Floutsch

Check if logged in account has a password set

5 posts in this topic

Hi there.

A few days ago I started with AutoIt and I already love it (despite the syntax which is kinda uncommon to me as my Basic times are long ago by now ^^)

Sparing you a longer sermon, here comes my issue: I'm searching for a way to determine if the currently logged on user account has a password set. To be clear about this, I don't want to know anything about that password beyond its existence... The thing is, that there needs to be a password set and I'd like to check for that, telling the user to set one if that's not already the case.

Oh, by the way - I've searched the forum for an answer to that. 23 pages actually, then I was told, I hit the search limit - maybe I've used the wrong terms :)

Any idea is greatly appreciated!

Kind regards,

Floutsch

I wouldn't want you to be able to tell that from a script. None of your business and too useful for phishing accounts.

If you are a responsible administrator, you will have set policy requiring passwords, and requiring them to be changed periodically (like every 90 days). Those policies will force anyone without a password to set one without having to phish dangerous details about the accounts.

<_<


Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law


If you are a responsible administrator, you will have set policy requiring passwords, and requiring them to be changed periodically (like every 90 days). Those policies will force anyone without a password to set one without having to phish dangerous details about the accounts.

Uhm... well, seems like I should not spare you all of the details... It's about a home office environment, where I'm obviously not the administrator of the machine in question. That's why I can't force using passwords on the user. What I'm scripting is the installation of the VPN client, a special VoIP client to make calls via the company line, and so on.

I wouldn't want you to be able to tell that from a script. None of your business and too useful for phishing accounts.

I do not quite get that - I wrote that I don't want to know what the password is. I don't think there'd be an easy way to find that out and that's how it is supposed to be. I just need to know if there is a password set. Any password. Because if not, I will have to tell the user to set one. And here comes the reason:

During the install process a new user account (a restricted one) is created and from that account the setup proceeds... well, the script uses "#RequireAdmin" so the user has to grant admin rights. This just doesn't work when the account you use doesn't have a password set (which I personally guess is rather likely on private computers...). Feel free to try it - I didn't know that as simulating the home environment on a virtual machine is the first time I have no passwords...

So I'd like to check for that in advance and tell the user to create a password.

Which part exactly gave you the idea I plan to do anything hostile? :)


If you can make a list of accounts without passwords, it is the same thing as a list of accounts that you have the password for -- you can then use those accounts on the machine.

But by 'you' I mean hypothetical cracker, not you personally. It's not that I thought you were necessarily trying something hostile, but the fact that the information you want would be so useful to someone who was hostile that it should be very hard/impossible to determine.

Alas, it ain't so. It's actually so trivial that there is no additional harm in stating it: RunAsSet:

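; On failure, Run sets @error instead of aborting the script
Opt("RunErrorsFatal", 0)
; Use the current user name with an empty domain and an empty password for the next Run
RunAsSet(@UserName, "", "")
; Try to start a hidden command prompt under those credentials
Run(@ComSpec & " /c Dir", "", @SW_HIDE)
If @error Then
    ConsoleWrite("Debug: Failed" & @LF)
Else
    ConsoleWrite("Debug: Worked" & @LF)
EndIf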

Anyone allowing accounts with no password should get a very pointed notification about how bad an idea that is. So bad it should be prevented with policies on the machine. All this BTW, applies just as much to OS X or Linux as it does to Windows, the other OS's are just generally better about default policies on such things.

<_<


Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
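
The policy the post above recommends can be checked from a script without probing any account. This is an added example, not code from the thread: it reads the local password policy with `net accounts` and compares it with the post's 90-day figure. The function names are hypothetical and English command output is assumed.

```autoit
#include <AutoItConstants.au3>

; Added example, not from the thread. Function names are hypothetical.
; Assumes English "net accounts" output; the labels are localized elsewhere.

; Run "net accounts" hidden and return everything it wrote to stdout.
Func _ReadNetAccounts()
    Local $iPid = Run(@ComSpec & " /c net accounts", @SystemDir, @SW_HIDE, $STDOUT_CHILD)
    If @error Then Return ""
    ProcessWaitClose($iPid)
    Return StdoutRead($iPid)
EndFunc

; Return the first token after "<label> ... :" or "" when the label is absent.
Func _PolicyValue($sOutput, $sLabel)
    Local $aMatch = StringRegExp($sOutput, "(?i)" & $sLabel & "[^:\r\n]*:\s*(\S+)", 1)
    If @error Then Return ""
    Return $aMatch[0]
EndFunc

; Compare the policy with what the post asks for: a password is required
; and must be changed periodically (90 days is the post's figure).
Func _AuditPasswordPolicy($sOutput)
    Local $sMinLen = _PolicyValue($sOutput, "Minimum password length")
    Local $sMaxAge = _PolicyValue($sOutput, "Maximum password age")
    If $sMinLen == "" Or $sMaxAge == "" Then Return "Cannot parse policy (non-English output?)"

    Local $sFindings = ""
    If Number($sMinLen) = 0 Then
        $sFindings &= "Minimum password length is 0, so empty passwords are accepted." & @CRLF
    EndIf
    If Not StringIsDigit($sMaxAge) Then ; "Unlimited" on English systems
        $sFindings &= "Maximum password age is " & $sMaxAge & ", so passwords never expire." & @CRLF
    ElseIf Number($sMaxAge) > 90 Then
        $sFindings &= "Maximum password age is " & $sMaxAge & " days (more than 90)." & @CRLF
    EndIf
    If $sFindings == "" Then Return "Policy requires a password and a change within 90 days."
    Return $sFindings
EndFunc

Local $sPolicy = _ReadNetAccounts()
If $sPolicy == "" Then
    MsgBox(16, "Password policy", "Could not run net accounts.")
Else
    MsgBox(64, "Password policy", _AuditPasswordPolicy($sPolicy))
EndIf
```

The audit only reads machine-wide policy settings, so it says nothing about whether any individual account currently has a password.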


If you can make a list of accounts without passwords, it is the same thing as a list of accounts that you have the password for -- you can then use those accounts on the machine.

Hm... right. I mean, it would be really bad being able to check for non-set passwords machine-wide. But for the logged in user... Well, maybe I should think a little bit more like a blackhat - to know what they could be up to... Wouldn't have thought of the possibility to detect vulnerable accounts that way :-D

But by 'you' I mean hypothetical cracker, not you personally. It's not that I thought you were necessarily trying something hostile, but the fact that the information you want would be so useful to someone who was hostile that it should be very hard/impossible to determine.

Regarding the first sentence - honestly I misunderstood that 'you' as personally before <_< Thanks for making that clear.

Alas, it ain't so. It's actually so trivial that there is no additional harm in stating it: RunAsSet:

Opt("RunErrorsFatal", 0)
RunAsSet(@UserName, "", "")
Run (@ComSpec & " /c Dir", "", @SW_HIDE)
If @error Then
    ConsoleWrite("Debug: Failed" & @LF)
Else
    ConsoleWrite("Debug: Worked" & @LF)
EndIf

Seeing it now, I really could have thought of that!

Anyone allowing accounts with no password should get a very pointed notification about how bad an idea that is. So bad it should be prevented with policies on the machine. All this BTW, applies just as much to OS X or Linux as it does to Windows, the other OS's are just generally better about default policies on such things.

:)

I totally agree! The bad thing is, that MS nearly forces you to have empty passwords with XP. Which again leads to my desire to check for that. Creating accounts via the GUI you just state a user name and that's it. That's btw the reason my script does that by calling "net user /add ..." :P

Concluding remark: Thanks for your help!
