Full Report
In my previous role working as a security manager for a large retailer, I developed some password tools for various purposes, primarily to help non-security people with some of the basics. I licensed them under the GPL, and I think it’s about time they saw the light of day. There are a couple of tools, which I will explain below. They’re all written in JavaScript, primarily because it is cross-platform, but can be centrally hosted. They all work in Firefox and Internet Explorer, although the automatic copy to clipboard functionality of the service desk tool is IE only.
Analysis Summary
# Tool/Technique: SensePost Password Tools (Strength Checker & Generators)
## Overview
A set of JavaScript-based tools developed by a security manager for a large retailer, intended to be centrally hosted on an intranet to assist non-security personnel (like service desk staff) with standardizing password practices, enforcing complexity, and generating strong passwords based on corporate policies. The tools were released under the GPL license.
## Technical Details
- Type: Tool (Security Utility / Auditing Helper)
- Platform: Cross-platform (Works in Firefox and Internet Explorer)
- Capabilities: Password checking based on entropy and common words, random and configurable password generation (including service account specifications), generation of One-Time-Password (OTP) lists, NATO alphabet transcription for verbal communication, automatic clipboard copy (IE only).
- First Seen: April 30, 2010
## MITRE ATT&CK Mapping
The primary mapping relates to defensive/security operations enablement, but the *usage* of password tools by internal staff might relate to misuse if the generated low-entropy passwords are widely disseminated or if the logging feature is disabled/ignored.
- **Tactic:** Resource Development (Defensive/Security Operations context)
- **Technique:** T1583.001 - Acquire Infrastructure: Domains (While these are tools, not infrastructure acquisition, they are an organizational resource solution.)
- **Tactic:** Credential Access (If weak generation or poor policies are followed)
- **Technique:** T1110 - Brute Force (If the weaker "Service Desk Password Generator" base words are used, knowledge of these bases could aid brute-forcing.)
- **Sub-technique:** T1110.001 - Password Guessing
## Functionality
### Core Capabilities
- **Password Strength Checker:** Checks passwords against length (min 8 chars), complexity (lowercase, uppercase, numbers, special characters), frequency of character sets (English biased), and common words (e.g., "Password1"). Features an optional entropy calculation display.
- **Full Password Generator:** Generates passwords based on predefined complexity profiles ("user," "administrator," "service account").
- **Service Desk Password Generator (Strong):** Generates a very simple, somewhat unique random password for service desk use.
- **Service Desk Password Generator (Weak/Base Word):** Generates passwords by affixing random numbers to a list of weak base words (derived from the top 500 6-digit Unix English dictionary words).
### Advanced Features
- **OTP List Generation:** The Full Generator can create lists of passwords for distributed, regularly rotated One-Time-Password systems.
- **Verbal Communication Aid:** Creates a NATO alphabet version of the generated password for clear verbal recitation (e.g., over the phone).
- **IE-Specific Clipboard Function:** Automatically copies the generated password to the clipboard for direct pasting (IE only).
- **Auditable Hosting:** Designed for central hosting on an intranet, allowing for web log auditing of tool usage, which can highlight anomalies (e.g., 100 resets logged but only 10 tool hits).
## Indicators of Compromise
As these are legitimate, self-hosted security tools, there are no inherent malicious IoCs unless deployed maliciously or if the weak base word list is leaked.
- File Hashes: N/A (Tools delivered via ZIP archive, specific initial hashes unknown/not provided.)
- File Names: `sp-password-tools.zip` (Package name)
- `password-generator.html`
- `password-strength-checker.html`
- Registry Keys: N/A
- Network Indicators: Tools are designed to be centrally hosted on an organization's intranet. No external C2 indicators.
- Behavioral Indicators: Upon use, benign frontend browser activity (JavaScript execution in Firefox/IE) related to input validation and string manipulation.
## Associated Threat Actors
The tool was created by Dominic White while managing security for Deloitte South Africa and later updated by SensePost staff. There is no indication that these tools are used by known malicious threat actors. They are intended for defensive/operational security use.
## Detection Methods
Detection focuses on identifying unauthorized hosting or scripting execution in inappropriate contexts, though standard use is expected within an enterprise browser environment.
- Signature-based detection: N/A (No known malicious signatures apply to these public domain scripts).
- Behavioral detection: Monitoring for consistent, authenticated access to the centrally hosted JavaScript tool files on the internal network. Auditing web server logs for tool invocation patterns.
- YARA rules: N/A
## Mitigation Strategies
Mitigation involves secure deployment, policy enforcement, and minimizing reliance on weak credential generation methods.
- **Prevention:** Only deploy these utilities on secure, internal, access-controlled intranet servers.
- **Hardening:** If the "weak" generator is used, organizations should replace the default weak base word list with a massive, custom, high-entropy list. Disable the weak generator entirely if possible.
- **Policy Enforcement:** Ensure service desk procedures prioritize the use of the strong generator version or mandatory policy-compliant unique passwords, rather than relying on the weak generator.
## Related Tools/Techniques
- **Password Checker Basis:** Tyler Atkins’ entropy and common word checker (rumkin.com).
- **Code Snippet Origins:** Gerd Riesselmann's JavaScript progress bar; CryptoMX tools (password generation code); L. Bower's NATO phonetic translator code.
- **Related MITRE Techniques (Internal Misuse):** T1552.001 (Credentials In Files - If OTP lists are saved insecurely).