Authenticating to SMB appliances using only the first 8 characters of the Administrator password is allowed
Administrator passwords which were created or changed while using R77.20.85 and later versions (mentioned earlier) are enforced with a weaker password hash algorithm than previous versions.
To upgrade password hash complexity, refer to the solution of this sk.
This problem was fixed. The fix is included in:
Check Point recommends to always upgrade to the most recent version (Check Point 700 appliance / Check Point 910 appliance / Check Point 1400 appliance).
Once upgrading, the configured passwords still remain with the weaker hash algorithm.
Therefore, it is required to change all the Administrators's passwords or re-create the Administrator users.
The following script can be executed in Expert mode in order to detect Administrator users with the weaker password hash:
while read p; do
user="$(echo $p | cut -d ":" -f 1)"
user_hash="$(echo $p | cut -d ":" -f 2)"
if [[ $user_hash == *"*"* || $user_hash == *"!"* || $user_hash == *"$"* ]]; then
done < /etc/shadow
How to use the script:
- Copy the script to a notepad file and name it as you like, in our example it would be "admin_check".
- Change the extension of the notepad file to .sh
- Copy the admin_check.sh file to /storage directory.
- Go to /storage directory, by executing the command "cd /storage" in Expert mode.
- Give the script execute privileges, by executing the command "chmod 700 admin_check.sh" in Expert mode.
- Convert the file to UNIX format, by executing the command "dos2unix admin_check.sh" in Expert mode.
- Run the script, by executing the command "admin_check.sh"
- The affected users will be printed to the screen.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.