This post is more like a rant then a post but it is what it is.
In everyday work and life I keep finding people that think that policies are good to have but not so good to follow up and I’m really struggling to comprehend that kind of thinking, especially when it’s about security. I don’t get it why is it so hard to realize one simple fact, you don’t compromise with security.
Few weeks ago, Troy Hunt has released password hash dumps from haveibeenpwned.com site. Dumps are large, splitted to 3 parts and contains 324+ millions of hashes. In this blog post I will show you how to integrate that large hash dump with Microsoft Active Directory and enable DC servers to check against that list before allowing user to change their password.
Microsoft has one feature that has been present since Windows server 2003 and it’s called password filters. It’s not often used as it’s meant to be used as an additional method for adding more complexity to password requirements in larger organisations. The smaller organisations and companies are sticking with the rules that are already present in Windows (both server and workstations), which are:
- enforce password history
- minimum password age
- maximum password age
- minimum password length
- password must meet complexity requirements
- store passwords using reverse encryption
There are some commercial solutions that can add more complex requirements to this list, but price tag is quite high. As soon as you see “contact us for price” you can count with that.