jacksonvd / pwnedpasswordsdll

Open source solution to check prospective AD passwords against previously breached passwords

Home Page: https://jacksonvd.com/

C++ 95.54% C 4.46%
dll ad haveibeenpwned passwords

pwnedpasswordsdll's Issues

Howto change/renew the password hash file

Hello,

I have "implemented" the PwnedPasswordsDLL - everything is running fine.
Now I'd like to renew the "breached password lists" - how is that done?

  • Is the file permanently opened by the DLL?
  • Can I only overwrite the file with breached password lists?
  • What will happen during (the time of) the overwrite (may take time -> 24GByte)?
  • Do I need to reboot the server?

Can you document the steps for replacing the password list as well?

Thanks Meike

feature request: complexity flag?

Is it possible for the dll to look at whether the user's password must meet complexity requirements?
I thought I had read that this dll didn't apply if complexity was not required, but I've looked at so many recently I may be mixing them up.

I have a set of generic accounts that are used internally restricted to log on to only a few PCs. They have a fine grained password policy applied to allow simple passwords. I've found these simple passwords are on the pwned list.
One solution would be to edit the pwned passwords list, but I don't want regular users to use them.
Is it possible to only enforce pwned passwords if complexity is required?

Thanks

Make URL configurable and use hashes

Glad to see someone created an LSA solution.
If this is intended for live usage, may I suggest:

  1. make URL configurable & document it so users know they should use an internal/offline checking service
  2. use the hashes (SHA-1s are provided) instead of plaintext passwords

Total passwords calculated incorrectly

I think the totalPasswords integer is calculated wrongly. It's currently calculated as

// Get total passwords by dividing by SHA length + 2 - 1
int totalPasswords = (bytes / 42) - 1;

Makes sense, hashes are formatted like this.
000000005AD76BD555C1D6D771DE417A4B87E4B4:4 (first hash in SHA1 V5 ordered by hash HIBP dataset)

So I'm guessing the "+2" are for the ':' and the x amount of times a password has been seen.
Herein lies the problem however, many hashes also have an 'x' > 9.

For example
00000000DD7F2A1C68A35673713783CA390C9E93:630 (third hash in SHA1 V5 ordered by hash HIBP dataset)

Over the many millions of passwords, this adds up quite quickly. According to the PwnedPasswordsDLL, there are 578 million passwords in the dataset, whilst there are only 551 million.

I'm not sure yet what problems this could cause, but it is unlikely to be desirable.
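
The issue above concerns a fixed-width record assumption applied to a file whose lines vary in length. As an added example (not code from PwnedPasswordsDLL), the following compares the quoted estimate with an actual line count on a constructed sample, and shows a sorted-file lookup that bisects on byte offsets and so needs no record count. The names `makeSample`, `estimateFixedWidth`, `countRecords` and `lookup` are hypothetical; holding the data in memory and the CRLF line endings are assumptions.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>

// Constructed sample: n sorted "HASH:COUNT\r\n" records whose counts grow
// from 1 to 5 digits, so record length varies as in the issue's examples.
std::string makeSample(int n) {
    std::string out;
    char line[64];
    for (int i = 0; i < n; ++i) {
        std::snprintf(line, sizeof line, "%040X:%d\r\n", i * 7919u, i * 37 + 1);
        out += line;
    }
    return out;
}

// The estimate quoted in the issue: assumes every record is 42 bytes.
long estimateFixedWidth(std::size_t bytes) { return static_cast<long>(bytes / 42) - 1; }

// Actual record count: one record per line terminator.
long countRecords(const std::string& data) {
    return static_cast<long>(std::count(data.begin(), data.end(), '\n'));
}

// Bisect on byte offsets instead of record numbers; returns the count, or -1.
long lookup(const std::string& data, const std::string& hash) {
    std::size_t lo = 0, hi = data.size();  // lo always sits on a line start
    while (lo < hi) {
        std::size_t start = lo + (hi - lo) / 2;
        while (start > lo && data[start - 1] != '\n') --start;  // realign to line start
        std::size_t end = data.find('\n', start);
        if (end == std::string::npos) end = data.size();
        std::size_t colon = data.find(':', start);
        if (colon == std::string::npos || colon >= end) return -1;  // malformed record
        int cmp = data.compare(start, colon - start, hash);
        if (cmp == 0) return std::stol(data.substr(colon + 1, end - colon - 1));
        if (cmp < 0) lo = std::min(end + 1, data.size());
        else hi = start;
    }
    return -1;
}

int main() {
    std::string s = makeSample(1000);
    std::printf("estimate=%ld actual=%ld\n", estimateFixedWidth(s.size()), countRecords(s));
    std::printf("lookup=%ld\n", lookup(s, std::string(36, '0') + "9AAB"));
}
```

On a real multi-gigabyte list the same bisection would run over file offsets (seek to the midpoint, then realign to the next or previous line start) rather than over an in-memory string.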

unable to logon after password change

Hello,
I downloaded the v3.0 release of the dll.
After I change a password, the user account cannot log in, always reporting an incorrect password.
If I attempt to change the password to a known pwned password it fails as it should.

I've tested on 2016 and 2012 r2 x64.
If I remove the entry from the LSA notification packages and reboot, I can reset the password and the user account works again.

Thanks,
