Check current/last logged in user password

@accm .. Maybe this will help you. Kinda put you on the track you're going for.. you can get a last time password was set from that discussion script...

@JustDeWon Thank you!

This helps somewhat - however, I'm looking for a specific string within the user's password.

An example would be if we set all new user's local password to "newuser123", how can I write an EA to find all computers with local users that have "newuser123" as their password?

Your best bet might be to use a response script to try and use SU into the users shell and then write a file that your EA checks.

[Edit]: Just a rough idea, but you might be able to use the first script to call the second and then test on the file ownership.

#!/bin/bash
username=""
password=""
testPath="/Library/Company"
testFile="$testPath/.passwdtst"
expectFile="/path/to/file.sh"

mkdir -p "$testPath"
touch "$testFile"


sh "$expectFile" "$username" "$password" "$testFile"

#!/usr/bin/expect -f
set username [lindex $argv 0];
set password [lindex $argv 1];
set testfile [lindex $argv 2];

spawn su "$username"
expect {
    "Password:" {
        send "$password
"
        spawn chown "$username" "$testfile"
        send "exit
"
        interact
    }
}

If they are local accounts, the users passwords will be stored locally as hashes.
I think if you create a log in as a user, set a password of "newuser123", and use

sudo defaults read /var/db/dslocal/nodes/Default/users/${USER}.plist

(stolen from here https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored?rq=1is for that user)

You may be able to identify users with an identical hash by recursively reading the password hash for all users and comparing it to your known hash.

It might be more difficult than that, but if that is the answer then the right formatted dscl command would give you a list of users to test and a suitable while do done loop could work on that list to do the comparison and output a list of accounts whose hash matches.

Not got time to play with this today, just a few thoughts, however someone might come along and either say that this wouldn't work as my knowledge of local accounts and password encryption may be lacking. Alternatively someone else might go, "Yep, that would work, here is the script" :)

You could then use a similar command to scan through the local users password hashes and look for matches

@SimonCU I'm not sure the hashes would be the same as they should each require a randomize salt at the passwords setting, so that even if two accounts had the same password they should have two totally different hashes.

@andrew.nicholas, possibly not - been a long while since I had to hack around with local passwords :), but the commentary on the article below is interesting regarding salting , (if it still works, or indeed worked in the first place...), quite a long heavy article 'though and probably a lot of work to turn it into an EA which could get broken by the next Apple release :(

https://apple.stackexchange.com/questions/220729/what-type-of-hash-are-a-macs-password-stored-in/220863

Understood @accm ... Take a look here.. This could possibly help you with your string

This is what we attempted, but I think that we're getting stuck with the user variable.

#!/bin/sh
User="$3"
BadPassword="newuser123"
checkpass=`dscl /Local/Default authonly $User $BadPassword; echo $?`
if [ "$checkpass" -eq 0 ]; then
    echo "$User never changed their password!"
fi

why not just run a script for current users, who's never changed their password to force a password change. Then implement a policy for new users to change their password upon login.

That may be the easiest route to take on this.

We were able to solve using:

#!/bin/sh
has_default_pass='NO'
default_pass="newuser123"

# interate through all local user accounts and compare password
for user in `dscl . list /Users | grep -v ^_.*`; do
    checkpass=`dscl /Local/Default authonly $user $default_pass; echo $?`
    if [ $checkpass -eq 0 ]; then
        has_default_pass='YES'
    fi
done

echo "<result>$has_default_pass</result>"