7MS #304: Integrating Pwned Passwords with Active Directory

Below are show notes for an episode of the 7 Minute Security podcast, a weekly podcast I publish that focuses on topics such as penetration testing, network configuration, blue-teaming and career advice. I welcome you to subscribe in your favorite podcast app so you don't miss an episode!

Intro

I've been super pumped about Troy Hunt's Pwned Passwords project ever since it came out - especially when I saw a tweet about using it in Active Directory so that enterprises could essentially stop people from picking previously pwned passwords! That led me to explore the following two solutions:

Pwned Passwords DLL

This blog entry has everything you need to get started with this GitHub project. If you've got some coding skillz you can probably give everything a quick read and have the DLL installed and running in no time. If you're like me and have little to zero Visual Studio experience, head to my BPATTY site page about Pwned Passwords where I've laid everything out step-by-step!

Bottom line is this is a FREE way to check AD passwords against Troy's list of 500M+ previously pwned passwords. Awesome dude!

SafePass.me

I gave this commercial solution a demo and it worked fine as well. It's about $700 USD and comes packaged in an .MSI file that you simply double-click to install, then reboot the domain controller(s). It looks to do the exact same thing as Pwned Passwords DLL but without having to build a DLL or install it manually.

Audio