Update: It appears the tool is no longer available, but you can still download it here.

In my last post, I gave some advice on how to manage the built-in administrator account on desktops in a corporate network. Today, I will introduce a great tool, passgen, that was originally published in Steve Riley and Jesper Johansson’s book Protect Your Windows Network. Passgen has been available as a free download for some time now, and I think it can be of great help to secure the desktops in your network.

As I outlined in my previous post, using unique passwords for local administrators on all machines greatly improves security. Passgen is a command line tool that allows you to do just that remotely. All you need is a text file that contains a list of all computers in your network. Another option is to run the tool in a startup script.

The main idea of the tool is to create a unique password by using an identifier and a pass phrase. The identifier is just the computer name, which you can import from a text file. This part will always be the same whenever it is time to set a new password on all your machines. The pass phrase is the variable part, which you can change the next time you reset the password.

This command will generate a password and display it on the screen:

passgen -g <identifier> <pass phrase> -c <account name>

To change the password for an account, you would run this command:

passgen -g <identifier> <pass phrase> -c <account name> -m <machine name> -h

The <machine name> and the <identifier> will be the same in most cases. The optional parameter -h prevents the password from being printed on the screen.

This command imports the computer names from machines.txt and changes the password of the Administrator account on all these computers:

for /f %m in (machines.txt) do passgen -g %m myverysecretpassphrase -c Administrator -m %m -h

Please choose a better pass phrase than mine. Whenever you have to log on with a local admin account (preferably not the built-in Administrator account), you use passgen with the machine's name and the pass phrase to regenerate the password. The advantage of this method is that you don't have to store the passwords. However, this might not be practicable in some environments.

Another option is to work with random passwords. For this you can use passgen's parameter -r. This is the recommended method if you don't intend to use this password anyway (for example, if you just want to set a unique password for the built-in Administrator account):

for /f %m in (machines.txt) do passgen -r -c Administrator -m %m -h

However, if you really want to be able to log on using the Administrator account (or preferably another account with local admin rights), then you have to store the passwords in a text file:

for /f %m in (machines.txt) do passgen -r -c Administrator -m %m >> passwords.txt

passwords.txt will contain the list of all machines with their passwords. It is okay to save all passwords in a file if you encrypt it and keep it in a safe place. I recommend storing the file on a memory stick using TrueCrypt. Don’t store the file on a PC with network access! If you want more security, you can encrypt the file with LockNote in addition to TrueCrypt. However, you should then use two different pass phrases for TrueCrypt and LockNote. I also recommend reading my article about encrypting a memory stick.
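To make the two modes concrete, here is an added example (not passgen's code, and not its algorithm) that mirrors the idea behind both the -g loop and the -r loop above: a deterministic per-machine password derived from the computer name plus a pass phrase, so nothing has to be stored and changing the pass phrase rotates every machine, beside a random password that must be stored to be usable later. PBKDF2-HMAC-SHA256, the character sets and the hypothetical machine names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Character-set choices in the spirit of passgen's -e option; the mapping is this
# example's own assumption, not passgen's.
CHARSETS = {
    "alnum": string.ascii_letters + string.digits,
    "full": string.ascii_letters + string.digits + "!#$%&*+-=?@^_",
}


def derive_password(identifier: str, passphrase: str, length: int = 16, charset: str = "full") -> str:
    """Derive a per-machine password from (identifier, pass phrase).

    Same inputs always give the same password, so nothing has to be stored;
    changing the pass phrase rotates every machine. PBKDF2-HMAC-SHA256 is this
    example's stand-in for whatever passgen uses internally.
    """
    alphabet = CHARSETS[charset]
    # Computer names are case-insensitive, so normalize before using the name as salt.
    salt = b"demo-passgen:" + identifier.strip().upper().encode("utf-8")
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000)
    limit = 256 - (256 % len(alphabet))  # rejection bound: keeps the character choice unbiased
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(master, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < limit and len(chars) < length:
                chars.append(alphabet[b % len(alphabet)])
    return "".join(chars)


def random_password(length: int = 16, charset: str = "full") -> str:
    """Counterpart of the -r mode: unpredictable, so it must be stored (encrypted) if it is ever needed."""
    return "".join(secrets.choice(CHARSETS[charset]) for _ in range(length))


def passwords_for(machines, passphrase: str, length: int = 16) -> dict:
    """What the for /f loop produces: one derived password per line of machines.txt."""
    return {m: derive_password(m, passphrase, length) for m in machines}


if __name__ == "__main__":
    machines = ["WS-0001", "WS-0002", "WS-0003"]  # constructed sample in place of machines.txt
    for name, pw in passwords_for(machines, "correct horse battery staple").items():
        print(f"{name}\t{pw}")
```

The derived mode makes the pass phrase the single secret for every machine, which is exactly why it must be stronger than "myverysecretpassphrase" and why a suspected leak is handled by re-running the loop with a new one.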

passgen supports a few other useful parameters:

-l: password length

-e: character set (upper- and lowercase, alphanumeric characters, etc.)

-d: for managing service accounts

-s: for setting a specific password rather than generating one

Passgen’s manual explains all these parameters in detail.


9 Comments
  1. Me 14 years ago

    you could also store the passwords in a keepass database

  2. Thanks. KeePass looks like one of those password managers where you have to enter account by account. I recommended LockNote because it allows you to secure the text file that passgen generated.

  3. steo 12 years ago

    The download link is offline. Do you have a backup location? I found the 1.1 version, sha1 441cdc362c009ec6b2c0b2cd0b9db26901e2bc30.
    The latest version's sha1 should be fa19722348e9e0603f24c0ef9fc715010403bcfa according to this: http://goo.gl/DMfT

  4. steo, thanks for the hint. It appears Softpedia has version 1.3.1. Please let me know if it worked.

  5. steo 12 years ago

    This is a simple program that generates random strong passwords using a combination of alphabets, numerals, etc. It's not the passgen of this post.

  6. Hmm, thanks. It appears the tool has disappeared then. If you ever find it, please post a comment here.

  7. Thanks a lot! I updated the post.

  8. kartnico 12 years ago

    A tool that does the same things, but free: WinAdminPassword

    http://sourceforge.net/projects/winadminpasswd/

    You can print passwords with Webmin or a GLPI plugin: https://forge.indepnet.net/projects/winadminpassword

    Regards.

    Nico


© 4sysops 2006 - 2023
