Most likely just to clean up the audit report, as we had about 600 accounts get flagged. It's written policy that account passwords must be changed at a certain interval, and it doesn't discriminate between enabled/disabled accounts. It does provide added protection if the accounts do become enabled for any reason.
- Sean

On Thu, Feb 4, 2016 at 7:35 AM, Orlebeck, Geoffrey <[email protected]> wrote:

> Not to be dense, but why would you get dinged on passwords for disabled accounts? The password is completely irrelevant on a disabled account—unless it’s enabled/disabled on some sort of rotation, but I can’t imagine what scenario that would be for shared mailboxes.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Sean Martin
> Sent: Thursday, February 04, 2016 7:58 AM
> To: [email protected]
> Subject: Re: [powershell] Random Password Generator
>
> To clarify, the example from the article generates a 20 character string. My last modified example generates a 24 character string.
>
> - Sean
>
> On Thu, Feb 4, 2016 at 6:53 AM, Sean Martin <[email protected]> wrote:
>
> Perhaps I should explain why this particular method works for my use case. We got dinged on an internal audit because we have several hundred AD accounts whose password has not been changed in quite some time. The vast majority of these are shared mailbox accounts that are disabled. I used this method in a script to change the password for all of those disabled accounts every couple of months.
>
> In regards to the article, I think I understand your math, but the example I provided generates a 20 character string, not 15, so how does that affect your calculation?
>
> - Sean
>
> On Wed, Feb 3, 2016 at 7:11 PM, Michael B. Smith <[email protected]> wrote:
>
> So, I just read the article you mentioned, and I have to tell you, I think he’s (or she’s) incorrect.
>
> GetBytes() returns random bytes. That’s 0-255 taking up 8 bits. Ln2(8) = 3. Fifteen characters at 3 bits of entropy each will give you 45 bits of entropy. But then you convert it to Base64. Base64 is limited to 6 bits of information ( [System.Math]::Pow(2, 6) = 64 ). That is by definition where the name of the algorithm comes from! Ln2(6) = 2.58. Significant reduction.
>
> He/she also conflates the fact that while a representation of Base64 is generally longer (although not always for small amounts of text) the entropy is controlled by the character set, not the representation.
>
> If I remember correctly, the number of printable ASCII characters is actually only 96. Ln2(7) ~= 2.81. But the number is effectively less than that, because 32 of those characters are not used. So Ln2(6.5) ~= 2.70.
>
> So the maximum entropy you can obtain with a 15 character password is ~40.5 – assuming that the password is completely random and the available character set allows all 96 characters available. That’s almost 50 years to brute force. But the password will almost certainly be gibberish.
>
> Note: There are assumptions in this calculation: [1] I’m assuming online cracking attempts, not on-premises. On-premises cracking attempts can be much much faster, on the order of 50 million attempts a second; [2] Yes, Windows will allow you to enter in non-printable characters for passwords – but very few websites (if any?) will allow this. In fact, most websites have far more strict password guidelines than “15 maximum characters of charset-96”.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
> Sent: Wednesday, February 3, 2016 10:36 PM
> To: [email protected]
> Subject: RE: [powershell] Random Password Generator
>
> The maximum entropy you get from Base64 is 2.58 bits per character, kinda by definition ( ln2( 6 ) ). Given that your maximum length is 15 digits, that limits you to ~38 bits of entropy. At a thousand guesses a second, that’s about 8 years to brute force. Not bad.
>
> However, you’ve GIVEN UP over 10 bits of entropy because of four constant characters, taking you to about 28 bits of entropy. Believe it or not, having constants makes a password far far easier to crack. (This is why the revelation of a non-random non-prime in netcat/socat is such a big deal – it makes Diffie-Helman much much simpler to crack.)
>
> That’s about 3 days to brute force.
>
> That is completely believable for someone to spend the time/energy to crack. (And remember, the 3 days assumes that your password is the last one checked, out of the entire “password universe” – on average, assume half that.)
>
> So, the lesson here is that 15 bytes of base64 is fine (if impossible to remember). But don’t use constants. Evah.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Sean Martin
> Sent: Wednesday, February 3, 2016 3:24 PM
> To: [email protected]
> Subject: [powershell] Random Password Generator
>
> I don't get the opportunity to contribute all that often so I thought I would throw this out there in case it helps anyone.
>
> I got the method from this article: https://www.scriptjunkie.us/2013/09/secure-random-password-generation/
>
> I modify the resulting password by prepending/appending a couple of special and numerical characters to ensure it meets complexity requirements in my current environment.
>
> Easy way to generate a secure password whenever the need arises. Critiques are always welcome.
>
> ===================================================================
>
> # Generate Random Password
> $randombytes = new-object byte[] 15
> (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($randombytes)
> $pass = [System.Convert]::ToBase64String($randombytes)
> $password = "&#" + $pass + "82"
>
> Write-Host ""
> Write-Host "Your password is: " -ForeGroundColor Cyan -NoNewLine
> Write-Host "$Password" -ForeGroundColor Yellow
> Write-Host ""
> Write-Host ""
> Write-Host "Press enter to exit script..." -ForeGroundColor Cyan
>
> $Pause = Read-Host
>
> Exit
>
> ==================================================================
>
> - Sean
>
> ================================================
> Did you know you can also post and find answers on PowerShell in the forums?
> http://www.myitforum.com/forums/default.asp?catApp=1
>
> Confidentiality Notice: This is a transmission from Community Hospital of the Monterey Peninsula. This message and any attached documents may be confidential and contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please accept our apologies and notify the sender. Thank you.
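As an added worked example (not code from the thread or from the scriptjunkie article), the Python below mirrors the posted generator (CSPRNG bytes, Base64, fixed prefix/suffix) and puts numbers on the entropy discussion: it counts 8 bits per uniformly random byte, which is the same as 6 bits per Base64 character, so Base64 changes the length but not the total, and fixed characters add nothing. The guess rates (1,000/s online, 50 million/s offline) and the 96-character printable set come from the thread; the function names and `secrets.token_bytes` as the stand-in for RNGCryptoServiceProvider.GetBytes are my choices.

```python
import base64
import math
import secrets

# Guess rates quoted in the thread: ~1,000/s for online guessing, ~50 million/s offline.
GUESS_RATES = {"online": 1_000, "offline": 50_000_000}
PRINTABLE_ASCII = 96   # charset size used in the thread's comparison


def generate_password(n_random_bytes=15, prefix="&#", suffix="82"):
    """Same construction as the posted PowerShell script: CSPRNG bytes -> Base64 ->
    fixed characters around it (secrets.token_bytes stands in for GetBytes)."""
    core = base64.b64encode(secrets.token_bytes(n_random_bytes)).decode("ascii")
    return prefix + core + suffix


def base64_length(n_bytes):
    """Base64 emits 4 output characters per 3 input bytes, padded up to a multiple of 4."""
    return 4 * math.ceil(n_bytes / 3)


def entropy_bits(n_random_bytes, n_constant_chars=0):
    """Each uniformly random byte carries 8 bits; a fixed prefix/suffix carries 0 bits.
    Base64 is only a representation: 15 bytes -> 20 chars x 6 bits = 120 bits either way."""
    return 8 * n_random_bytes + 0 * n_constant_chars


def charset_entropy_bits(length, charset_size=PRINTABLE_ASCII):
    """Entropy of a password drawn uniformly from a charset (log2 of charset size per char)."""
    return length * math.log2(charset_size)


def days_to_exhaust(bits, guesses_per_second):
    """Worst case: every candidate is tried (expected effort is half this)."""
    return (2 ** bits) / guesses_per_second / 86400


def summary(n_random_bytes=15, prefix="&#", suffix="82"):
    """Collect the numbers a reviewer or auditor would ask for about this generator."""
    bits = entropy_bits(n_random_bytes, len(prefix) + len(suffix))
    return {
        "password_length": len(prefix) + base64_length(n_random_bytes) + len(suffix),
        "entropy_bits": bits,
        "days_online": days_to_exhaust(bits, GUESS_RATES["online"]),
        "days_offline": days_to_exhaust(bits, GUESS_RATES["offline"]),
    }


if __name__ == "__main__":
    print(generate_password())
    print(summary())
    # The thread's own 28- and 38-bit figures, run through the same time formula:
    print("28 bits @ 1k/s:", round(days_to_exhaust(28, 1000), 1), "days")
    print("38 bits @ 1k/s:", round(days_to_exhaust(38, 1000) / 365.25, 1), "years")
```

Run with the thread's own 28- and 38-bit figures, `days_to_exhaust` reproduces its "about 3 days" and "about 8 years"; the question the example settles is only how many bits the generator actually has.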
