Preventing Users from Using Breached Passwords in Active Directory
Posted by Minega15@reddit | sysadmin | 43 comments
Hi everyone,
At work, I'm trying to find a way to prevent users from setting passwords that have been previously breached. One approach I'm considering is configuring the Active Directory controller to reference a file containing a list of known compromised passwords, which could be updated over time.
Is this possible? If so, what would be the best way to implement it? Or is there a more effective solution that you’d recommend?
Thanks in advance for any insights!
dchit2@reddit
Easiest task ever, this man has done all the hard work for you, it'll cost you $0 upfront and maybe an hour to implement.
AD Password Protection — Lithnet
Add your own script to check event logs to quickly find the reason someone's password change attempts were rejected.
AffixedSamurai21@reddit
How does this work for large organizations? If a password has been changed can you filter it to automatically add the old password to the list?
dchit2@reddit
I don't get your question sorry. Primary function is: on password change, new password is checked against a local copy of haveibeenpwned list, and optional custom banned word list. Additionally provides powershell to check if a user's current AD password hash is in the haveibeenpwned list.
irrision@reddit
Yep, was just trying to remember the name of this. Definitely a low price option and it's easy to install.
Forumschlampe@reddit
Of course I recommend the reworked solution of OpenPasswordFilter from myself
https://github.com/ForumSchlampe/OpenPasswordFilter
U can use it offline, online, own lists, regex filters, some AD attribute filtering of the user.
Still honor to bockrob
isanass@reddit
Dude, you wrote that!? That's awesome and I implemented that when I started at a manufacturing company that had terrible password policies and major cash constraints. Not only did users willingly give me their password to troubleshoot an issue, when I saw it, it was almost always passwordsomething, companyname, or sitenameabldddy.
There were A LOT of grumpy people after setting this up, but the risk of compromise once we migrated to M365 and prior to Duo/MFA rollout was just too high.
I will say, though, I was cursing the software when I migrated DCs and needed to dump this back onto the new one. Oh, and the Sophos SOC for MDR/MTR immediately responded and called me to confirm it was legit, but at least they called before locking down a DC! If I hadn't answered, though, I couldn't blame them if they did.
Forumschlampe@reddit
slow slow slow
we took bockrob's work/ideas and refactored his code heavily and improved it with some features, implemented proper logging, implemented config files and stuff.
And this work wasn't a one man show
Citizen493@reddit
+1 for Lithnet Password Protection
HuthS0lo@reddit
Maybe this will help. I wrote it the other day. I found a dump with millions of passwords, and used it to populate a sqlite database.
https://pastebin.com/H3Qwr8dY
Forumschlampe@reddit
Just use Have I Been Pwned database?
HuthS0lo@reddit
This is just to search email addresses. And the api has a cost to it. Wouldn’t even help for this purpose.
But now I’m thinking maybe I should stand up a public api for this function.
Forumschlampe@reddit
What?
API is free of charge if u check single hashes, and of course it is to check passwords, not only accounts
Database download with hashes u can compare with ur hashes is free of charge, take it, compare every account or compare while password set/change
HuthS0lo@reddit
Great idea man. I didn’t even think about that. And they have an api. So that’s pretty bad ass.
LtLawl@reddit
https://specopssoft.com/product/specops-password-policy/
AUSSIExELITE@reddit
+1 for Specops. Has worked well for us for years now. Does exactly what it says on the tin and support has been pretty good the one or two times I’ve needed it.
rtslol@reddit
This doesn’t seem to work in environments without AD.
leogjj2020@reddit
Specops is good and do password cracking with hashcat
ZAFJB@reddit
Lithnet is brilliant.
All AD password filters have the same issue in that they cannot tell you why your chosen password is not acceptable. That is because AD can only return OK or not OK.
The solution is to document what your filter requires, make the documentation easily accessible by users, and user education.
binaryhextechdude@reddit
A certain percentage of end users already struggle to create a valid password that meets the length and complexity requirements. If you further restrict what is permissible, especially when it can’t be easily explained and understood, it’s going to create issues for users and for the Service Desk trying to support them.
orion3311@reddit
If you have certain AzureAD/Entra licensing (P1 I think?) you can use its password filtering capabilities with AD. Look up Entra password protection for AD.
Minega15@reddit (OP)
Thank you, I will look into this
rustla@reddit
Pentester here, if you’re going to set this up it’s well worth adding custom passwords to the filter. It’s done in the same page in Entra ID. Add keywords used in your org, local sporting teams etc.
stesha83@reddit
This is the way, I work in a certain industry so I had chatgpt generate me a list of hundreds of industry terms. Very useful
MrTrism@reddit
This guy pens!
KripaaK@reddit
Hey! I work at Securden, where we build an enterprise password management solution, so I’ve come across this kind of challenge quite a bit.
While our product doesn't directly integrate into AD to block breached passwords at the time of password creation, it helps organizations enforce strong password hygiene in other critical areas — especially for privileged and shared accounts.
With Securden, you can:
It’s especially useful for managing admin and shared credentials securely — so even if end users set weak passwords in AD, you still have tight control over access to your critical infrastructure.
Might be worth looking into as a complementary layer if you’re focusing on overall access security. https://www.securden.com/password-manager/index.html
NETSPLlT@reddit
Active Directory controller to reference a file containing a list of known compromised passwords
Am I hallucinating, or has this not always been a feature? I don't recall the specific location to set it, but there is a word list in AD used to reject passwords containing any of them. I'm surprised no one has mentioned it.
Personally, I'd probably powershell a REST call to HIBP and update it. But as others here have mentioned, there are plenty of 3rd party solutions. Good luck!
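Several replies mention scripting a check against Have I Been Pwned (single-hash lookups are free, and with the range API only the first five characters of the SHA-1 hash leave your network). The following PowerShell is an added example, not code from any commenter or product in the thread. It assumes the documented HIBP range endpoint https://api.pwnedpasswords.com/range/{prefix} and its SUFFIX:COUNT line format; the sample response and its counts below are constructed so the logic can be exercised offline.

```powershell
# Added example: k-anonymity check of a candidate password against the HIBP
# range API. Only a 5-hex-character SHA-1 prefix is sent; the service returns
# every suffix in that range with its breach count, and the match is made locally.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return ([System.BitConverter]::ToString($sha1.ComputeHash($bytes))).Replace('-', '').ToUpperInvariant()
    } finally {
        $sha1.Dispose()
    }
}

function Test-RangeResponse {
    # Parses "SUFFIX:COUNT" lines for one hash prefix and returns the breach
    # count for $Suffix, or 0 when the suffix is absent (or listed as padding).
    param(
        [Parameter(Mandatory)][string]$ResponseText,
        [Parameter(Mandatory)][string]$Suffix
    )
    foreach ($line in ($ResponseText -split "`r?`n")) {
        if ($line -match '^([0-9A-Fa-f]{35}):(\d+)') {
            if ($Matches[1].ToUpperInvariant() -eq $Suffix.ToUpperInvariant()) {
                return [int]$Matches[2]
            }
        }
    }
    return 0
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Optional override so the check can run offline against a captured or
        # constructed response instead of a live HTTP call.
        [string]$ResponseText
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    if (-not $ResponseText) {
        # Live lookup; the Add-Padding header asks HIBP to pad the response so
        # its size does not reveal how many real suffixes the range holds.
        $ResponseText = Invoke-RestMethod -Method Get `
            -Uri "https://api.pwnedpasswords.com/range/$prefix" `
            -Headers @{ 'Add-Padding' = 'true' }
    }
    return Test-RangeResponse -ResponseText $ResponseText -Suffix $suffix
}

# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The neighbouring suffixes and all counts are made up for this demo.
$sampleResponse = @"
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
2E2FF2B9C5A1A9C7E7B4B9D4D8A3C4E6F12:0
"@

$count = Test-PwnedPassword -Password 'password' -ResponseText $sampleResponse
if ($count -gt 0) {
    Write-Host "Reject: password seen $count times in breach data"
} else {
    Write-Host "No match in the range"
}
# Omit -ResponseText to query the live API for the candidate's prefix.
```

The same suffix comparison works against a locally downloaded HIBP hash list if shipping even the prefix off-premises is a concern; the live call is only one way to obtain the range text.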
Forumschlampe@reddit
Hallucinating, passfilt.dll is the solution u need to develop/implement
narcissisadmin@reddit
I wouldn't be overly concerned with doing this, especially if you have MFA in place.
Forumschlampe@reddit
MFA was not only bypassed once
Competitive_Run_3920@reddit
ManageEngine Password Policy Enforcer can do this as well (I think this product used to be Netwrix). If you’re not fully into the Azure ecosystem this is a nice option because it does a lot of the lifting on prem, so your password hashes aren’t shipped to a cloud service to be evaluated.
thernlund@reddit
Password Policy Enforcer was an Anixis product, later acquired by Netwrix.
carpetflyer@reddit
Enzoic is another to look at.
faulkkev@reddit
There are products that will read hashes in AD and cross reference them with known breached passwords or passwords shared on known hacking exchanges. Then you can know who has compromised passwords beyond Entra as mentioned.
AardvarkSlumber@reddit
https://ltb-project.org/documentation/self-service-password.html
badlybane@reddit
No way to do this that I know of, as passwords are hashed you need to hash the password list and compare hashes.
_SleezyPMartini_@reddit
SpecOps
syslurk@reddit
Crowdstrike Identity protection has this capability.
KStieers@reddit
NFront and Netwrix (used to be Anixis) both have products that can reference the HIBP db and custom dictionaries as well as other typical things like patterns and sequences (1234 or qwerty)
"AD password filter" is your google search.
There's a freebie out there that just does HIBP.
You can also get auditing tools to check after the fact, KnowBe4 has a free one.
ccosby@reddit
I haven't used their solution for compromised passwords but Specops Soft has a product. I've used their product for password policies to use pass phrases before and it works as expected and wasn't expensive.
Professional_Ice_3@reddit
Respectfully, please 🙏 give up immediately and don't make things harder for the executives and the boomers that constantly need help from the service desk because no matter what they put, their new password isn't accepted.
Also, Microsoft self-service password reset service does this already if they have seen a password too many times before.
Minega15@reddit (OP)
Thank you
techvet83@reddit
As the poster below noted, you want Microsoft Entra Password Protection - Microsoft Entra ID | Microsoft Learn. Technically, when the software is installed, "Azure AD Password Protection" will be in the name but Azure AD=Entra, of course.
Minega15@reddit (OP)
Thank you sir. I will look into this