I have just got a report of a penetration test, and one of the recommendations was to strengthen passwords. I, however, realized that no passwords were provided to the testers, and I wanted to find out if it was possible to determine the strength of a password without actually knowing that password?
- They likely mean to imply they broke some account passwords, and that in general, your password policy is considered too lax. – SnakeDoc Jul 06 '16 at 17:35
- I'd say they are probably right in 99% of the organizations, so they might just tell this to everyone, every time, and be pretty confident that they will almost never be questioned about it. – Bakuriu Jul 06 '16 at 17:59
- You could always ask them? – user253751 Jul 07 '16 at 00:05
- Honestly, if you asked me "What's the one thing I can do to tighten security?" I would answer, without hesitation, "Strengthen your password policy." It's such a blanket statement they almost can never be wrong. Doesn't matter if we're talking domain, application, or garage door opener (that has a pin). It's still a valid answer. – coteyr Jul 07 '16 at 21:10
- @coteyr Some policies (especially strong password policies in combination with short expiry schedules) encourage writing passwords down - there's a balance. – Random832 Jul 07 '16 at 23:31
- My first thought is that they saw a password hash that was too short. If you're storing password hashes and they're 16 hex characters long, I'd assume you're using the horribly unrecommended DES to do the hash. Even with salt/pepper that wouldn't be good. Of course my advice would have been more descriptive if that were the case. – Corey Ogburn Jul 08 '16 at 01:45
- @Random832, I agree, but it doesn't change the answer. – coteyr Jul 08 '16 at 06:41
- Maybe they had physical access to one of the computers, or there is a website where you can request a new user account. Then there probably would be a screen with the password requirements. I know, this might be pretty dumb and straightforward, but often enough dumb works fine. – hamena314 Jul 08 '16 at 07:38
- You can time how long your computer takes to "hack" the password. Anything below 100 years is probably too weak. – Aron Jul 08 '16 at 08:46
- > homomorphic encryption – Daniel W. Jul 08 '16 at 14:49
- @Aron Hopefully you mean *estimate* how long a computer would take to 'hack' the password. Timing it would be a long exercise in futility. :) – Casey Kuball Jul 08 '16 at 21:28
- @Darthfett if it wasn't an exercise in futility, then the encryption algo is weak. – Aron Jul 12 '16 at 05:25
7 Answers
I would figure there are two ways they've come up with the information that they drew that conclusion from.
- They ran the `net accounts /domain` command on a user's computer, which dumped the password complexity requirements for your organization (assumes Windows / Active Directory).
- They successfully brute forced (or guessed) user passwords because they were weak. Recent password dumps like LinkedIn have provided a trove of real-world passwords that pen-testers have been using in the field to try to crack passwords.
Without further information it's hard to say how they've come to that conclusion (we have no idea what the red team did or what was in scope), but those two ways are how I would assume they did it.

- Or they created an account with a weak password and noticed there's a weak password policy – BlueCacti Jul 08 '16 at 16:06
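The first bullet of this answer is the cheapest route to a "strengthen passwords" finding: the policy itself is readable without any user's password. As an added example (not code from the answer, and not a tool the testers are known to have used), here is a small Python checker that parses the kind of output `net accounts /domain` prints and flags settings that fall below a baseline. The sample output and the baseline numbers (12-character minimum, 12-entry history, lockout after at most 10 failures) are constructed assumptions for the illustration; the real labels may differ slightly between Windows versions.

```python
import re

# Constructed sample of what `net accounts /domain` prints on a Windows domain
# member. The labels follow the real command's format; the values are invented
# for this example and describe a deliberately weak policy.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              6
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Baseline used by this example. These numbers are an assumption for the
# illustration, not a standard the page cites; set them to your own policy.
MIN_LENGTH = 12
MIN_HISTORY = 12
MAX_LOCKOUT_THRESHOLD = 10


def parse_net_accounts(text):
    """Map each 'Label:   value' line to a dict entry; other lines are ignored."""
    policy = {}
    for line in text.splitlines():
        match = re.match(r"^(.*?):\s{2,}(\S.*?)\s*$", line)
        if match:
            policy[match.group(1).strip()] = match.group(2).strip()
    return policy


def _as_int(value):
    """Numeric setting, or None for words like 'Never', 'None', 'Unlimited'."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def find_weaknesses(policy, min_length=MIN_LENGTH, min_history=MIN_HISTORY,
                    max_lockout=MAX_LOCKOUT_THRESHOLD):
    """Return (setting, value, reason) tuples for settings below the baseline.
    A missing or non-numeric setting is treated as failing, so an unknown
    state is reported rather than silently passed. An empty list means
    nothing in the parsed policy was flagged."""
    findings = []

    length_key = "Minimum password length"
    length = _as_int(policy.get(length_key))
    if length is None or length < min_length:
        findings.append((length_key, policy.get(length_key),
                         f"shorter than {min_length} characters"))

    history_key = "Length of password history maintained"
    history = _as_int(policy.get(history_key))
    if history is None or history < min_history:
        findings.append((history_key, policy.get(history_key),
                         f"fewer than {min_history} previous passwords remembered"))

    lockout_key = "Lockout threshold"
    lockout = _as_int(policy.get(lockout_key))
    if lockout is None or lockout > max_lockout:
        findings.append((lockout_key, policy.get(lockout_key),
                         f"no lockout, or more than {max_lockout} attempts allowed"))

    return findings


if __name__ == "__main__":
    # On the constructed sample this reports all three settings as weak.
    for setting, value, reason in find_weaknesses(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(f"{setting}: {value!r} ({reason})")
```

To use it on your own domain, save the output of `net accounts /domain` to a file and pass its contents to `parse_net_accounts`, then adjust the three baseline constants to whatever your policy is supposed to require. The point of the exercise is the same one the answer makes: the policy alone, with no user's password in hand, is enough evidence to back a "strengthen passwords" recommendation.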
Not really.
What a tester may know:
- Password policy: When signing up, or when changing a password, the application may restrict the possible passwords, leading to weak passwords. The password policy may also allow weak passwords, but that would be a separate issue.
- Password length: The tester may have gained information about the password length, for example via blind SQL injection, and may not have bothered to gather the password.
- The password: The tester may have gained access to the passwords, for example via SQL injection or via brute-forcing the login. But these issues should be listed separately as well.

- The SQL injection password capture shouldn't be possible unless they're storing passwords in plain text. – Azeezah M Jul 06 '16 at 23:53
- @AzeezahM You'd be surprised and probably horrified at how many companies do exactly that. – Jul 08 '16 at 05:16
Yes, it is possible.
Windows networks may be vulnerable to Null Session attacks which allow the attacker to enumerate system details:
...gain anonymous access to IPC$. By default, Windows NT family hosts allow anonymous access to system and network information through NetBIOS, so the following can be gleaned:
- User list
- Machine list
- NetBIOS name list
- Share list
- Password policy information
- Group and member list
- Local Security Authority policy information
- Trust information between domains and hosts

An appropriate, complete and professional pen test report has to include all the findings in detail. It should list not only how they came up with their conclusions, but also which methods they used, and potentially screenshots of their proofs. If not, you can ask for further details, and they are obliged to explain or provide them.
That said, without further details, I believe what they could do is find the password policy in general, and based on it advise to change it or improve it, if they believe it is weak or incomplete. Even then, they cannot and should not assume that a given user password is weak only because of that policy. Complex or strong passwords might still be created (in some cases) even with a not-so-strong password policy.
Most weaknesses occur when the user chooses a weak password, regardless of the password policy in place.

Repeat after me: It is not possible to determine password strength even by knowing the password!
Again: It is not possible to determine password strength even by knowing the password!
On the other hand, you can know the password strengths by looking at your password policy documents. If your password policy document does not specify how passwords should be generated, then they are correct that you have a weak password policy and therefore weak password strength.
A good password policy specifies at least the minimum entropy requirement for the various secure sections and the password generation method, instead of what passwords should superficially look like.

- Uh, a knowingly weak password is no good regardless of all other factors, including but not limited to the password policy itself. – Zack Jul 08 '16 at 20:14
- If some actual passwords are weak, obviously the password policy allows weak passwords. (Of course we don't know the average password strength.) – Paŭlo Ebermann Jul 08 '16 at 21:04
- @techraf: the word "even" is under the context that OP thinks that you would need to know the password to know password strength. This is untrue. Knowing the passwords doesn't really give you much information about those passwords' strength, except in some very trivial cases. The only way to calculate password strength is to look at the generation method, not the result of the password generation. Once you've specified how to generate passwords, the rest is just a matter of compliance. – Lie Ryan Jul 09 '16 at 02:30
- If the passwords aren't salted properly, a rainbow table of weak passwords would allow one to determine strength of an unknown password from the hash :) – Mark K Cowan Jul 10 '16 at 14:25
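To make the "generation method, not superficial look" argument of this answer concrete, here is an added Python example (not code from the answer or its comments). It scores a password by the entropy of the method that produced it and contrasts that with a composition rule that only inspects the finished string. The sizes it uses (94 printable ASCII characters, a 7776-word diceware list, a 50,000-word dictionary, 10 digits, 10 common symbols) are assumptions made for the illustration, not measured values.

```python
import math
import string


def entropy_bits_uniform(alphabet_size, length):
    """Entropy (bits) of a password whose characters are drawn independently
    and uniformly at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def entropy_bits_wordlist(list_size, word_count):
    """Entropy (bits) of a passphrase of `word_count` words drawn uniformly
    from a list of `list_size` words (diceware-style generation)."""
    return word_count * math.log2(list_size)


def entropy_bits_pattern(*choice_counts):
    """Entropy (bits) of a generation method made of independent choices,
    given how many alternatives each choice has. This models human habits
    such as 'pick a word, capitalise it, append a digit and a symbol'."""
    return sum(math.log2(n) for n in choice_counts)


def minimum_length_for_bits(alphabet_size, target_bits):
    """Shortest length at which uniform random generation over the alphabet
    reaches `target_bits` of entropy; the number a policy should state."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def meets_composition_policy(password, min_len=8):
    """The kind of 'superficial look' rule the answer argues against: a
    minimum length plus at least one character from each class."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def compare_methods():
    """Constructed comparison of three generation methods. All three can
    yield strings that pass a composition rule; only the method tells you
    how much searching an attacker faces. Sizes are assumptions."""
    return {
        "16 random printable ASCII characters": entropy_bits_uniform(94, 16),
        "6 diceware words from a 7776-word list": entropy_bits_wordlist(7776, 6),
        "capitalised dictionary word + digit + symbol":
            entropy_bits_pattern(50_000, 10, 10),
    }


if __name__ == "__main__":
    for method, bits in compare_methods().items():
        print(f"{bits:6.1f} bits  {method}")
    # The composition rule accepts the ~22-bit pattern and rejects a
    # four-word passphrase, which is the inversion the answer warns about.
    print(meets_composition_policy("Summer1!"))                      # True
    print(meets_composition_policy("correct horse battery staple"))  # False
    print(minimum_length_for_bits(62, 80))                           # 14
```

The useful output of `minimum_length_for_bits` is the figure a policy document should actually contain: for an 80-bit target it gives 14 characters over a 62-symbol alphanumeric alphabet but 18 over lowercase only, so "minimum length" is meaningless unless the policy also pins down the alphabet and the random generation method.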
There can be some information about how the passwords are stored. E.g., the Sharity Light guide, section 3, recommends setting "LmCompatibilityLevel"=dword:1 for greater compatibility. This does cause passwords to be stored in a less secure way.
In this case, what the user types is not the detected problem. However, what is being referred to is how the credential information is getting stored. By changing such storage details, the result could reasonably be described as a change that did "strengthen passwords".

Strength = length + caps/non-caps + numbers + special Characters
- Knowing those requires knowing the password, though. You could check the password policy, but several other answers have mentioned that already. – Ben N Jul 07 '16 at 17:23
- More than that, @BenN, you would have to know what each *specific* password had as their length, letters, digits, and characters. This answer *only* tests the strength of the policy, not the actual passwords. – schroeder Jul 07 '16 at 19:08