Technical Article

Find weak login passwords in your server

,

Have you ever tried to search for all logins in your SQL Server who are using weak passwords?

Here are some example of weak passwords you can use to define your weak password list.

You can create a table to contain weak password list instead of using table variable in the script and convert this script into a stored procedure to be able to use more frequently.

The method in the script can be used to check weak passwords in your user tables where they contain user names and hashed password.

I tried this script in the server I'm working on and found 3 logins containing weak passwords. Of course, I told them to change immediately. 🙂

This script works with SQL Server 2005 or later.

DECLARE @WeakPwdList TABLE(WeakPwd NVARCHAR(255))
--Define weak password list
--Use @@Name if users password contain their name
INSERT INTO @WeakPwdList(WeakPwd)
SELECT ''
UNION SELECT '123'
UNION SELECT '1234'
UNION SELECT '12345'
UNION SELECT 'abc'
UNION SELECT 'default'
UNION SELECT 'guest'
UNION SELECT '123456'
UNION SELECT '@@Name123'
UNION SELECT '@@Name'
UNION SELECT '@@Name@@Name'
UNION SELECT 'admin'
UNION SELECT 'Administrator'
UNION SELECT 'admin123'
-- SELECT * FROM @WeakPwdList
SELECT t1.name [Login Name], REPLACE(t2.WeakPwd,'@@Name',t1.name) As [Password]
FROM sys.sql_logins t1
INNER JOIN @WeakPwdList t2 ON (PWDCOMPARE(t2.WeakPwd, password_hash) = 1 
OR PWDCOMPARE(REPLACE(t2.WeakPwd,'@@Name',t1.name),password_hash) = 1)

Rate

3.25 (8)

You rated this post out of 5. Change rating

Share

Share

Rate

3.25 (8)

You rated this post out of 5. Change rating