Check current/last logged in user password

accm
New Contributor II

Hoping someone can help.

I am attempting to write an EA that determines if the current/last logged-in user's password is still our default password (meaning that they never reset it locally after they started). I know that using global policy I can determine if the password meets specific complexity, but I am looking for those that contain a specific string of characters. We are not bound to AD.

Thanks in advance for your help!

10 REPLIES

JustDeWon
Contributor III

@accm .. Maybe this will help you. Kinda puts you on the track you're going for.. you can get the last time a password was set from that discussion's script...

accm
New Contributor II

@JustDeWon Thank you!

This helps somewhat - however, I'm looking for a specific string within the user's password.

An example would be if we set all new users' local passwords to "newuser123", how can I write an EA to find all computers with local users that have "newuser123" as their password?

andrew_nicholas
Valued Contributor

Your best bet might be to use a response script to try and su into the user's shell and then write a file that your EA checks.

[Edit]: Just a rough idea, but you might be able to use the first script to call the second and then test on the file ownership.

#!/bin/bash
# Script 1: prepare a sticky, world-writable drop directory, then hand the
# credentials to the expect script. Caveat: the password is visible in the
# process list (ps) while the expect script runs.
username=""
password=""
testPath="/Library/Company"
testFile="$testPath/.passwdtst"
expectFile="/path/to/file.sh"

mkdir -p "$testPath"
chmod 1777 "$testPath"   # the su'd user must be able to create the marker file
rm -f "$testFile"        # start clean so a stale marker is never trusted

# an expect script has to be run by expect, not sh
/usr/bin/expect -f "$expectFile" "$username" "$password" "$testFile"

#!/usr/bin/expect -f
# Script 2 (file.sh): su to the user with the candidate password. The marker file
# is created from inside the su'd shell, so it only exists, and is only owned by
# the user, if the password was accepted. The EA can then check: stat -f %Su <file>
# (a chown run from the su'd shell would fail: a non-root user cannot chown a
# root-owned file, and spawning chown from expect runs it as root, not as the user)
set username [lindex $argv 0]
set password [lindex $argv 1]
set testfile [lindex $argv 2]

spawn su "$username"
expect "Password:"
send "$password\r"
expect {
    "Sorry" { exit 1 }
    -re {[$%#] $} {
        # we are inside the user's shell: touch runs as that user, not as root
        send "touch $testfile\r"
        send "exit\r"
    }
}
expect eof

SimonLovett
New Contributor III

If they are local accounts, the users' passwords will be stored locally as hashes.
I think if you create a log in as a user, set a password of "newuser123", and use

sudo defaults read /var/db/dslocal/nodes/Default/users/${USER}.plist

(stolen from here: https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored?rq=1 ) for that user

You may be able to identify users with an identical hash by recursively reading the password hash for all users and comparing it to your known hash.

It might be more difficult than that, but if that is the answer then the right formatted dscl command would give you a list of users to test, and a suitable while/do/done loop could work on that list to do the comparison and output a list of accounts whose hash matches.

Not got time to play with this today, just a few thoughts; however, someone might come along and either say that this wouldn't work, as my knowledge of local accounts and password encryption may be lacking, or someone else might go, "Yep, that would work, here is the script" :)

You could then use a similar command to scan through the local users password hashes and look for matches

andrew_nicholas
Valued Contributor

@SimonCU I'm not sure the hashes would be the same, as they should each require a randomized salt when the password is set, so that even if two accounts had the same password they should have two totally different hashes.

SimonLovett
New Contributor III

@andrew.nicholas, possibly not - been a long while since I had to hack around with local passwords :), but the commentary on the article below is interesting regarding salting (if it still works, or indeed worked in the first place...); quite a long, heavy article though, and probably a lot of work to turn it into an EA which could get broken by the next Apple release :(

https://apple.stackexchange.com/questions/220729/what-type-of-hash-are-a-macs-password-stored-in/220863

JustDeWon
Contributor III

Understood @accm ... Take a look here.. This could possibly help you with your string

accm
New Contributor II

This is what we attempted, but I think that we're getting stuck with the user variable.

#!/bin/sh
# $3 (the logged-in user) is only passed to Jamf policy scripts, not to extension
# attributes, so fall back to the owner of /dev/console when it is empty.
User="${3:-$(stat -f %Su /dev/console)}"
BadPassword="newuser123"
# authonly exits 0 only when the credentials are accepted; discard its output and test
# the exit status directly instead of capturing "output + echo $?" into one variable.
# (note: the candidate password is visible in the process list while dscl runs)
if dscl /Local/Default authonly "$User" "$BadPassword" >/dev/null 2>&1; then
    echo "$User never changed their password!"
fi

JustDeWon
Contributor III

why not just run a script for current users who've never changed their password to force a password change? Then implement a policy for new users to change their password upon login.

That may be the easiest route to take on this.

accm
New Contributor II

We were able to solve using:

#!/bin/sh
has_default_pass='NO'
default_pass="newuser123"

# iterate through all local user accounts (skipping _service accounts and the
# built-in root/daemon/nobody) and test the default password against each one
for user in $(dscl . list /Users | grep -v '^_' | grep -v -E '^(root|daemon|nobody)$'); do
    # authonly exits 0 only if the credentials are accepted; its output is not needed
    # (note: the candidate password is visible in the process list while dscl runs)
    if dscl /Local/Default authonly "$user" "$default_pass" >/dev/null 2>&1; then
        has_default_pass='YES'
        break
    fi
done

echo "<result>$has_default_pass</result>"
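As an added example, not code from this thread or from Jamf, the following Python shows the two points the replies circle around: why comparing stored hashes across users cannot work (each account has its own random salt, so identical passwords yield different hashes), and how a known default password can still be verified offline against each stored record by re-deriving it with that record's own salt and iteration count. The record layout mirrors the fields macOS keeps under ShadowHashData as SALTED-SHA512-PBKDF2 (salt, iterations, derived key called "entropy"), but the user table here is constructed inline; reading the real records out of the dslocal plists is out of scope, and all function and variable names are mine. Checking against the stored hash this way avoids putting the candidate password on a dscl command line, where it is visible in `ps`, and avoids one failed authentication per account per EA run.

```python
import hashlib
import hmac
import os

# Constructed sample data, not taken from any real Mac. Each record mimics the
# fields macOS stores per user under ShadowHashData -> SALTED-SHA512-PBKDF2:
# a per-user random salt, an iteration count and the derived key ("entropy").
ITERATIONS = 20000   # real macOS counts are larger and vary per user
KEY_LEN = 128        # macOS stores a 128-byte derived key

SYSTEM_ACCOUNTS = {"root", "daemon", "nobody"}


def derive(password, salt, iterations, key_len=KEY_LEN):
    """PBKDF2-HMAC-SHA512, the KDF behind SALTED-SHA512-PBKDF2."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, key_len)


def make_record(password, iterations=ITERATIONS):
    """Simulate a password being set: a fresh 32-byte salt and a new derived key."""
    salt = os.urandom(32)
    return {"salt": salt, "iterations": iterations, "entropy": derive(password, salt, iterations)}


def matches(record, candidate):
    """Re-derive the candidate with the record's own salt and iteration count and compare
    in constant time. Comparing raw entropy values between users proves nothing, because
    every account was salted differently."""
    guess = derive(candidate, record["salt"], record["iterations"], len(record["entropy"]))
    return hmac.compare_digest(guess, record["entropy"])


def users_with_default_password(records, default_password):
    """Return the local accounts still using default_password, skipping the built-in
    system accounts and underscore-prefixed service accounts (the thread's grep -v ^_)."""
    return sorted(
        name for name, rec in records.items()
        if name not in SYSTEM_ACCOUNTS
        and not name.startswith("_")
        and matches(rec, default_password)
    )


# Constructed local user table: two people never changed the default, one did.
LOCAL_USERS = {
    "root": make_record("something-else"),
    "_mbsetupuser": make_record("newuser123"),   # service account, must be skipped
    "alice": make_record("newuser123"),
    "bob": make_record("newuser123"),
    "carol": make_record("correct horse battery staple"),
}


def same_password_different_hashes():
    """The objection raised in the thread: identical passwords do not give identical hashes."""
    return LOCAL_USERS["alice"]["entropy"] != LOCAL_USERS["bob"]["entropy"]


if __name__ == "__main__":
    print("alice and bob share a password but their hashes differ:", same_password_different_hashes())
    hits = users_with_default_password(LOCAL_USERS, "newuser123")
    # same YES/NO shape as the EA in the thread, plus the offending accounts
    print("<result>%s</result>" % ("YES" if hits else "NO"), hits)
```

The per-record salt and iteration count are what make the offline check both possible and unavoidable: a single precomputed hash of "newuser123" cannot be compared against every account, but re-deriving it once per account with that account's parameters costs one PBKDF2 run each, which is cheap for a handful of local users.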