Re: Detect empty password
From: Eduardo Francos (efrancos_at_wanadoo.fr)
Date: Sun, 17 Apr 2005 09:22:15 +0200
> Eduardo Francos <firstname.lastname@example.org> wrote in news:4260c729$0$25023
>>>Eduardo Francos <email@example.com> wrote in
>>>>I'm looking for a way to detect whether an account has an empty
>>>>password. I cannot use the standard API functions (ex: LogonUser) to
>>>>validate passwords because they increment the bad password count when
>>>>the account has a valid non empty password.
>>>... But you have to get the SAM database first... (good luck
>>My software is a replacement GINA running as SYSTEM so it has access
>>rights to the SAM database. Actually I can access the SAM database as a
>>logged on user in the Administrators group after changing its
>>permissions to give Administrators Read rights.
> Will this software work in a domain situation?
> One of the reasons why the welcome screen isn't available in Domain
> situations is it can easily hit this account lockout policy. Imagine a
> network of XP Welcome screens iterating through each account to determine
> if they have blank passwords.
> Also, some systems don't use a SAM at all (a replacement GINA may
> implement a completely different database for its checking). And even if
> you did have a SAM, you can't rely on it storing LM hashes (it might use
> NTLM hashes or Kerberos tickets).
Right, trying to match an empty password to the SAM database doesn't
seem to be a good direction.
Microsoft's scheme is based on the supposition that when a user selects an
account he/she _will_ log in with it after entering the right password,
so the account lockout counter gets reset immediately.
If they can live with it then for the time being we'll have to live with
it too :-(
Currently our software, NaturalLogin, is not targeted at domain
environments, only stand alone and workgroup computers.
By the way, there is a posting in this newsgroup inviting you to participate
in our public beta test campaign. If you're interested look for the
subject "Search Beta Test :secure login without Password" or go to
Our next release will support logging in to domains. Based on our
research we can safely assume that a domain user "always" has a
password. For those few that take the risk of working on a domain
without a password it shouldn't be a major problem to ask for it and let
the user leave it empty. Moreover, our accounts allow for preinputting
the password (security is ensured among others by a hardware key) so
even this can be avoided.
Concerning the account lockout, NaturalLogin accounts used to log in to
a domain must be configured as such, so knowing that, we can skip the
check for an empty password, eliminating the problem altogether.
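The thread's point is that probing an account with LogonUser and an empty password costs a bad-password count and can trip the lockout policy. An administrator who wants to find accounts that may have no password can instead read the account attribute that permits an empty password, which never touches the counter. The following is an added example written for this page, not code from the poster or from NaturalLogin; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser) and is run from an elevated prompt on a stand-alone or workgroup machine.

```powershell
# Added example (not from the original thread): audit local accounts for the
# "password not required" attribute and show the lockout policy, without
# attempting any logon. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module (Get-LocalUser). Run elevated.

# Show the effective lockout threshold from 'net accounts', i.e. how many bad
# attempts a LogonUser-based probe would have been allowed before locking out.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
Write-Host "Lockout policy: $lockoutLine"

# Enumerate enabled local accounts. PasswordRequired = $false corresponds to
# the PASSWD_NOTREQD account flag: the account is allowed to have no password.
# That flag is what to audit; it is not proof that the password is empty, but
# reading it is a pure attribute query and never increments badPwdCount.
$candidates = Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    Select-Object Name, PasswordRequired, PasswordLastSet, LastLogon

if ($candidates) {
    Write-Host "Enabled local accounts not required to have a password:"
    $candidates | Format-Table -AutoSize
} else {
    Write-Host "All enabled local accounts require a password."
}
```

Accounts listed here are the ones to fix (set a password or disable them) rather than to probe; on a domain-joined machine the equivalent attribute lives in Active Directory and the domain lockout policy applies, which is exactly the case the thread warns about.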