12 June, 2013 by Jack Vamvas
How can I find weak passwords in SQL Server logins?
Identifying weak passwords is an important part of Security Risk Analysis. Setting up a procedure to check for weak passwords should be part of the DBA daily healthcheck. It is straightforward to check for a weak password using a SELECT statement and the PWDCOMPARE function.
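The PWDCOMPARE function accepts 2 arguments: the first is the clear-text password to test and the second is the varbinary value of the SQL password hash. It returns 1 when the hash of the text password matches the stored hash.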
--find SQL login with blank passwords
select name, type_desc, create_date
from sys.sql_logins
where pwdcompare('', password_hash) = 1

--find SQL login with password same as name
select name, type_desc, create_date
from sys.sql_logins
where pwdcompare(name, password_hash) = 1
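
The two checks above can be folded into a single audit query that also tests each login against a short list of candidate passwords. This is an added example, not code from the original post: it goes beyond the two cases shown, the candidate values are constructed samples to be replaced with your own banned-password list, and it assumes the account running it can read password_hash in sys.sql_logins.

```sql
-- Added example: audit SQL logins for blank, name-equal, or listed passwords.
-- Assumption: the caller can read sys.sql_logins.password_hash (e.g. sysadmin).
DECLARE @candidates TABLE (candidate nvarchar(128) NOT NULL PRIMARY KEY);

-- Constructed sample values; replace with your organisation's banned-password list.
INSERT INTO @candidates (candidate)
VALUES (N'password'), (N'Password1'), (N'sqlserver'), (N'123456'), (N'changeme');

SELECT  l.name,
        l.type_desc,
        l.create_date,
        l.is_disabled,            -- disabled logins are lower priority, still worth fixing
        l.is_policy_checked,      -- 0 = Windows password policy not enforced for this login
        l.is_expiration_checked,  -- 0 = password never expires
        -- Report the category of the finding, never the matching password itself,
        -- so the audit output is safe to store in a health-check log.
        CASE
            WHEN PWDCOMPARE(N'', l.password_hash) = 1     THEN 'blank password'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1  THEN 'password same as login name'
            ELSE 'password on candidate list'
        END AS finding
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE(N'', l.password_hash) = 1
   OR   PWDCOMPARE(l.name, l.password_hash) = 1
   OR   EXISTS (SELECT 1
                FROM   @candidates AS c
                WHERE  PWDCOMPARE(c.candidate, l.password_hash) = 1)
ORDER BY l.is_disabled, l.name;
```

Any row returned should have its password changed, and logins showing is_policy_checked = 0 are the ones most likely to reappear in later runs.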