Weak Password Test Product Manual
To learn about this product, read the below tutorial or watch this brief Weak Password Test (WPT) video.
What is the Weak Password Test?
The Weak Password Test is a free tool that examines the passwords of the accounts in your Active Directory (AD) to determine if your organization is susceptible to password-related attacks.
The Weak Password Test connects to AD and retrieves your password table; the passwords are hashed and the retrieval uses encryption. The tool then analyzes the passwords against ten failure types, described in detail below.
The results will display which user accounts failed the test and why. This information can empower you to increase your organization's password complexity requirements, train your users on safe password practices, or take other actions to help bolster your cybersecurity posture.
Is my Information Safe?
Yes. It's important to note that this tool will never display or report the actual passwords of any user accounts in your AD. Passwords within AD are in a hashed format and will never be visible at any point. The test results will simply identify the user accounts which failed the test so you can decide how to correct that.
Additionally, the data pulled from AD is encrypted. The information obtained during the test is saved in local memory, not to disk. None of the information from your Active Directory will be transmitted to us at any point during the test.
System Requirements and Prerequisites
To run the Weak Password Test, the system you use must have the following:
- Windows 7 or higher (32 or 64-bit)
- Active Directory, running on Windows Server 2008 R2 or greater
- Ability to access the domain controller (DC)
- Internet access
- .NET Framework 4.5.2 (will be installed if needed)
- 300 MB hard disk space
You should also run this test on a system other than your Domain Controller, as the scanning process can temporarily generate significant network traffic and CPU usage.
For installation, you will need the following information:
- A license key that you received upon signing up for the test
- A domain name of your Active Directory. For example, MyDomain.com or MyDomain.local.
- Internal IP of your Domain Controller (DC)
- Credentials to connect to your AD
The credentials you use to connect to Active Directory with the Weak Password Test must have the Replicating Directory Changes and Replicating Directory Changes All permissions enabled for the test to run successfully. These permissions allow the tool to obtain a copy of your password table for analysis.
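Because these two replication rights let their holder pull every password hash in the domain, it is worth knowing exactly which principals hold them before you grant them to a test account, and verifying afterwards that only the intended account was added. The script below is an added example, not part of the Weak Password Test or KnowBe4's documentation; it assumes the RSAT ActiveDirectory PowerShell module is installed on the workstation and that the caller can read the domain's security descriptor.

```powershell
# Added example (not KnowBe4 code): list every principal that holds the
# Replicating Directory Changes / Replicating Directory Changes All extended
# rights on the domain naming context. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the two extended rights
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$allObjects    = [guid]'00000000-0000-0000-0000-000000000000'  # ACE that is not scoped to one right

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $ace = $_
        $rights = @()
        # An explicit extended-right ACE scoped to one of the two GUIDs
        if (($ace.ActiveDirectoryRights -band $extendedRight) -and $ace.ObjectType -eq $getChanges) {
            $rights += 'Replicating Directory Changes'
        }
        if (($ace.ActiveDirectoryRights -band $extendedRight) -and $ace.ObjectType -eq $getChangesAll) {
            $rights += 'Replicating Directory Changes All'
        }
        # GenericAll on the domain head (unscoped ACE) implicitly grants both rights
        if ((($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and $ace.ObjectType -eq $allObjects) {
            $rights += 'Both (via GenericAll)'
        }
        foreach ($r in $rights) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $r
                Inherited = $ace.IsInherited
            }
        }
    } |
    Sort-Object Identity, Right |
    Format-Table -AutoSize
```

Run it before and after creating the account used for the test and compare the two listings; any principal other than domain controllers, the built-in administrative groups and the account you intentionally created deserves investigation, and the test account itself should be disabled or have the rights removed once the test is finished.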
Installation and Setup
- First, make sure you read the system requirements and prerequisites (above) prior to installation. Then, sign up for your free Weak Password Test by navigating to https://info.knowbe4.com/weak-password-test.
- Upon signing up, we will email you a unique License Key, which you’ll need to enter prior to running the test.
- Download and run the installer file for the Weak Password Test.
- Review and agree to the License Agreement and then click Install to complete the installation.
- Launch Weak Password Test. Click Yes if prompted to allow it to run.
- Enter your unique License Key and click OK.
- Next, you'll need to enter the details listed below:
- The domain name of your Active Directory.
- Internal IP of your Domain Controller.
- The username and password for the account you created which has Replicating Directory Changes and Replicating Directory Changes All permissions enabled.
- After entering the above information, click Start Test when you are ready to begin your test.
- The test will analyze your Active Directory accounts for weak passwords. Depending on the size of your Active Directory and workstation performance, this process may take a minute or longer.
- Your results will be displayed on-screen as soon as the test is complete.
Types of Failure/Vulnerabilities
The Weak Password Test analyzes your data to look for ten different failure types which can leave your organization vulnerable to an attack:
1) Weak Passwords
This means the affected account's password matched one of those listed in our Weak Password dictionary. These passwords are either very common, easy to guess, or have been made available to attackers because of past data breaches.
2) Non-Unique Passwords
This failure indicates that the affected account shares a password with at least one other account.
3) Empty Passwords
These are accounts that do not have a password defined.
4) Clear Text Password
These are passwords stored in clear text in Active Directory, meaning the users' AD passwords are stored using reversible encryption.
5) Password Not Required
These are accounts that are permitted to have no password.
6) Password Never Expires
This account has a password that never expires.
7) LM Hashes
This means the affected account uses a LAN Manager (LM) hash, which is an antiquated format. These passwords are vulnerable to brute-force attacks and can be cracked within seconds.
8) AES Keys Missing
Accounts affected by this were set up using weaker encryption methods and have no Advanced Encryption Standard (AES) keys.
9) DES Encryption
Affected accounts were set up using the retired Data Encryption Standard (DES) mechanism. This could be a result of old software that does not support AES.
10) Pre-authentication Missing
Affected accounts have an important security mechanism turned off, which can open up the account to offline, difficult-to-detect brute-force attacks. When enabled, this mechanism requires an encrypted authentication request up front, so that attempts to authenticate to the account are logged.
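Several of these failure types are visible in ordinary account attributes and can be cross-checked, or monitored between runs of the test, without touching any password hashes. The script below is an added example, not part of the Weak Password Test or KnowBe4's documentation; it assumes the ActiveDirectory module and read access to user objects. It covers Clear Text Password (4), Password Not Required (5), Password Never Expires (6), Pre-authentication Missing (10) and, as an approximation based on the account's explicit encryption-type settings, AES Keys Missing (8) and DES Encryption (9). Weak, Non-Unique, Empty and LM Hash findings (1, 2, 3, 7) depend on the hashes themselves and are left to the tool.

```powershell
# Added example (not KnowBe4 code): flag the attribute-visible failure types
# on enabled user accounts. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl flag bits (documented Windows values)
$UAC_PASSWD_NOTREQD     = 0x000020
$UAC_DONT_EXPIRE_PASSWD = 0x010000
$UAC_USE_DES_KEY_ONLY   = 0x200000
$UAC_DONT_REQ_PREAUTH   = 0x400000

# msDS-SupportedEncryptionTypes bits
$ENC_DES = 0x01 -bor 0x02   # DES_CBC_CRC, DES_CBC_MD5
$ENC_AES = 0x08 -bor 0x10   # AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96

$props = 'userAccountControl', 'msDS-SupportedEncryptionTypes',
         'AllowReversiblePasswordEncryption', 'PasswordLastSet'

function Get-AttributeFindings {
    param([int]$Uac, $EncTypes, [bool]$Reversible)
    $findings = @()
    if ($Reversible)                           { $findings += 'Clear Text Password' }
    if ($Uac -band $UAC_PASSWD_NOTREQD)        { $findings += 'Password Not Required' }
    if ($Uac -band $UAC_DONT_EXPIRE_PASSWD)    { $findings += 'Password Never Expires' }
    # A null or zero msDS-SupportedEncryptionTypes means the domain controller
    # default applies; only an explicit value with no AES bits is reported here.
    $explicitNoAes = ($EncTypes -and -not ($EncTypes -band $ENC_AES))
    if ($explicitNoAes)                        { $findings += 'AES Keys Missing (approx.)' }
    if (($Uac -band $UAC_USE_DES_KEY_ONLY) -or ($explicitNoAes -and ($EncTypes -band $ENC_DES))) {
        $findings += 'DES Encryption'
    }
    if ($Uac -band $UAC_DONT_REQ_PREAUTH)      { $findings += 'Pre-authentication Missing' }
    return $findings
}

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $f = Get-AttributeFindings -Uac $_.userAccountControl `
                               -EncTypes $_.'msDS-SupportedEncryptionTypes' `
                               -Reversible ([bool]$_.AllowReversiblePasswordEncryption)
    if ($f) {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            Findings        = ($f -join '; ')
        }
    }
} | Sort-Object SamAccountName | Format-Table -AutoSize
```

The output is a per-account list in the same spirit as the tool's checkmark table, which makes it convenient for tracking remediation: after clearing a flag (for example removing "Password never expires" or re-enabling Kerberos pre-authentication on an account), rerun the script to confirm the finding is gone before scheduling the next full test.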
Analyzing Your Results
The results of the Weak Password Test will show you the number of accounts that are vulnerable, as well as those that are not vulnerable. You will see a pie chart that will compare the total number of vulnerabilities found and indicate the most prevalent password vulnerabilities in your organization.
Each of your AD accounts will be listed with a checkmark against each specific vulnerability found on that account. You can click each of the vulnerabilities on the left to filter the results to only the accounts which have that vulnerability. You can also search for a specific account by entering characters into the search box.
You can filter the results by failure type if you'd like to analyze a specific vulnerability. To do so, click on the failure type found on the left side of the program to only display that failure type.
You can view your results on-screen instantly, or you can export the results to disk as an Excel Spreadsheet (.xlsx) or PDF. If you plan on rerunning the test, make sure you save your results first.
- Filter your results.
- Search for specific accounts.
- The checkmarks will indicate the type of password vulnerability on each account.
- Export your results.
- Click to re-run the test.