Weak Password Test product manual

To learn about this product, read the below tutorial or watch this brief Weak Password Test (WPT) video.

JUMP TO:
What is Weak Password Test?
How Does It Work?
Is My Information Safe?
System Requirements/Prerequisites
Installation and Setup
Analyzing Your Results
-Types of Failure/Vulnerabilities
-Exporting Reports
Frequently Asked Questions (FAQs)

What is Weak Password Test?

Weak Password Test is a free tool which examines the passwords of accounts in your Active Directory (AD) to determine if your organization is susceptible to password-related attacks.

The results will display which user accounts failed the test and why. This information can empower you to increase your organization's password complexity requirements, train your users on safe password practices, or take other actions to help bolster your cyber security posture.

Weak Password Test Interface

How Does it Work?

The Weak Password Test will connect to AD to retrieve your password table (containing hashed passwords) and encryption algorithm. The tool then analyzes the passwords against ten failure types, described in detail below.

Is my Information Safe?

Yes. It's important to note that this tool will never display or report the actual passwords of any user accounts in AD. Passwords within AD are in a hashed format and will never be visible at any point. The test results will simply identify the user accounts which fail the test so you can decide how to remedy that.

Additionally, the data pulled from AD is encrypted. The information obtained during the test is saved in local memory, not to disk. None of the information from your Active Directory will be transmitted to us at any point during the test.

System Requirements/Prerequisites

System Requirements

To run Weak Password Test, the system you use must have the following:

Windows 7 or higher (32 or 64-bit)
Active Directory, running on Windows Server 2008 R2 or greater
Ability to access the domain controller (DC)
Internet access
.NET Framework 4.5.2 (will be installed if needed)
300 MB hard disk space

You should also run this test on a system other than your DC as the scanning process can temporarily generate significant network traffic and CPU usage.

Prerequisites

For installation, you will need the following information:

A license key, emailed to you upon signing up for the test
Domain name of your Active Directory (For example: MyDomain.com or MyDomain.local)
Internal IP of your Domain Controller (DC)
Credentials to connect to your AD

IMPORTANT! The credentials you use to connect to Active Directory with Weak Password Test must have “Replicating Directory Changes” and “Replicating Directory Changes All” permissions for the test to run successfully. This permission allows you to obtain a copy of your password table for analysis.

This article will show you how to quickly add these required permissions to an account in AD: How to Grant "Replicating Directory Changes" Permissions
A domain admin does not have permission by default to access this information, so using the tool with a domain admin account will not necessarily allow you to run the test successfully.
We strongly recommend creating a new account in AD with these permissions for the purposes of running this test. Once the test is complete, you should delete this new account in accordance with the principle of least privilege.
Why create a new account? Creating a new account will make it easier to determine when this test took place and which account accessed the information, should you need to look for that information in the future. It also makes it easier to remove those permissions: once the test is done, simply delete the newly-added user account.

Installation and Setup

(1) First, make sure you read the system requirements and prerequisites (above) prior to installation. Then, sign up for your free Weak Password Test by navigating to https://info.knowbe4.com/weak-password-test

Upon signing up, we will email you a unique license key, which you’ll need to enter prior to running the test.

(2) Download and run the installer file for Weak Password Test. Review and agree to the License Agreement and then click Install to complete the installation. Weak Password Test will be automatically saved to your Desktop.

(3) Launch Weak Password Test. Click Yes if prompted to Allow it to run.

(4) Next, enter your unique License Key, which was emailed to the email address you signed up with. Click OK.

(5) Next, you'll need to enter the details listed below.

(a) Domain name of your Active Directory (For example, mydomain.com or mydomain.local)
(b) Internal IP of your Domain Controller (DC) (For example, 10.20.10.10)
(c) The username and password for the account you created which has "Replicating Directory Changes" and “Replicating Directory Changes All” permissions

After entering the above information, click Start Test when you are ready to begin your test.

(6) The test will analyze your Active Directory accounts for weak passwords. This process usually takes less than a minute to complete but may take longer depending on your Active Directory and workstation performance.

(7) Your results will be displayed on-screen as soon as the test is complete.

Analyzing Your Results

The results of Weak Password Test will show you the number of accounts which are vulnerable, as well as those that are not vulnerable. You will see a pie chart which will compare the total number of vulnerabilities found, indicating what password vulnerabilities are most prevalent in your organization.

Each of your AD accounts will be listed and a checkmark will indicate the specific vulnerabilities that were found on that particular account. You can click each of the vulnerabilities on the left to filter the results to only show the accounts which have that vulnerability. You can also search for a specific account by entering characters into the search box.

Disabled AD accounts are not included in your WPT scan.

