To learn about the Weak Password Test (WPT), read the below tutorial or watch this brief Weak Password Test (WPT) video.
What is the WPT?
The WPT is a free tool that examines the passwords of the accounts in your Active Directory (AD) to determine if your organization is susceptible to password-related attacks.
The WPT connects to AD and retrieves your password table, which contains only hashed passwords and is transferred using encryption. The tool then analyzes the passwords against ten failure types, described in detail below.
The results will display which user accounts failed the test and why. This information can empower you to increase your organization's password complexity requirements, train your users on safe password practices, or take other actions to help bolster your cybersecurity posture.
Is My Information Safe?
Yes. It's important to note that this tool will never display or report the actual passwords of any user accounts in your AD. Passwords within AD are in a hashed format and will never be visible at any point. The test results will simply identify the user accounts which failed the test so you can decide how to correct that.
Additionally, the data pulled from AD is encrypted. The information obtained during the test is saved in local memory, not to disk. None of the information from your Active Directory will be transmitted to us at any point during the test.
System Requirements and Prerequisites
To run the Weak Password Test, the system you use must have the following:
- Windows 10 or later (32- or 64-bit), or Windows Server 2016 or later
- Active Directory (AD), running on Windows Server 2008 R2 or later
- Ability to access the domain controller (DC)
- Internet access
- .NET Framework 4.7.2 (will be installed if needed)
- At least two processors
- At least 2 GB of RAM
- At least 1 GB of hard disk drive (HDD) space available on your system drive
- User Account Control (UAC) enabled
You should also run this test on a system other than your DC as the scanning process can temporarily generate significant network traffic and central processing unit (CPU) usage.
For installation, you will need the following information:
- A license key that you received upon signing up for the test
- A domain name of your AD. For example, MyDomain.com or MyDomain.local.
- Name of your DC
- Credentials to connect to your AD
Note: For the test to run successfully, the credentials you use to connect to your AD with Weak Password Test must have the Replicating Directory Changes and Replicating Directory Changes All permissions enabled. These permissions allow the tool to obtain a copy of your password table for analysis.
Installation and Setup
Once you've met the system requirements and prerequisites, install and set up Weak Password Test by following the steps below:
- First, make sure you read the system requirements and prerequisites prior to installation. Then, sign up for a free Weak Password Test on our website.
- Upon signing up, we will email you a unique License Key, which you’ll need to enter prior to running the test.
- Download and run the installer file for the WPT.
- Review and accept the License Agreement. Then, click Install to complete the installation.
- Click Finish to launch the WPT.
- Enter your unique License Key and click OK.
- Next, you'll need to enter the details listed below:
  - The domain name of your Active Directory.
  - Name of your Domain Controller.
  - The username and password for the account you created which has Replicating Directory Changes and Replicating Directory Changes All permissions enabled.
After entering the above information, click Start Test when you are ready to begin your test.
The test will analyze your Active Directory accounts for weak passwords. Depending on the size of your Active Directory and workstation performance, this process may take a minute or longer.
Your results will be displayed on-screen as soon as the test is complete.
Types of Failure and Vulnerabilities
The Weak Password Test analyzes your data to look for ten different failure types which can leave your organization vulnerable to an attack:
1. Weak Password
This failure indicates that the affected account's password matched one of those listed in our Weak Password dictionary. These passwords are either very common, easy to guess, or have been made available to attackers because of past data breaches.
2. Shared Password
This failure indicates that the affected account shares a password with at least one other account.
3. Empty Password
This failure includes accounts that do not have a set password.
4. Clear Text Password
This failure includes passwords that are stored in clear text in an Active Directory. This means the users' AD passwords are stored using reversible encryption.
5. Password Not Required
This failure includes accounts that are permitted to have no password set.
6. Password Never Expires
This failure indicates that the account has its password timeout set to zero. Because of this setting, even if the Password never expires check box in the user’s properties is unchecked, their password will never expire. The WPT will check password expiration settings in your organization’s domain policies, fine-grained password policies, and user properties.
7. LM Hash Password
This failure indicates that the affected account's password is stored as a LAN Manager (LM) hash, an antiquated format. These passwords are vulnerable to brute force attacks and can be cracked in seconds.
8. AES Encryption Not Set
This failure indicates that the account is not configured to use Advanced Encryption Standard (AES) to encrypt the user's password. AES protects passwords with a 128-bit or 256-bit key, so accounts that use AES encryption are less vulnerable to attacks.
9. DES-Only Encryption
This failure indicates that affected accounts were set up using the retired Data Encryption Standard (DES) mechanism. This is often the result of old software that does not support AES.
10. Missing Pre-Authentication
This failure indicates that affected accounts have pre-authentication, an important security mechanism, turned off. Without it, the accounts may be at risk of brute force attacks that can be carried out offline and are difficult to detect. When pre-authentication is enabled, each attempt to authenticate to the account requires an encrypted authentication request, so those attempts are logged.
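The attribute-based failure types above (Clear Text Password, Password Not Required, Password Never Expires, AES Encryption Not Set, DES-Only Encryption and Missing Pre-Authentication) correspond to bits in an account's userAccountControl and msDS-SupportedEncryptionTypes attributes. The PowerShell below is an added example, not part of the WPT or KnowBe4's code: the flag values are the documented AD constants, the sample accounts are constructed, and treating an unset msDS-SupportedEncryptionTypes as "AES not set" is an assumption.

```powershell
# Added example (not the WPT's code). Reproduces the attribute-based failure types
# (4, 5, 6, 8, 9, 10) from userAccountControl and msDS-SupportedEncryptionTypes.
# Hash-based types (1, 2, 3, 7) need the password table and are left to the tool.
$UAC = @{
    PASSWD_NOTREQD             = 0x000020   # 5. Password Not Required
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x000080   # 4. Clear Text Password (reversible encryption)
    DONT_EXPIRE_PASSWORD       = 0x010000   # 6. Password Never Expires (user-property part only)
    USE_DES_KEY_ONLY           = 0x200000   # 9. DES-Only Encryption
    DONT_REQ_PREAUTH           = 0x400000   # 10. Missing Pre-Authentication
}
# msDS-SupportedEncryptionTypes bits: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256
$ENC_DES = 0x03
$ENC_AES = 0x18

function Get-AccountFindings {
    param(
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [AllowNull()] [Nullable[int]] $SupportedEncryptionTypes   # $null when the attribute is unset
    )
    $f = [System.Collections.Generic.List[string]]::new()
    if ($UserAccountControl -band $UAC.ENCRYPTED_TEXT_PWD_ALLOWED) { $f.Add('Clear Text Password') }
    if ($UserAccountControl -band $UAC.PASSWD_NOTREQD)             { $f.Add('Password Not Required') }
    if ($UserAccountControl -band $UAC.DONT_EXPIRE_PASSWORD)       { $f.Add('Password Never Expires') }
    if ($UserAccountControl -band $UAC.DONT_REQ_PREAUTH)           { $f.Add('Missing Pre-Authentication') }
    $et = if ($null -eq $SupportedEncryptionTypes) { 0 } else { $SupportedEncryptionTypes }
    # DES-only: either the legacy UAC flag, or only DES bits advertised in the encryption types
    if (($UserAccountControl -band $UAC.USE_DES_KEY_ONLY) -or
        (($et -band $ENC_DES) -and -not ($et -band -bnot $ENC_DES))) { $f.Add('DES-Only Encryption') }
    # Assumption: an unset attribute (0) is reported as AES not set
    if (-not ($et -band $ENC_AES)) { $f.Add('AES Encryption Not Set') }
    return $f
}

# Constructed sample accounts (not real directory data); each triggers a different finding.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; userAccountControl = 0x200200; 'msDS-SupportedEncryptionTypes' = 0x03 }
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 0x010200; 'msDS-SupportedEncryptionTypes' = 0x1C }
    [pscustomobject]@{ SamAccountName = 'kiosk';      userAccountControl = 0x4002A0; 'msDS-SupportedEncryptionTypes' = $null }
)
# Against a real domain (ActiveDirectory module, read access only), replace $sample with:
# $sample = Get-ADUser -Filter * -Properties userAccountControl, 'msDS-SupportedEncryptionTypes'
foreach ($u in $sample) {
    $findings = Get-AccountFindings -UserAccountControl $u.userAccountControl `
                                    -SupportedEncryptionTypes $u.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{ Account = $u.SamAccountName; Findings = ($findings -join '; ') }
}
```

With the constructed sample, svc-legacy reports DES-Only Encryption and AES Encryption Not Set, jdoe reports Password Never Expires, and kiosk reports Clear Text Password, Password Not Required, Missing Pre-Authentication and AES Encryption Not Set.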
Analyzing Your Results
The results of the Weak Password Test will show you the number of accounts that are vulnerable, as well as those that are not vulnerable. You will see a pie chart that will compare the total number of vulnerabilities found and indicate the most prevalent password vulnerabilities in your organization.
Each of your Active Directory (AD) accounts will be listed with checkmarks indicating the specific vulnerabilities found on that account. You can also search for a specific account by entering characters into the search box.
If you'd like to analyze a specific vulnerability, click the failure type on the left side of the program to filter the results so that only accounts with that failure type are displayed.
You can view your results on-screen instantly, or you can export the results to disk as an Excel Spreadsheet (.xlsx) or PDF file. If you plan on rerunning the test, make sure you save your results first.
The results screen (callouts from the screenshot) lets you filter your results, search for specific accounts, read the checkmarks that indicate the type of password vulnerability on each account, export your results, and click to rerun the test.