tag:blogger.com,1999:blog-4482521283458453577.post4754417285439966542..comments2010-03-09T00:07:20.865-08:00kevin thompsonhttps://profiles.google.com/107682921975811187169noreply@blogger.comBlogger3125tag:blogger.com,1999:blog-4482521283458453577.post-27969481766160135682010-03-09T00:07:20.826-08:002010-03-09T00:07:20.826-08:00There are easier ways -- FTK Imager lite does not (as yet, anyway) trigger AV, and does not do anything too unpleasant to the system it runs on.<br /><br />I&#39;d like to add that password security should not be about about what passwords individual users set. Leaving last line of defense in the hands of users is just not done.<br /><br />Instead it should be about the authentication situation where those passwords are used. How fast can a password-guessing attack be done? For how long can an attacker do such an attack before he&#39;s discovered? And, of course, how many guesses would it take to find a password under those conditions. Increasing password strength (i.e. how long it takes to guess the password) is not necessarily the most efficient countermeasure.<br /><br />Even a very liberal lockout policy (say, after 20 failed attempts per hour), puts a very effective stop to prolonged password guessing without inconveniencing users or support desk. Add to that logging failed authentication attempts in general, and analyzing the general situation,and even slow-motion attacks can be discovered.<br /><br /> In that kind of situation, passwords only need to withstand a much smaller number of guessing attempts until the attack is discovered and controlled.<br /><br />In other words, the effort is probably better spent improving the full authentication situation that only passwords.<br /><br />In general, that is -- in this case, you may already have those things controlled to the point where passwords are the next step.A. Thulinnoreply@blogger.comtag:blogger.com,1999:blog-4482521283458453577.post-4669225096849906672010-03-08T14:00:19.043-08:002010-03-08T14:00:19.043-08:00@Miha<br />To gather the master list of password hashes I had a system administrator run the fgdump utility on a domain controller. This can be a bit tricky because anti-virus software will alert on the file. So first we have to temporarily disable real time protection, then run fgdump. <br /><br />Also when running fgdump, we had to turn off the feature whereby it tries to disable antivirus (which we&#39;ve already disabled). I believe that is the -a option, but I&#39;m not positive right now.Black Fisthttp://www.blogger.com/profile/10140419541264972382noreply@blogger.comtag:blogger.com,1999:blog-4482521283458453577.post-25298296310033751702010-03-08T02:38:10.332-08:002010-03-08T02:38:10.332-08:00Could you describe in some greater detail how (from where exactly) did you get the original fgdump list?Mihahttp://www.blogger.com/profile/12530391820802328625noreply@blogger.com