Types of Failure/Vulnerabilities

The Weak Password Test analyzes your data to look for ten different failure types which can leave your organization vulnerable to an attack, listed below:

	1) Weak Passwords This means the affected account's password matched one of those listed in our Weak Password dictionary (weakpasswords.txt). These passwords are either very common, easy to guess, or have been made available to attackers because of past data breaches.
	2) Non-Unique Passwords This failure indicates that the affected account shares a password with at least one other account.
	3) Empty Passwords These are accounts which do not have a password defined.
	4) Clear Text Password These are passwords stored in clear text in Active Directory (This means the users' AD passwords are stored using reversible encryption).
	5) Password Not Required These are accounts which have the capability of having no password on the account.
	6) Password Never Expires This account has a password that never expires.
	7) LM Hashes This means the affected account uses a LAN manager hash. This an antiquated method of hashing passwords. These passwords are vulnerable to brute force attacks and can be cracked by hackers within seconds.
	8) AES Keys Missing Accounts affected by this were set up using older functional AD levels and as such have no Advanced Encryption Standard (AES) keys. As such, they use weaker encryption methods.
	9)DES-only Encryption Affected accounts were set up using the older and since retired Data Encryption Standard (DES) mechanism. This could be a result of old software which doesn’t know how to react to AES.
	10) Pre-authentication Missing Affected accounts have an important security mechanism turned off which can open up the account to offline, difficult-to-detect brute force attacks. The security mechanism, when enabled, creates an encrypted authentication request so that attempts to authenticate to the account are logged.

You can filter the results by failure type if you'd like to analyze a specific vulnerability. Simply click on the failure type towards the left side of the program. Once it is highlighted orange, it will display only that failure type.

Exporting Reports

You can view your results on-screen instantly, but you can also download the results to disk as an Excel Spreadsheet (.xlsx) or PDF. You should save your results if you plan on rerunning the test.

To do so, click Export to Excel or Export to PDF (as shown below). A prompt will appear that will allow you to name your file and choose where to save it.

Frequently Asked Questions (FAQs)

Below are questions you may have regarding Weak Password Test. If you don't see your question answered below, contact support.

A. Can I see what the weak passwords are?

No. The passwords are hashed and cannot be displayed.

B. Are any log files generated during the test?

No. No log files are created. You can save your results by exporting to Excel or PDF.

C. I received an error message and my test did not run. What do I do?

If you received an error and could not complete the test, check the chart below to analyze what the issue may be:

Error Message	Issue
The Active Directory account you are attempting to run the test with does not have Replicating Directory Changes Permissions. Please view the required Prerequisites in our manual, linked below.	The account you are using for the test does not have the proper permissions. Make sure you've created an account with Replicating Directory Changes AND Replicating Directory Changes - All Permissions. See above.
Test was unable to run due to invalid user name and/or password. Please check your credentials and try the test again.	We were unable to connect to your Active Directory using the credentials you provided. Make sure your user name and password are correct and try to run the test again.
Server is unavailable. Please check your Domain DNS Name and try the test again.	This means your Domain DNS name is incorrect, or incorrectly formatted. Make sure you use the format of domain.com or domain.local and attempt to run the test again.
Server is unavailable. Please check your Domain Controller and try the test again.	This means your Domain Controller IP is incorrect, or incorrectly formatted. Double check the IP and attempt to run the test again.
The license validation failed.	This is likely to mean one of two things: a) either the license key you are using is invalid, or b) you are attempting to validate the license key through a proxy and it is failing as a result of that. If the error is due to a proxy, simply allow connections to this domain in your proxy settings to allow the validation of your license key to occur: https://api.wpt.knowbe4.com/v1/licenses

D. What is the WeakPasswords.txt document and what is it used for?

Our Weak Passwords dictionary (weakpasswords.txt) contains over 11 million weak and/or compromised passwords from past data breaches. The file is located in C:\ProgramData\KnowBe4\Weak Password Test\Dictionaries.

Hackers use similar dictionaries to attempt to crack your organization’s passwords. This type of weak password is only one of the vulnerabilities we are looking for, however. The Weak Password Test analyzes ten different variations of password vulnerabilities.

E. Can I run this test multiple times?

Absolutely. If you want to run the test again, just click the Rerun test button, as shown below. Be sure to download a PDF or Excel sheet of your current results before running a new test.

F. Can I run this test if I’m using Azure?

No.

G. My anti-virus flagged this as dangerous. Is it?

No, it is not dangerous. Weak Password Test’s behavior could mimic that of a password-cracking tool used by hackers, which is why your antivirus may have flagged it as potentially dangerous.

H. I had several users fail the test. What do I do now?

First and foremost, train your users on proper password practices with security awareness training and remind them often. It is important for them to know that hackers can crack a password within seconds with the right tools in hand. KnowBe4 offers several courses which you can train your users with that covers these topics.

For many of the vulnerabilities, you’ll also want to enforce stricter password requirements in your organization. We strongly recommend increasing your password complexity requirements and setting a rule to ensure passwords expire on a regular basis.

While we cannot advise you on the specifics of how to remedy all of the password vulnerabilities in your organization, we can point you in the direction of some great resources which can help.

TechNet: Configuring Password Policies
TechNet: Best Practices for Enforcing Password Policies
Microsoft: Password Guidance (Downloadable PDF)