. It is stored in a file called the SAM file. Anyone who has read permissions on the DC can read that file. All you have to do is snatch a copy of the file in order to crack it. There is also a backup copy for offline use that can be snagged since the real SAM file is locked while the server is online.
In order to crack the SAM file, you first have to extract the NTLM hashes from it. You usually need another program in order to do that. You would then crack the passwords with a program called L0phtcrack (with a zero instead of an O). You have to find a version available off of someone's web site since they do not offer it for download anymore. You will need a crack for that by the way. It is not FREE. You can speed up the process with a rainbow table (precompiled text file of all possible computations). The password is passed through the NTLM algorithm and you then have a hash. A rainbow table computes all of the hashes beforehand so it is like having a dictionary file for the password cracking program.
John The Ripper can also crack passwords.
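An added example, not part of any post in this thread: it shows how a stored record can verify a password without anything being decrypted, and why a per-user salt with a slow key-derivation function removes the benefit of hashes computed in advance. The user names, passwords and candidate list are constructed, and SHA-256 stands in here for an unsalted fast hash.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that happen to share one password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}
# Constructed candidate list standing in for the input to a precomputed table.
CANDIDATES = ["password", "letmein", "Winter2024!"]
ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash; SHA-256 is a stand-in for an unsalted scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Store (salt, derived key); the password itself is never kept."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Re-derive from the supplied password and compare; nothing is decrypted."""
    salt, key = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(attempt, key)


def table_hits(stored: dict[str, str]) -> list[str]:
    """Accounts whose stored value appears in a table computed once, in advance."""
    table = {unsalted_hash(c) for c in CANDIDATES}
    return sorted(u for u, h in stored.items() if h in table)


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_table_hits": table_hits(unsalted),
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_table_hits": table_hits({u: k.hex() for u, (_, k) in salted.items()}),
        "right_password_verifies": verify("Winter2024!", salted["alice"]),
        "wrong_password_verifies": verify("winter2024!", salted["alice"]),
    }
```

Calling `demo()` returns the comparison as a dictionary: the unsalted records match each other and the precomputed table, while the salted records match neither and still verify the correct password.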