Alexander’s Blog

Microsoft offers a tool called Password Checker. The purpose of the tool is to test the strength of your password as you type. Is Password Checker a reliable tool to test the strength of your password? The answer in my opinion is NO. Microsoft correctly states “It is for personal reference only. Password Checker does not guarantee the security of the password itself. “Microsoft also says about the password that “It should be 14 characters or longer, (eight characters or longer at a minimum). It should include a combination of uppercase and lowercase letters, numbers, and symbols.”

Password Checker tests the strength of your password as you type and rates it as one of the following:

1. Weak
2. Medium
3. Strong
4. Best

I performed several tests and discovered that the tool is programmed to look for certain number of characters and certain combinations. It pretty much ignores the length of the password unless you add special characters or mixed-case to the password. Your pass phrase can be over hundred characters long and Microsoft’s Password Checker considers it a weak password unless you add at least one special character, which the tool considers Medium. You can use a pasword cracking tool and easily prove that Password Checker tool is incorrect in determining the actual strength of your password and therefore should not be used.

In the document Strong passwords: How to create and use them Microsoft acknowledges that “Each character that you add to your password increases the protection that it provides many times over.” Yet, the Password Checker completely ignores this fact. You can keep adding characters by the dozen and the tool will report that your password is weak. In fact, even if you type a 127-character password (the maximum allowed in Windows) in all lowercase the tool will report it as a weak password because you didn’t include an uppercase character, which makes no sense. According to the tool, adding one uppercase character to a 126-character password makes the password’s strength Medium. So the built-in logic in the tool is questionable. There are lots of other tools available that are more reliable to test your password strength.

Microsoft suggests the password should be 14 characters or longer. I suggest you use a pass phrase that is 15 characters or longer, as I explain in this article How Secure Is Your Password?. According to Microsoft security experts that I have talked to, if your password is 15 characters or longer it is not necessary to have a combination of alphanumeric, uppercase, lowercase and special characters in your password. I explain why in my article I just mentioned How Secure Is Your Password?. Of course, if you add any special characters or numbers you only strengthen your password.

Microsoft Standard User Analyzer (SUA) tool enables you to test your applications and to monitor API calls to detect potential compatibility issues due to the User Account Control (UAC) feature in the Windows Vista. The tool is part of the Microsoft Application Compatibility Toolkit. It requires Application Verifier but if Application Verifier is not installed on your computer you will receive a prompt to download it.

For more information on how to use this tool, check out this TechNet article.

You may have seen the computer information displayed on the trainer’s computer during a class or on virtual machine demos at TechNet events. The small utility that allows you to display the information such as, IP address(es), domain/workgroup, CPU, RAM, and logged on user information is called BackInfo.exe. Some other similar utilities also display this information as a screen saver which can be a security risk, especially on servers where you could be displaying the Administrator’s login name, along with the other information.

For some reason Microsoft doesn’t make it easy for you to download this free utility. They have made it a part of Windows Server System Reference Architecture (WSSRA), which is a whopping 97.2MB package. However, you can download it at filewatcher.com here.

The tool works great but you will notice that it reports Windows Vista as Microsoft Windows NT version 6.0 Professional (Build 6000) and Windows Server 2003 as Microsoft Windows NT version 5.2 Advanced Server.

Mozilla Firefox can protect your saved certificates and passwords with a master password. If you want to reset the master password, you can simply provide the current password and reset it to a new one. However, if you forget your master password then you are in trouble and will not have the option to change the existing password.

You can reinstall Firefox over an existing version, or you can even remove Firefox completely and reinstall a fresh copy, you still will not be able to reset the master password. But here’s a method that you can use to reset the master password in Firefox. Type the following command in the address box in your browser and then click the reset button in the lower right corner, as shown in the graphic.

chrome://pippki/content/resetpassword.xul

If you run into a situation where the above method does not work, then you may need to hack the password using a Firefox master password recovery tool, such as FireMaster.

Microsoft has a performance testing tool for Active Directory called ADTest. It is primarily an Active Directory load-generation tool that allows you to simulate client transactions on the host server. According to Microsoft “By varying client load, you can relate the transaction rate to resource utilization on the server and get some idea about the requirements for your environment. Because ADTest can perform generic Active Directory requests, it can also create an organizational unit structure inside Active Directory. You can add many organizational units and user objects in those ADTest-created organizational units. You can also add attributes to the user objects. Once you have created the Active Directory structure you require, you can use ADTest to perform various Active Directory requests, including Modify and Search. Several pre-built tests have been written to reproduce some typical activities you might want to evaluate. Examples of these pre-built tests are: an interactive logon, a batch logon, a search for a random user, and a modification of an attribute of a random user. By varying your hardware environment or other test parameters, you can gain insight into the performance sensitivities of your particular setup.”

Microsoft reminds users that benchmarking and performance exercises only useful for a general understanding of the hardware requirements for various implementations. The tests that you run take place in a limited lab environments so they may not translate directly to real-world scenarios. In other words, use this tool just to get some general ideas and don’t depend on the results too much for a production environment.

You can download the tool here.