To learn about Weak Password Test (WPT), read the sections below or watch a brief Weak Password Test (WPT) video.
Introduction to WPT
WPT is a free tool that examines your Active Directory (AD) for user passwords that are susceptible to password-related attacks.
WPT connects to your AD and retrieves the password table, which holds hashed passwords rather than plaintext, over an encrypted connection. The tool then analyzes the passwords against ten potential password vulnerabilities.
Your results will display which user accounts failed the test and why. This information can empower you to increase your organization's password complexity requirements, train your users about safe password practices, or take other actions to help your organization's security.
System Requirements and Prerequisites
To run WPT, your system must meet the following requirements:
- Windows 10 or later (32 or 64-bit), Windows Server 2016 or later
- Active Directory (AD), running on Windows Server 2008 R2 or later
- Ability to access the domain controller (DC)
- Internet access
- .NET Framework 4.7.2 (installed automatically if needed)
- At least two processors
- At least 2GB of RAM
- At least 1GB of hard disk drive (HDD) space available on your system drive
- User Account Control (UAC) enabled
We recommend running this test on a system other than your DC, as the scanning process can temporarily generate significant network traffic and central processing unit (CPU) usage.
For installation, you will need the following information:
- The license key that you received via email upon signing up for the test.
- The domain name of your AD. For example, MyDomain.com or MyDomain.local.
- The name of your DC.
- The credentials to connect to your AD.
Installation and Setup
Once you’ve met the system requirements and prerequisites, you can install and set up WPT. To get started, follow the steps below:
- Sign up on our WPT page and download the WPT installation file.
- Check your email to retrieve your unique WPT license key, which you’ll need to use during the setup process.
- Run the WPT installation file.
- Review and accept the license agreement. Then, click Install to complete the installation.
- Click Finish to launch WPT.
- Enter your license key from Step 1 and click OK.
- Under Active Directory Details, enter the required details from your Active Directory (AD):
- The domain name of your AD
- The name of your domain controller (DC)
- Under Credentials, enter the username and password for the account you created for WPT, which must have the Replicating Directory Changes and Replicating Directory Changes All permissions. These permissions are what allow WPT to read the hashed password data from your DC, so use a dedicated account for the test rather than a shared administrative one.
- Click Start Test to start your test.
- The test will analyze your AD accounts for weak passwords. Depending on the size of your AD and workstation performance, this process may take a minute or longer.
- Your results will be displayed on-screen as soon as the test is complete. To understand each vulnerability, read the next section.
Understanding Your Results
Your WPT results will indicate how many accounts were vulnerable and which vulnerability affected each account. The sections below will help you navigate your results and understand the types of password vulnerabilities found.
Navigating Your Results
Your Active Directory (AD) accounts will be listed as individual rows. In each row, one or more checkmarks indicate the specific vulnerabilities found for that particular account. You can also search for a specific account by entering characters into the search box.
A pie chart compares the number and type of vulnerabilities found and can be used to determine your organization's most common password vulnerabilities.
You can filter the results by failure type if you would like to analyze a specific vulnerability. To do so, click the specific failure type on the left side of the window, and only accounts with that type will remain in the list.
Below is additional information about the WPT user interface:
- You can filter your results by failure type by clicking the sidebar on the left side of the page.
- You can search for specific AD accounts in the search bar.
- The checkmarks in each row indicate the type of password vulnerability found for each account.
- You can export your results as an Excel spreadsheet or a PDF file.
- Click Rerun Test to run WPT again. We recommend that you save your current results before clicking this button.
Failure Types
WPT analyzes your data to look for ten different failure types that can leave your organization vulnerable to an attack, detailed below.
- Weak Password: This failure indicates that the affected account's password matched one of those listed in our weak password dictionary. These passwords are either very common, easy to guess, or have been made available to attackers because of past data breaches.
- Shared Password: This failure indicates that the affected account shares a password with at least one other account.
- Empty Password: This failure includes accounts that do not have a set password.
- Clear Text Password: This failure includes accounts whose passwords are stored in Active Directory (AD) using reversible encryption, which is equivalent to storing them in clear text.
- Password Not Required: This failure includes accounts that are flagged as not requiring a password, so they can exist with no password at all.
- Password Never Expires: This failure indicates that the account's maximum password age is set to zero. Because of this setting, even if the Password never expires check box in the user’s properties is unchecked, the password will never expire. WPT checks password expiration settings in your organization’s domain policies, fine-grained password policies, and user properties.
- LM Hash Password: This failure indicates that the affected account's password is stored as a LAN Manager (LM) hash, an obsolete format. These hashes are vulnerable to brute force attacks and can be cracked quickly.
- AES Encryption Not Set: This failure indicates that the account doesn’t use the Advanced Encryption Standard (AES) to protect the user’s Kerberos credentials. AES uses a 128-bit or 256-bit key, and accounts that use it are less vulnerable to attacks.
- DES-Only Encryption: This failure indicates that affected accounts were configured to use only the retired Data Encryption Standard (DES). This is usually a result of legacy software that does not support AES.
- Missing Pre-Authentication: This failure indicates that affected accounts have Kerberos pre-authentication, a security mechanism, turned off. When enabled, pre-authentication requires the client to send an encrypted authentication request before a ticket is issued, so attempts to authenticate to the account reach the domain controller and are logged. Accounts without it are at risk of brute force attacks, which can be carried out offline and are difficult to detect.
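The attribute-based failure types above (all except the hash-dependent Weak, Shared, Empty and LM Hash checks) can be re-verified directly in AD after remediation. The PowerShell below is an added example, not KnowBe4's WPT code; it assumes the RSAT ActiveDirectory module, a domain-joined machine and an account that can read user objects, and writes a CSV of accounts labelled with the failure names used on this page.

```powershell
# Added example, not KnowBe4's WPT code: re-check the attribute-based WPT
# failure types directly in AD with the ActiveDirectory (RSAT) module.
# Assumes a domain-joined machine and an account that can read user objects.
Import-Module ActiveDirectory

# userAccountControl bits (documented by Microsoft)
$UAC_PASSWD_NOTREQD       = 0x20       # Password Not Required
$UAC_ENCRYPTED_TEXT_PWD   = 0x80       # reversible encryption = Clear Text Password
$UAC_DONT_EXPIRE_PASSWORD = 0x10000    # Password Never Expires (user flag)
$UAC_USE_DES_KEY_ONLY     = 0x200000   # DES-Only Encryption
$UAC_DONT_REQ_PREAUTH     = 0x400000   # Missing Pre-Authentication

# msDS-SupportedEncryptionTypes bits: 1 DES-CRC, 2 DES-MD5, 4 RC4, 8 AES128, 16 AES256
$ETYPE_AES = 0x8 -bor 0x10

$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$props = 'userAccountControl', 'msDS-SupportedEncryptionTypes'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $uac   = $_.userAccountControl
    $etype = $_.'msDS-SupportedEncryptionTypes'
    $fails = @()

    if ($uac -band $UAC_PASSWD_NOTREQD)     { $fails += 'Password Not Required' }
    if ($uac -band $UAC_ENCRYPTED_TEXT_PWD) { $fails += 'Clear Text Password' }
    if ($uac -band $UAC_USE_DES_KEY_ONLY)   { $fails += 'DES-Only Encryption' }
    if ($uac -band $UAC_DONT_REQ_PREAUTH)   { $fails += 'Missing Pre-Authentication' }

    # Neither AES checkbox ticked: attribute absent or both AES bits clear
    if (-not $etype -or -not ($etype -band $ETYPE_AES)) { $fails += 'AES Encryption Not Set' }

    # Never expires if the user flag is set OR the policy that applies has max age 0
    $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $_
    $maxAge = if ($fgpp) { $fgpp.MaxPasswordAge } else { $defaultMaxAge }
    if (($uac -band $UAC_DONT_EXPIRE_PASSWORD) -or ($maxAge -eq [TimeSpan]::Zero)) {
        $fails += 'Password Never Expires'
    }

    if ($fails.Count -gt 0) {
        [pscustomobject]@{ Account = $_.SamAccountName; Failures = ($fails -join '; ') }
    }
} | Export-Csv -Path .\wpt-attribute-recheck.csv -NoTypeInformation
```

Get-ADUserResultantPasswordPolicy is called once per user, so on a large domain the run takes noticeably longer than the UAC checks alone.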
Settings
There are several settings you can use to customize WPT. Read the subsections below for more information.
Optional Vulnerabilities
You can enable or disable two password vulnerabilities in your WPT scan: AES Encryption Not Set and Password Never Expires. To access these settings, click the gear icon in the top-right corner of the window.
Custom Passwords
WPT uses a large password library to determine if a user's password is weak. If there are specific passwords you would like to include in the WPT scan, you can import a text file including these passwords. To access this setting, click the gear icon in the top-right corner of the window.
Before importing your text file, make sure that the file is smaller than 10MB and that it contains only one password per line.
Language
You can change your WPT language by clicking the language name in the bottom-right corner of the window.
Security
Your Active Directory (AD) and user information are kept secure while using WPT. The test results only identify the user accounts that failed the test and why so that you can take action.
Below are details about how your data is handled during WPT:
- None of the information from your AD will be transmitted to KnowBe4 at any point during the test.
- The data pulled from your AD is encrypted.
- WPT does not display the passwords of any of your AD user accounts.
- Passwords in AD are stored as hashes, and those hashes are not displayed during the test.
- The information obtained during the test is saved in local memory, not to disk.