Search for passwords accidentally typed into the username field

Mark Mo
2 min read · Jan 10, 2020

How many times have you accidentally put your password in the username field like this?

I’ll admit it, sometimes I accidentally put my password in the username field. UGGH! I always change my password when I do that, but I bet not everyone does!

I’m sure this has been done plenty of times before, but not by me, so I thought I would write a quick PowerShell script to identify unique accounts, and potentially a password, if someone mistypes it into a username field like I do from time to time.

In order to see this in the security event log though, this Audit Logon policy (pictured below) must be set. You can get to this with an admin account by running GPEdit.MSC.

It will probably be set at any corporation, but it is likely not set on a home machine.

Here is the PowerShell script. I’ll throw it on Git when time permits.

    # Collect the "Account Name:" line from every failed-logon event (ID 4625)
    $AccountOrPossiblePassword = @()
    $Events = Get-WinEvent -LogName Security -FilterXPath "Event[System[EventID=4625]]"
    foreach ($Event in $Events)
    {
        # Skip the Subject block; the "Account For Which Logon Failed" block holds what was typed
        $startLocation = $Event.Message.IndexOf('Account For Which Logon Failed')
        if ($startLocation -ne $null -and $startLocation -gt 0)
        {
            $check = $Event.Message.Substring($startLocation, ($Event.Message.Length - $startLocation)) -Split '\r\n' | Select-String "Account Name:"
            if ($check -ne $null -and $check -ne '')
            {
                $AccountOrPossiblePassword += $check
            }
        }
    }
    # Print each distinct value once
    $uniqueValues = $AccountOrPossiblePassword | Select-Object -Unique
    foreach ($val in $uniqueValues)
    {
        Write-Host $val
    }

Here it is running and finding the password I typed into the username field. It will also return usernames that failed, but the only thing I’m really interested in here was the password. This has to run as an account with admin rights because it is searching the security log.
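The script's output mixes real usernames with mistyped passwords. The following added example (not the author's script) goes a step further: it reads the structured TargetUserName field from the event XML instead of parsing the localized message text, and marks values that do not match a known account. The function name, its parameters, and the sample event are assumptions made for illustration.

```powershell
# Added example, not the author's script. Function and parameter names are hypothetical.
function Get-FailedLogonName {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [string[]]$KnownAccount = @()   # names that really exist, e.g. (Get-LocalUser).Name
    )
    process {
        $x = [xml]$EventXml
        # Index the <Data Name="..."> elements of EventData by their Name attribute.
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $name = $data['TargetUserName']
        [pscustomobject]@{
            TimeCreated     = [datetime]$x.Event.System.TimeCreated.SystemTime
            Name            = $name
            Workstation     = $data['WorkstationName']
            LogonType       = $data['LogonType']
            # True when the value is not a real account: a typo or a misplaced password.
            NotKnownAccount = $KnownAccount -notcontains $name
        }
    }
}

# Constructed sample event, trimmed to the fields used; all values are made up.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2020-01-10T15:04:05.000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">Example-Passw0rd!</Data>
    <Data Name="TargetDomainName">WORKSTATION1</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">WORKSTATION1</Data>
  </EventData>
</Event>
'@
$sample | Get-FailedLogonName -KnownAccount 'alice', 'Administrator'

# Against the live log (elevated prompt, as the article notes):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#     ForEach-Object { $_.ToXml() } |
#     Get-FailedLogonName -KnownAccount (Get-LocalUser).Name |
#     Where-Object NotKnownAccount | Sort-Object Name -Unique -CaseSensitive
```

The Workstation and TimeCreated columns help tie a flagged value to the user who needs to change their password.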

This is pretty simple, but it gave me a chance to learn about querying the event log with PowerShell.

Feel free to follow me on twitter: @_markmo_ (yes, with the underscores)

https://twitter.com/_markmo_


@fashionproof.bsky.social on bluesky @_markmo_ on twitter