Bad passwords can be costly. Recently, I had to spend several hours cleaning up a server due to poor end-user passwords used for email accounts. Spammers guessed these passwords and starting flooding the system with email. As soon as one account was fixed, they hit another. So I needed a quick way to find bad passwords. While not exhaustive, this little trick can save you a lot of time.
To get a list of bad passwords, I turned to the popular Top 500 Worst Passwords of All Time list. This list is rather old and certainly not exhaustive, but bad passwords live long and rarely die, so it is a good place to start.
Email user passwords are stored in the accounts table in Plesk. Typically they are stored as plain text which makes it easy to search for bad user passwords. The Plesk database (psa) can be overwhelming but Major Hayden of MySQLTuner fame has put together a nice reference site: PleskHacker.
Find Bad Passwords
By querying the Plesk database against the bad password list we can easily find all of the email user accounts that have bad passwords. I’m sure there are better MySQL queries but this one does the job. You must first login to your MySQL database:
mysql -Dpsa -uadmin -p`cat /etc/psa/.psa.shadow`
Then run the query to find bad email passwords.
select mail_name,name,password from accounts,mail,domains where mail.account_id=accounts.id and mail.dom_id = domains.id and password IN ("password list");
This will return a list of mail name, domain and their password. You can dump this out to a CSV file for further processing.
Here’s a text file with the full MySQL query you can use to run on your server.
What to Do?
Now you have your list, you can work with your clients to change their bad passwords.
You can force them to use good ones by checking the box: “Check the passwords for mailboxes in the dictionary” in Plesk under the mail server settings.
If any MySQL gurus have a better way to run the query, let me know. Ideally, I would like to simply put my bad password list into a file and then run a query against it. This should be easy enough to script up, I just do not have the time.
Other Bad Passwords
Also, I’ve seen some hosts use the domain name as the password. Or the domain name plus “abc” or “123” or some similar scheme. This is not clever. Attackers know these tricks and once they get a hold of a system with bad passwords, they will often continue to scan until they find other accounts.