Specops Breached Password Protection

Specops Password Policy (version 7.0 and later) is compatible with Specops Breached Password Protection. The Breached Password Protection list is a list of compromised and leaked passwords. If you are an administrator, you can prevent users from using passwords that are in this list. It is also possible to check against the list continuously so that users can be alerted as soon as compromised passwords are added to the list (Continuous Scan).

The list of over three billion compromised passwords is curated by Specops Software and is a combination of thousands of different sources of compromised passwords, including ones used in real attacks today and ones found on known breached password lists such as HaveIBeenPwned, making it easier to comply with industry guidance such as the NIST and NCSC password recommendations. Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now.

Breached Password Protection Complete:

  • Contains the master list of leaked passwords, stored in the cloud, so it is always up to date.
    NOTE
    This is not zero-day protection as the leaked password list will need to be added to the database in our recognized format.
  • If a user changes their password to one that is in the leaked list of passwords, Breached Password Protection Complete notifies the user by email or SMS. Their account is also flagged, forcing the user to change their password the next time they sign in.
  • If Continuous Scan is activated, users will be alerted of compromised passwords as soon as they are added to the list (if notifications are configured), or will be forced to change their password upon next logon.
  • Requires more infrastructure in Active Directory, including installing the Specops Arbiter and downloading an API key. This requires an additional server, on which you install the Specops Arbiter, that will communicate with the Breached Password Protection Cloud API.

Breached Password Protection Express:

  • Uses a subset of the list of leaked passwords that’s normally updated every 3-4 months.
  • The list is downloaded to Active Directory (will affect replication between Domain Controllers).
  • Administrators must manually check if there are updates to the list of leaked passwords, and then download the updated list.
  • Immediately stops a user from changing to a leaked password.
  • Continuously checks for compromised passwords.

Breached Password Protection checks explained

There are three main differences between Breached Password Protection Express and Breached Password Protection Complete:

  • The size of the database: Breached Password Protection Complete has a much larger set of compromised passwords.
  • The contents of the database: Breached Password Protection Complete is updated continuously, while Breached Password Protection Express is updated every 3 or 4 months.
  • The point at which the check is performed:
    • Breached Password Protection Express performs checks at password change, as well as continuous (e.g. nightly) checks.
    • Breached Password Protection Complete performs its check immediately after password change.

Breached Password Protection Complete flow example (Password Change)

The following is an example of how the Breached Password Protection Complete check is performed.

  1. The user changes their password.
  2. If the new password complies with all other password policy rules, the new password is submitted (the user can use their new password).
  3. The password is checked against the Breached Password Protection Complete database.
  4. If the password is found to be compromised, the user's account is flagged, and they need to change their password at next logon.
  5. The password is not checked against the Breached Password Protection Complete database until the next password change.

Breached Password Protection Express flow example

The following is an example of how the Breached Password Protection Express check is performed.

  1. The user changes their password.
  2. The new password is checked against the Breached Password Protection Express database at password change.
  3. If the password is found to be compromised, the user will not be allowed to submit the change. If not, the new password is submitted.
  4. Breached Password Protection Express checks the password against the database continuously (e.g. nightly).
  5. If the password is found to be compromised in subsequent checks (provided the Breached Password Protection Express database has been updated in the meantime), the user's account will be flagged and they need to change their password at next logon.

Breached Password Protection flow example (Continuous Scan)

The following is an example of how the Breached Password Protection check is performed for continuous scan.

  1. A continuous scan of the list is performed (either Breached Password Protection Express or Breached Password Protection Complete).
  2. The user's password is found to be compromised.
  3. The user is alerted via text or email (if so configured) and/or the user is forced to change their password at next logon (if so configured).

Using Breached Password Protection Express together with Breached Password Protection Complete

You can configure and enable Breached Password Protection Complete and Breached Password Protection Express at the same time, by selecting the Prevent passwords from the local Express list and Enable checking passwords via the Complete API checkboxes in the Password Change menu. The advantage of using both is that passwords are checked against the larger Complete database, while also providing direct feedback at password change if the new password is found in the Express list. When users change their password, Breached Password Protection Express will verify if the password is in the list of leaked passwords that has been downloaded. If the password is found in the Express list stored in your local environment, the Breached Password Protection Express rule will prevent the user from changing to that password. If it is not found in the list that is stored locally, the password will be checked against the list found in Breached Password Protection Complete upon submitting the new password. If it is found in the Complete list, the user’s account will be flagged with a “must change password” notification and they will be required to change their password at next login.

Requirements

Component requirements

Specops Password Policy Sentinel
  • Windows Server 2012 R2 or later
  • .Net Framework 4.7.1 or later
  • Writable domain controller

Specops Arbiter
  • .NET 4.7.1 or later
  • Windows Server 2012 R2 or later

Breached Password Protection Express updates (disk space)
Dictionaries for Breached Password Protection Express are downloaded and stored in SYSVOL, replicated to every domain controller.
  • 13 GB free space in SYSVOL on each domain controller.
  • Temporary: an additional 13 GB on the admin computer where the dictionaries are downloaded.

Components

Specops Password Policy with Breached Password Protection consists of the following components.

Specops Password Policy Sentinel

The Specops Password Policy Sentinel is an installation package that must be installed on all writable domain controllers in a domain.

The Specops Sentinel consists of the Sentinel Password Filter, and the Sentinel Service.

Sentinel Password Filter

The Sentinel Password Filter is a Windows Password Filter that verifies whether a new password matches the Specops Password Policy settings assigned to the user.

When validation with Specops Breached Password Protection is configured, the Sentinel Password Filter writes a Breached Password Protection validation request file for each new password (password change/reset), as configured in the Specops Password Policy GPO settings.

Sentinel Service

The Sentinel Service (Windows Service) is a component of Specops Password Policy. The Sentinel Service is always installed as part of the Specops Password Policy Sentinel, but effective only if Breached Password Protection validation is configured.

The Sentinel Service takes the Breached Password Protection validation requests from the queue folder, and passes them to the Breached Password Protection Arbiter, which will determine whether the password is allowed or has been breached. Depending on the Specops Password Policy GPO settings, the Breached Password Protection Service may enforce User must change password at next logon for breached passwords.

The Sentinel Service runs as local system and, by default, is allowed to set User must change password at next logon on affected users.

Installation requirements: .NET 3.5 SP1 or later

Breached Password Protection Arbiter

The Breached Password Protection Arbiter is a component of Specops Password Policy, and should be installed on a server with an internet connection. A single Arbiter is sufficient for most organizations. If your organization requires redundancy, additional Arbiters are recommended.

The Breached Password Protection Arbiter acts as a gateway between the Breached Password Protection Service and the Specops Breached Password Protection Cloud API, where the list of leaked passwords is found. The Breached Password Protection Arbiter uses an API key to communicate with the Breached Password Protection Cloud API.

The Arbiter runs as network service and, by default, has read-only access to Active Directory. By reading the Specops Password Policy settings, the Arbiter can determine the actions required if a password hash is found in the Breached Password Protection list.

To use Breached Password Protection validation, at least one Arbiter must be installed in the domain. Organizations using Specops Password Policy without Breached Password Protection validation do not need to install the Arbiter.

Installation requirements: .NET 4.7.1 or later

NOTE
The Breached Password Protection Express settings do not require the Breached Password Protection Arbiter component.

Breached Password Protection Cloud API

The Breached Password Protection Cloud API, hosted by Specops in the cloud, is a component of Specops Password Policy.

The Breached Password Protection Cloud API hosts an extensive list of leaked passwords.

NOTE
The Breached Password Protection Express settings do not require the Breached Password Protection Arbiter component.

Configuring Breached Password Protection Complete (Complete API)

To configure Breached Password Protection Complete, you will need to:

  • Install Specops Password Policy Sentinel on all domain controllers. The same version must be installed on all domain controllers. [Instructions]
    NOTE
    Specops Password Policy customers running version 6.8.18106.1 or earlier will require a new license key.
  • Install one (or more) Arbiters in the domain(s). [Instructions]
  • Register the Arbiter(s) in the Specops Password Policy Domain Administration tool, and add the API key you received from a Specops Product Specialist:
    1. From the Domain Administration tool, select Breached Password Protection, and click Register new Arbiter.
    2. Select or type the name of your Arbiter computer, and click OK. The Arbiter computer is now added to the table containing all Specops Password Arbiters.
      NOTE
      You can also search for your Arbiter computer by clicking the Advanced button and then Find now.
    3. Click the Import API key button and paste the API key you received from Specops in the text field that comes up. Click OK. A green checkmark should appear in the API key column in the table.
      NOTE
      Paste only the actual API key in the text field, excluding any comments that may be present.
    4. Click Test cloud connection to test the connection.
      NOTE
      You will receive an error prompting you to enter a valid license key once installation is complete.

To enable Breached Password Protection validation using Breached Password Protection Complete for new passwords (password change/reset), you must configure Specops Password Policy GPOs for users to be affected.

Configuring Breached Password Protection Complete for Password Change

  1. Open the Password Policy Domain Administration tool.
  2. Select the Password policies menu.
  3. Access the policy for the GPO you want to alter (Edit).
  4. Click the Breached Password Protection tab, then select the Password Change menu.
  5. Check the Enable checking passwords via the Complete API checkbox.
  6. [Optional] Check the Force users to change compromised passwords checkbox.
    NOTE
    This will flag the user's account to require a password change the next time they log in.
    NOTE
    When the user's policy is set to "password never expires", and their password is found to be compromised, the password never expires flag will be cleared. The user will then be prompted to change their password at next log-in.
  7. [Optional] Check the Check passwords when being reset in addition to change checkbox.
    NOTE
    If this option is disabled, the Breached Password Protection Complete function will not be used when passwords are reset, only when they are changed.
    NOTE
    If your users have access to a self-service password reset system, this option should be set.
  8. [Optional] Enable the email and/or text message notification options. For more information on notifications, please visit the Notifications page.
  9. Click Apply.
  10. Click OK.

Configuring Breached Password Protection Complete for Continuous Scanning

NOTE
In order to enable Continuous Scanning, existing customers require a new license file. Contact licensing@specopssoft.com for more information.
  1. Open the Password Policy Domain Administration tool.
  2. Select the Password policies menu.
  3. Access the policy for the GPO you want to alter (Edit).
  4. Click the Breached Password Protection tab, then select the Continuous menu.
  5. In the Check for compromised passwords continuously dropdown, choose Using the online Complete API.
  6. [Optional] Check the Force users to change compromised passwords checkbox.
    NOTE
    This will flag the user's account to require a password change at next login.
  7. [Optional] Enable the email and/or text message notification options. For more information on notifications, please visit the Notifications page.
  8. Click Apply.
  9. Click OK.

Configuring Breached Password Protection Express (Express List)

If you are an administrator, you can download a list of leaked passwords and store them in your local environment. Whenever a user in your organization resets or changes their password, their newly chosen password will be checked against this list of leaked passwords. If the user’s chosen password is in the list of leaked passwords, they must choose a different one.

Breached Password Protection Express differs from Breached Password Protection Complete in the following ways:

  • Instant password validation: as the list of leaked passwords is stored locally, Breached Password Protection Express can immediately confirm if a user’s newly chosen password is acceptable or not. Users will get instant validation regardless of where they change their password, even if they have both versions of Breached Password Protection configured and enabled.
  • Notifications: you do not need to configure Breached Password Protection text message and email notifications for Breached Password Protection Express, because passwords are instantly validated.
  • Leaked password scanning: Breached Password Protection Express can scan the passwords of all users who are affected by the policy. The passwords will be compared with the downloaded Breached Password Protection Express list. Users with leaked passwords will be prompted to change their password at next logon.
  • Updates: the list of leaked passwords must be updated manually. If a new version of the list has been published, you must download it from the Password Policy Domain Administration tool.

Downloading the list of leaked passwords

You must download the list of leaked passwords to your local environment, so that your chosen Group Policy Object(s) can reference the list of leaked passwords.

NOTE
You only need to download the list once. Once downloaded, the list is stored in SYSVOL and applies domain-wide.

To download the Breached Password Protection list, follow these steps:

  1. Start the Password Policy Domain Administration tool.
  2. Navigate to the Breached Password Protection page.
  3. Click the Breached Password Protection Express (Express List) tab.
  4. If a new version of the list is available, click the Download latest version button.
  5. The Download Breached Password Protection window will open. During the download, the files are first downloaded to a temporary directory. By default, the current user’s “temp” directory is used to temporarily store the files before they are automatically transferred to a permanent location in SYSVOL. To select another temporary directory, click the Browse button.
  6. When the download has completed, the files are copied to the following location in SYSVOL: \\<yourdomain.com>\SYSVOL\<yourdomain>\Policies\SpecopsPassword\Dictionaries
  7. Click OK, and the files will start downloading. Depending on the size of the package, this may take some time.
  8. When the download has completed, you will see a message confirming that the list has successfully downloaded and is up to date. This message shows the version number of the package that has been downloaded, the date of the version’s publication, and the size of the package.

If the download succeeds, there is normally no need to validate the downloaded files. If, however, your organization wants to validate the integrity of the downloaded files, the Get-PasswordPolicyBppExpressList cmdlet can be used. It performs a checksum validation of all files in SYSVOL and compares them to the metadata file containing the expected checksums of the download. See the PowerShell cmdlets page for more information.
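The integrity check described above, as an added illustration rather than the Get-PasswordPolicyBppExpressList cmdlet or any Specops code: the page says the cmdlet compares every file in SYSVOL with a metadata file of expected checksums, but does not describe that file's format, so the JSON layout, the SHA-256 choice and the file names below are assumptions. The sample package is constructed in a temporary directory and deliberately includes one intact file, one file altered after the checksums were published, one file that never arrived (as after incomplete replication) and one stray file, so that each status the checker reports is exercised.

```python
"""Verify downloaded dictionary files against a checksum metadata file.

Added example, not Specops code. Metadata format (assumed):
    {"version": "...", "files": {"<filename>": "<sha256 hex>", ...}}
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB dictionaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dictionary_files(directory: Path, expected: dict) -> dict:
    """Return {filename: status} for every listed file and every stray file.

    Statuses:
      "ok"         content matches the published checksum
      "mismatch"   content differs (corruption, partial copy or tampering)
      "missing"    listed in the metadata but absent from the directory
      "unexpected" present in the directory but not part of the package
    """
    results = {}
    for name, want in expected.items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
            continue
        results[name] = "ok" if sha256_of_file(path) == want.lower() else "mismatch"
    for path in directory.iterdir():
        if path.is_file() and path.name not in expected:
            results[path.name] = "unexpected"
    return results


def load_metadata(path: Path) -> dict:
    with path.open("r", encoding="utf-8") as f:
        return json.load(f)["files"]


def build_sample_environment() -> tuple:
    """Constructed sample package (not real dictionary data).

    Returns (dictionary_directory, metadata_path). The metadata file lives
    beside the dictionary directory, not inside it, so it is not itself
    reported as an unexpected file.
    """
    root = Path(tempfile.mkdtemp(prefix="bpp-express-"))
    dictionaries = root / "Dictionaries"
    dictionaries.mkdir()
    intact = dictionaries / "part-0001.bin"
    altered = dictionaries / "part-0002.bin"
    intact.write_bytes(b"sample-hash-block-1\n" * 1000)
    altered.write_bytes(b"sample-hash-block-2\n" * 1000)
    metadata = {
        "version": "sample-1",
        "files": {
            intact.name: sha256_of_file(intact),
            altered.name: sha256_of_file(altered),
            "part-0003.bin": "0" * 64,  # listed, but never downloaded
        },
    }
    # Simulate a file changed after the checksums were taken.
    altered.write_bytes(b"tampered\n")
    # A file that is not part of the published package at all.
    (dictionaries / "notes.txt").write_text("not part of the package\n")
    meta_path = root / "metadata.json"
    meta_path.write_text(json.dumps(metadata))
    return dictionaries, meta_path


if __name__ == "__main__":
    directory, meta_path = build_sample_environment()
    for name, status in sorted(verify_dictionary_files(directory, load_metadata(meta_path)).items()):
        print(f"{status:10} {name}")
```

Any status other than "ok" for a listed file is a reason not to trust that copy of the list; in practice you would run the check on each domain controller after replication has completed, since a "missing" or "mismatch" result on one DC can simply mean SYSVOL replication has not finished there yet.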

Enabling Breached Password Protection Express

Once you have downloaded the Breached Password Protection list, you must enable Breached Password Protection Express, so that it applies to the relevant Group Policy Objects.

To do this, follow these steps:

  1. Open the Password Policy Domain Administration tool.
  2. Select the Password policies menu.
  3. Access the policy for the GPO you want to alter (Edit).
  4. Click the Breached Password Protection tab, then select the Password Change menu.
  5. Check the Prevent passwords from the local Express list checkbox.
    NOTE
    Notifications are not available for Breached Password Protection Express at Password Change since users will get immediate feedback when the password they are trying to change to has been compromised.
  6. Click Apply.
  7. Click OK.

Configuring Breached Password Protection Express for Continuous Scanning

  1. Open the Password Policy Domain Administration tool.
  2. Select the Password policies menu.
  3. Access the policy for the GPO you want to alter (Edit).
  4. Click the Breached Password Protection tab, then select the Continuous menu.
  5. In the Check for compromised passwords continuously dropdown, choose Using the local Express list.
  6. [Optional] Check the Force users to change compromised passwords checkbox.
    NOTE
    This will flag the user's account to require a password change at next login.
  7. [Optional] Enable the email notification options. For more information on notifications, please visit the Notifications page.
    NOTE
    Text message notifications are not available for Breached Password Protection Express.
  8. Click Apply.
  9. Click OK.

Updating Breached Password Protection Express

The list of leaked passwords will be updated at regular intervals. The update will then be published, so that it is available for download.

To check if a new version is available for download, follow these steps:

  1. Start the Password Policy Domain Administration tool.
  2. Navigate to the Breached Password Protection section.
  3. Click the Breached Password Protection Express (Express List) tab.

    If a new version of the list is available, you will see a notification saying: “There is an updated version of the list of leaked passwords ready for download”.

    You will also see a comparison between the current version you have stored locally and the online version that has been released.

  4. Click Download latest version and the changes will apply.

Configuring both Breached Password Protection Complete and Breached Password Protection Express

You can configure and enable Breached Password Protection Complete and Breached Password Protection Express at the same time, by selecting the Enable Breached Password Protection Complete and Enable Breached Password Protection Express checkboxes. If you have enabled both, and your users change their password, Breached Password Protection Express will verify if the password is in the list of leaked passwords that has been downloaded. If the password is found in the Express list stored in your local environment, the Breached Password Protection Express rule will prevent the user from changing to that password. If it is not found in the list that is stored locally, the password will be checked against the list found in Breached Password Protection Complete. If it is found in the online list, the user’s account will be flagged with a “must change password” notification and they will be required to change to a different one.

Frequently Asked Questions

Are passwords sent externally with Specops Breached Password Protection?

No. The Sentinel Password Filter generates a bcrypt hash of the user’s new password. Neither the password nor the bcrypt hash is exposed. The first few bytes of the bcrypt hash are used to query a set of matching hashes. The Breached Password Protection match takes place within the organization’s network.
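The division of labour described in this answer, as an added example that is not Specops code: the on-premises side hashes the candidate password, sends only a short prefix of the hash to the service, receives every stored hash sharing that prefix, and performs the actual comparison locally, so the service learns neither the password nor its full hash. The page states that Specops uses a bcrypt hash but does not describe how that hash is made comparable across installations, so this sketch uses SHA-256 as a stand-in for the hashing step and a 3-byte (6 hex character) prefix as an assumed value for "the first few bytes"; the breached list is constructed sample data.

```python
"""Prefix-query pattern for breached-password lookups (added illustration).

Not Specops code. SHA-256 stands in for the page's bcrypt step, and the
prefix length is an assumption; the point shown is which side learns what.
"""
import hashlib
from collections import defaultdict

PREFIX_HEX_CHARS = 6  # "first few bytes": 3 bytes = 6 hex characters (assumed)


def digest(password: str) -> str:
    """Stand-in for the page's bcrypt step; hex so prefixes are easy to slice."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class BreachedListService:
    """The cloud side: holds the breached list indexed by hash prefix."""

    def __init__(self, breached_passwords):
        self._buckets = defaultdict(set)
        for pw in breached_passwords:
            h = digest(pw)
            self._buckets[h[:PREFIX_HEX_CHARS]].add(h)
        # Everything the service ever receives from clients is recorded here,
        # so the example can show it only ever sees prefixes.
        self.queries_seen = []

    def lookup_prefix(self, prefix: str) -> frozenset:
        if len(prefix) != PREFIX_HEX_CHARS:
            raise ValueError("only a hash prefix may be sent to the service")
        self.queries_seen.append(prefix)
        return frozenset(self._buckets.get(prefix, ()))


def is_breached(service: BreachedListService, new_password: str) -> bool:
    """The on-premises side: hash locally, send the prefix, match locally."""
    full_hash = digest(new_password)
    candidates = service.lookup_prefix(full_hash[:PREFIX_HEX_CHARS])
    # The decision is made here, inside the organisation's network; the
    # service cannot tell which (if any) candidate the client matched.
    return full_hash in candidates


def service_saw_full_hash(service: BreachedListService, password: str) -> bool:
    """True only if the full hash of `password` ever reached the service."""
    return digest(password) in service.queries_seen


if __name__ == "__main__":
    # Constructed sample list; real lists hold billions of entries.
    svc = BreachedListService(["Password123", "Summer2024!", "qwerty"])
    for candidate in ["Password123", "correct horse battery staple"]:
        print(f"{candidate!r}: breached={is_breached(svc, candidate)}")
    print("prefixes the service received:", svc.queries_seen)
```

With a real list of billions of hashes, a 3-byte prefix still returns a bucket of hundreds of candidates, which is what keeps the prefix from identifying the password on its own; a longer prefix shrinks the bucket (less traffic) at the cost of narrowing what the service can infer, which is the trade-off such prefix queries always carry.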

What are the benefits of multiple Arbiters? How does the DC (handling the password change) select an Arbiter?

Having more than one Arbiter adds redundancy, in case an Arbiter is temporarily down. Additional Arbiters do not affect performance. The number of concurrent password changes, for an organization with many DCs, should not cause latency issues.

If there are multiple Arbiters, the Breached Password Protection Service will use round robin during selection.

How does the Breached Password Protection Cloud API handle mobile numbers and email addresses when sending SMS and email notifications to users?

The Breached Password Protection Cloud API uses SendGrid for email notifications and Twilio for SMS notifications. Email and SMS notification requests from the Arbiter to the Breached Password Protection Cloud API are encrypted with TLS. The customer ID and message timestamp are stored in Graylog. Neither the password nor the hash is revealed in the user notification.

Are there advantages to using Breached Password Protection Complete in conjunction with Breached Password Protection Express?

Yes. Since checks are performed at different times, it is beneficial to run both. Please see also the Breached Password Protection checks explained section on this page.