Checking for Pwned Passwords in Active Directory
(Last updated on February 17, 2020)
If you are trying to fulfill a regulation requirement like that of NIST, you might find yourself tasked with attempting to set up your Active Directory environment to check for leaked passwords against an external blacklist. For many, Have I Been Pwned (HIBP) is the list they want to check against.
HIBP is one of the largest free collections of pwned passwords and accounts that can let you know if your email address or password has been leaked.
Some of the leaks in the HIBP list include:
- 772,904,991 Collection #1 accounts
- 763,117,241 Verifications.io accounts
- 711,477,622 Onliner Spambot accounts
- 622,161,052 Data Enrichment Exposure From PDL Customer accounts
- 593,427,119 Exploit.In accounts
- 457,962,538 Anti Public Combo List accounts
- 393,430,309 River City Media Spam List accounts
- 359,420,698 MySpace accounts
- 234,842,089 NetEase accounts
- 164,611,595 LinkedIn accounts
Troy Hunt, the man behind the collection, lists the current count of pwned passwords in HIBP as 555,278,657. (Our own Specops Password Policy Blacklist breached password list is currently about four times that at over 2 billion leaked passwords).
Easy enough to check if an individual email address has been breached:
or an individual password:
However, things get more complicated if you’re looking to check the credentials for your Active Directory users against this list.
For starters, doing this manually would take forever. Never mind that if you’re following good security practices, you shouldn’t have any personal knowledge of your users’ passwords to then individually search them.
So, if your heart is set on checking your AD against the HIBP list, you have two options: the API and downloading the lists.
Checking Active Directory Passwords Via the HIBP API
The HIBP API after some configuration could help you check your Active Directory against its list.
With a recent update to the HIBP list, Troy introduced the use of k-Anonymity, which means you no longer have to send the entire hash via the API. You can now search the database by range – using the beginning of an SHA1 hash, then using the API response to check whether the rest of the hash exists in the database.
JacksonVD wrote a detailed post on how to set this up with Active Directory.
A guide that got the approval of Troy Hunt himself:
But that doesn’t help with continuous protection; you’d have to re-run this with each new addition to HIBP as well as regularly to check any changed AD passwords against the existing list.
On top of that, security-wise, you might prefer to have an on-premise list you can check your AD credentials against rather than open your Domain Controllers up to (an even slight) compromise and subsequent infection risk.
Checking Active Directory Passwords Against an On-Prem HIBP Download
For those who prefer to not use the API, whether for security reasons or concerns over availability, HIBP does offer a download option of its list.
“The entire set of passwords is downloadable for free below with each password being represented as either a SHA-1 or an NTLM hash to protect the original value (some passwords contain personally identifiable information) followed by a count of how many times that password had been seen in the source data breaches.”
JacksonVD wrote another guide that covers the steps for comparing your AD against a local store of the HIBP list here.
While JacksonVD’s instructions can get you there, you still might not want to go that route due to lack of sign-off on such an approach or lack of desire to set that up technically. Even still, you might need something simpler from an auditing perspective.
A More Secure and More Comprehensive Leaked Password Check
With Specops Password Policy’s Blacklist, you not only get a more comprehensive list of leaked passwords (over 2 billion and counting), you get a more secure way to check your Active Directory user passwords against a NIST-compliant blacklist.
Specop’s Password Policy Blacklist comes in two versions: Blacklist Express and Blacklist Complete. Both check your users’ passwords against our leaked list during password change.
With Blacklist Express, your AD users’ passwords are checked during password change against a streamlined version of our complete list that’s available for on-prem use and notifies immediately if the password they’ve selected is compromised.
With Blacklist Complete, your AD users’ passwords are checked during password change against our complete list (over 2 billion and counting) that’s available in the cloud and notified via email if the password they’ve selected is compromised.
With both Express and Complete, your users get access to speedy password breach checks during password change as well as the comprehensive security check that comes with Blacklist Complete.
Looking for a password blacklist that’ll help you comply with regulations from organizations like NIST, but is also more comprehensive and easier to set up than HIBP? Contact us to see if Specops Password Policy and Blacklist are the right fit for your Active Directory security needs.
Use Specops Password Auditor (FREE) to Find Out How Many of Your Active Directory Accounts Are Compromised
Specops Password Auditor scans and checks passwords of the user accounts against our Blacklist Express list of compromised passwords. The Auditor also provides a full view of the administrator accounts in an organization’s domain, including stale/inactive admin accounts. From a single view, you can identify vulnerabilities that can assist you with your security plan.
Specops Password Auditor is a read-only program, and available for free download: https://specopssoft.com/product/specops-password-auditor/#tryfree