IMPORTANT: The Login Password Strength utility cannot decrypt existing passwords; it can only compare encrypted passwords against a list of encrypted known weak passwords. The methods used are well known and well documented on the internet. What's more, the alert the system sends identifies only the accounts with weak passwords, not the passwords themselves.
Tables:
- Collector.Logins – Holds login data from all the servers.
- dbo.PasswordDictionary – Holds the passwords to compare against existing login password hash. This is a list of what you consider weak passwords, that you don’t want any of your logins to have. The existing password hashes are compared to this list to alert you to known weak passwords. By default, Minion Enterprise supplies over 100,000 weak passwords; we encourage you to add your own entries to dbo.PasswordDictionary, as you see fit.
- dbo.WeakPasswordExceptions – This table allows you to define logins for which no weak password alerts should be sent.
- History.WeakSQLPasswords – A log of found (and alerted-on) weak passwords for SQL logins.
- SQLLoginsGet.exe – Collects the login information from each server.
- Alert.LoginPasswordStrength – Performs the comparison against stored hashes to test for weak login passwords. For important notes on this table, see the “Alert.LoginPasswordStrength” section later in this document. Note that the alert email does not contain the list of logins and passwords; ME does not send passwords via clear text. Instead, the alert email provides the query to retrieve the list of logins with weak passwords from the database.
- AlertWeakSQLPasswords – Runs the [Alert].[WeakSQLPasswords] stored procedure.
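
The comparison described above, sketched as an added example (not Minion Enterprise's own code): each dictionary entry is re-hashed with the salt taken from the stored hash, logins on the exception list are skipped, and only server and login names are reported. It assumes the SQL Server 2012+ hash layout (0x0200 header, 4-byte salt, SHA-512 of the UTF-16LE password plus salt); the function names and sample rows are constructed for illustration.

```python
import hashlib
import hmac

HEADER = b"\x02\x00"  # assumed version marker of the SQL Server 2012+ hash layout


def make_hash(password: str, salt: bytes) -> bytes:
    """Build header + 4-byte salt + SHA-512(UTF-16LE password + salt)."""
    digest = hashlib.sha512(password.encode("utf-16-le") + salt).digest()
    return HEADER + salt + digest


def matches(candidate: str, stored: bytes) -> bool:
    """Re-hash the candidate with the stored salt; the stored hash is never reversed."""
    if len(stored) != 70 or stored[:2] != HEADER:
        return False  # unknown or legacy format: skip rather than guess
    return hmac.compare_digest(make_hash(candidate, stored[2:6]), stored)


def find_weak_logins(logins, dictionary, exceptions=()):
    """Return (server, login) pairs whose password is in the dictionary.

    The matching password itself is deliberately not returned, mirroring an
    alert that names accounts only.
    """
    skip = {name.lower() for name in exceptions}
    weak = []
    for server, login, stored in logins:
        if login.lower() in skip:
            continue  # exception list: no alert for this login
        if any(matches(word, stored) for word in dictionary):
            weak.append((server, login))
    return weak


# Constructed sample data standing in for collected logins, the weak-password
# dictionary and the exception list (hypothetical servers, logins and salts).
SAMPLE_LOGINS = [
    ("SRV1", "app_reports", make_hash("Password1", bytes.fromhex("a1b2c3d4"))),
    ("SRV1", "svc_backup", make_hash("x9!Lq#72vTz-long-random", bytes.fromhex("0badf00d"))),
    ("SRV2", "legacy_etl", make_hash("welcome", bytes.fromhex("deadbeef"))),
    ("SRV2", "old_fmt", b"\x01\x00" + bytes(24)),  # not the assumed layout
]
SAMPLE_DICTIONARY = ["123456", "Password1", "welcome"]
SAMPLE_EXCEPTIONS = ["legacy_etl"]

if __name__ == "__main__":
    for server, login in find_weak_logins(SAMPLE_LOGINS, SAMPLE_DICTIONARY, SAMPLE_EXCEPTIONS):
        print(f"{server}: {login} has a known weak password")
```

Because every hash carries its own salt, the same weak password produces a different stored value on each login, so each dictionary entry has to be re-hashed per login rather than looked up in a precomputed list.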