jacksonvd / pwnedpasswordsdll
Open source solution to check prospective AD passwords against previously breached passwords
Home Page: https://jacksonvd.com/
Hello,
I have "implemented" the PwnedPasswordsDLL - everything is running fine.
Now I would like to renew the "breached password lists" - how is that done?
Thanks Meike
Is it possible for the DLL to look at whether the user's password must meet complexity requirements?
I thought I had read that this dll didn't apply if complexity was not required, but I've looked at so many recently I may be mixing them up.
I have a set of generic accounts that are used internally restricted to log on to only a few PCs. They have a fine grained password policy applied to allow simple passwords. I've found these simple passwords are on the pwned list.
One solution would be to edit the pwned passwords list, but I don't want regular users to use them.
Is it possible to only enforce pwned passwords if complexity is required?
Thanks
Glad to see someone created an LSA solution.
If this is intended for live usage, may I suggest:
I think the totalPasswords integer is calculated wrongly. It's currently calculated as
// Get total passwords by dividing by SHA length + 2 - 1
int totalPasswords = (bytes / 42) - 1;
Makes sense, hashes are formatted like this.
000000005AD76BD555C1D6D771DE417A4B87E4B4:4 (first hash in SHA1 V5 ordered by hash HIBP dataset)
So I'm guessing the "+2" is for the ':' and the x number of times a password has been seen.
Herein lies the problem, however: many hashes also have an 'x' > 9.
For example
00000000DD7F2A1C68A35673713783CA390C9E93:630 (third hash in SHA1 V5 ordered by hash HIBP dataset)
Over the many millions of passwords, this adds up quite quickly. According to the PwnedPasswordsDLL, there are 578 million passwords in the dataset, whilst there are only 551 million.
I'm not sure yet what problems this could cause, but it is unlikely to be desirable.
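The discrepancy described in the post above can be reproduced on a small buffer. This is an added example, not code from PwnedPasswordsDLL: it compares the quoted fixed-width estimate with a real record count, and shows a lookup that binary-searches on byte offsets so it needs no record count at all. The sample data is constructed (generated hashes, LF line endings assumed, held in memory rather than read from a file), and all function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed stand-in for a sorted hash list: 40 hex chars, ':', count, '\n'.
std::string hashFor(unsigned long long i) {
    char buf[48];
    std::snprintf(buf, sizeof buf, "%040llX", i * 0x1000ULL);
    return buf;
}
std::string makeSample(unsigned long long n) {
    std::string out;
    for (unsigned long long i = 0; i < n; ++i)
        out += hashFor(i) + ":" + std::to_string(i * i + 1) + "\n";
    return out;
}

// The calculation quoted in the post: assumes every record is 42 bytes.
std::size_t fixedWidthEstimate(std::size_t bytes) { return bytes / 42 - 1; }

// Actual record count: one per line terminator.
std::size_t countRecords(const std::string& data) {
    std::size_t n = 0;
    for (char c : data) n += (c == '\n');
    return n;
}

// Binary search on byte offsets, realigning to the start of the line that
// contains the midpoint. Returns the breach count, or -1 if the hash is absent.
long lookup(const std::string& data, const std::string& hash) {
    std::size_t lo = 0, hi = data.size();
    while (lo < hi) {
        std::size_t mid = lo + (hi - lo) / 2;
        std::size_t start = (mid == 0) ? 0 : data.rfind('\n', mid - 1) + 1;
        std::size_t end = data.find('\n', start);
        if (end == std::string::npos) end = data.size();
        int cmp = data.compare(start, 40, hash);
        if (cmp == 0) return std::stol(data.substr(start + 41, end - start - 41));
        if (cmp < 0) lo = end + 1; else hi = start;
    }
    return -1;
}

int main() {
    std::string data = makeSample(1000);
    std::printf("estimate=%zu actual=%zu\n", fixedWidthEstimate(data.size()), countRecords(data));
    std::printf("count=%ld\n", lookup(data, hashFor(500)));
}
```
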
Hello,
I downloaded the v3.0 release of the dll.
After I change a password, the user account cannot log in, always reporting an incorrect password.
If I attempt to change the password to a known pwned password, it fails as it should.
I've tested on 2016 and 2012 R2 x64.
If I remove the entry from LSA notification packages and reboot, I can reset the password and the user account works again.
Thanks,