IT audit examines password details to ensure security and compliance.

NilsBjoern8895
62
07-13-2016, 12:52 AM
#1
Recently, our company’s IT department started checking passwords and marking any with personal details as risky. I understand why my password fails—they’re not using hashing properly, which means plaintext could be exposed. I’m frustrated that they can read passwords directly instead of protecting them. Is Active Directory really storing hashed values? Could a specific algorithm reveal parts of the original string during comparison? Or are they storing plaintext somewhere and pretending it’s secure? My only guess is that the hash actually contains fragments of the password, but I don’t have proof of this.

Aruan_Vargas
Member
233
07-18-2016, 06:20 AM
#2
They probably just tweak password rules and push for a change across all accounts. If they’re known for poor handling, it might be an attempt to exaggerate their security skills. The person I replaced often manipulated staff to meet strict, harsh password policies. I don’t know of any method to view passwords directly in Microsoft AD, but I’m interested to find out.

mcrafter5279
Member
128
07-18-2016, 08:07 AM
#3
They don't need to keep passwords in plain text; they can process it whenever you type it for compliance. In a few uncommon situations, the password is checked during creation and details are saved in clear text, such as showing: amount of letters, numbers, no special symbols, etc.

ManicFG
Member
72
07-18-2016, 03:48 PM
#4
Auditing passwords is a fresh topic for me. Throughout my six years in IT, I've never seen a manager say something so absurd. If someone hasn't updated their password since the new policy was introduced, it's likely they're trying to uncover it—best to go with what they suggest to avoid any blame later.

ItzJustDaan
Junior Member
32
07-25-2016, 01:12 PM
#5
This approach follows the standard method used by most websites. Your browser performs local verification.

ladymorepork
Posting Freak
791
07-25-2016, 10:55 PM
#6
This section has been consistent since last June, but it wasn’t highlighted then. After the fact, it appears they’re viewing it in plaintext. I sent a follow-up email to check if anyone would contact me about it—I’m not sure they’ll respond.

AnttoZz
Member
179
07-26-2016, 12:03 AM
#7
Are there any third-party MFA solutions available for accessing your device? Some of these tools might support this, even when integrated with Microsoft AD. It seems like a keylogger could be used to confirm compliance before reaching the central system.

Typogif
Junior Member
31
07-31-2016, 05:20 PM
#8
No activity recorded prior to login. They likely handle third-party access controls, but it doesn’t seem to affect the authentication flow. Seems safe—maybe limit work device usage.

a_qtr39
Junior Member
25
08-02-2016, 07:12 AM
#9
Absolutely, you had to enter it since last June. Each time you do, it gets encrypted and sent to the server, where it’s decrypted and verified so you can log in. The server can review it anytime and alert IT if there’s an issue, or it might automatically block you until you fix it. This process is standard and widely used.

ketman34
Posting Freak
834
08-02-2016, 01:32 PM
#10
Password checks verify encrypted versions, not original data. It's important to keep passwords unreadable, especially since hashing makes decryption impractical.

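Posts #1, #3 and #10 circle around two questions: can a stored hash give away fragments of the password, and how can an audit flag "personal details" in a password without anyone keeping the plaintext? The following is an added illustration written for this thread; it is not code from the forum, from Active Directory or from any vendor, and it makes no claim about how AD stores credentials. It uses PBKDF2-HMAC-SHA256 as a stand-in for a salted password hash; the iteration count, the list of personal details and the sample passwords are constructed for the example. The policy check runs once, at set or change time, while the plaintext is transiently in memory, and only the verdict is kept beside the salt and digest. Login never "decrypts" anything: the attempt is hashed with the stored salt and the digests are compared in constant time. `leaks_fragment` and `differing_bits` show that the stored blob contains no substring of the password and that a one-character change flips roughly half the digest bits, which is why the hash cannot be used to read the password back.

```python
"""Toy credential store: policy check at change time, salted hash at rest.

Added illustration for the thread above; not the forum's or any product's
code. PBKDF2 parameters, the personal-details list and the sample passwords
are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # constructed; tune to current guidance in practice
DIGEST_LEN = 32              # 256-bit PBKDF2-HMAC-SHA256 output

# Constructed sample of the "personal details" an auditor might flag.
PERSONAL_DETAILS = ("nils", "bjoern", "1985")


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    # Only facts derived at change time are kept; the password itself is not.
    policy: dict = field(default_factory=dict)


def policy_check(password: str, personal_details=PERSONAL_DETAILS) -> dict:
    """Evaluate the plaintext while it is transiently available and return
    only metadata (the kind of detail post #3 describes being stored)."""
    lowered = password.lower()
    return {
        "length": len(password),
        "has_upper": any(c.isupper() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(not c.isalnum() for c in password),
        "contains_personal_detail": any(d in lowered for d in personal_details),
    }


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (stand-in for a real KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=DIGEST_LEN)


def enroll(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Called once, at set/change time: run the policy check, then keep
    only the salt, the digest and the policy verdict."""
    salt = salt if salt is not None else os.urandom(16)
    return StoredCredential(salt=salt, digest=derive(password, salt),
                            policy=policy_check(password))


def verify(cred: StoredCredential, attempt: str) -> bool:
    """Recompute the digest for the attempt and compare in constant time.
    Nothing stored is decrypted; the stored digest is only ever compared."""
    return hmac.compare_digest(derive(attempt, cred.salt), cred.digest)


def leaks_fragment(cred: StoredCredential, password: str, min_len: int = 3) -> bool:
    """Does any substring of the password (>= min_len bytes) appear verbatim
    in the stored salt or digest? For a proper hash this should be False."""
    raw = password.encode("utf-8")
    blob = cred.salt + cred.digest
    return any(raw[i:i + n] in blob
               for n in range(min_len, len(raw) + 1)
               for i in range(len(raw) - n + 1))


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    salt = os.urandom(16)
    cred = enroll("Nils1985!", salt)            # constructed sample password
    print("policy verdict:", cred.policy)        # flags the personal detail
    print("login ok:", verify(cred, "Nils1985!"))
    print("fragment in store:", leaks_fragment(cred, "Nils1985!"))
    neighbour = derive("Nils1985?", salt)        # one character changed
    print("bits differing of", DIGEST_LEN * 8, ":",
          differing_bits(cred.digest, neighbour))
```

Run it directly to see the verdict dictionary, the verification result and the bit-difference count. The design point is the separation of duties in `enroll`: the audit logic sees the plaintext exactly once, at the moment the user sets it, and what survives is a salt, a digest and a handful of booleans. A process that can report "your password contains your name" does not, by itself, prove the plaintext is stored anywhere.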