Technical Article

Find weak login passwords in your server

,

Have you ever tried to search for all logins in your SQL Server who are using weak passwords?

Here are some example of weak passwords you can use to define your weak password list.

You can create a table to contain weak password list instead of using table variable in the script and convert this script into a stored procedure to be able to use more frequently.

The method in the script can be used to check weak passwords in your user tables where they contain user names and hashed password.

I tried this script in the server I'm working on and found 3 logins containing weak passwords. Of course, I told them to change immediately. 🙂

This script works with SQL Server 2005 or later.

DECLARE @WeakPwdList TABLE(WeakPwd NVARCHAR(255))
--Define weak password list
--Use @@Name if users password contain their name
INSERT INTO @WeakPwdList(WeakPwd)
SELECT ''
UNION SELECT '123'
UNION SELECT '1234'
UNION SELECT '12345'
UNION SELECT 'abc'
UNION SELECT 'default'
UNION SELECT 'guest'
UNION SELECT '123456'
UNION SELECT '@@Name123'
UNION SELECT '@@Name'
UNION SELECT '@@Name@@Name'
UNION SELECT 'admin'
UNION SELECT 'Administrator'
UNION SELECT 'admin123'
-- SELECT * FROM @WeakPwdList
SELECT t1.name [Login Name], REPLACE(t2.WeakPwd,'@@Name',t1.name) As [Password]
FROM sys.sql_logins t1
INNER JOIN @WeakPwdList t2 ON (PWDCOMPARE(t2.WeakPwd, password_hash) = 1 
OR PWDCOMPARE(REPLACE(t2.WeakPwd,'@@Name',t1.name),password_hash) = 1)

Rate

3.25 (8)

You rated this post out of 5. Change rating

Share

Join the discussion and add your comment

Share

Rate

3.25 (8)

You rated this post out of 5. Change rating

Related content

External Article

Using TRY/CATCH to Resolve a Deadlock in SQL Server 2005

A deadlock is an inevitable situation in the RDBMS architecture and very common in high-volume OLTP environments. A deadlock situation is when at least two transactions are waiting for each other to complete. The Common Language Runtime (CLR) of .NET lets SQL Server 2005 provide developers with the latest way to deal with error handling. In case of a deadlock, the TRY/CATCH method is powerful enough to handle the exceptions encountered in your code irrespective of how deeply nested the application is in a stored procedure.

2005-11-25

3,655 reads