Empty Password not returning full results
joejsullivan opened this issue · 3 comments
Hi,
Maybe I'm looking at this or doing something wrong - I'm executing lines like this:
```powershell
$accounts = Get-ADDBAccount -DatabasePath $path -BootKey $key -All | Where-Object samaccounttype -like User
$results = $accounts | Test-PasswordQuality
$riskyAccounts = $accounts | Where-Object LogonName -in $results.EmptyPassword
$riskyAccounts | Select-Object -Property SamAccountName .... | Export-Csv some-path
```
While this does produce fantastically interesting data, it is missing the hash for empty password: 31d6cfe0d16ae931b73c59d7e0c089c0
When looking at the password file directly, this hash is present; when analyzed through Get-ADDBAccount, it does not detect any empty password results.
Suggestions? Am I doing something wrong?
Thanks,
Joe
I think a workaround could be to enter the hash 31d6cfe0d16ae931b73c59d7e0c089c0 into the weak password hash sorted file and call it "empty password" in the output.
```powershell
$results = $accounts | Test-PasswordQuality -WeakPasswordHashesSortedFile single-empty-hash.txt
```
Hello @joejsullivan, I double-checked the code behind the EmptyPassword test and it actually compares the NT hash against 31d6cfe0d16ae931b73c59d7e0c089c0:
```csharp
if (this.Account.NTHash == null)
{
    // The account has no password.
    this.result.EmptyPassword.Add(this.Account.LogonName);
    // All the remaining tests are based on NT hash, so we can skip them.
    return;
}
if (HashEqualityComparer.GetInstance().Equals(this.Account.NTHash, NTHash.Empty))
{
    // The account has an empty password.
    this.result.EmptyPassword.Add(this.Account.LogonName);
    // Skip the remaining tests, because they only make sense for non-empty passwords.
    return;
}
```
Could you please re-test? Maybe you are just missing the -IncludeDisabledAccounts parameter. Disabled accounts are more likely to have an empty password than enabled ones.
Thanks @MichaelGrafnetter. That's likely the issue. Thanks for the quick reply.
Joe