Specops Breached Password Protection

Specops Password Policy (version 7.0 and later) is compatible with Specops Breached Password Protection. The Breached Password Protection list is a list of compromised and leaked passwords. If you are an administrator, you can prevent users from using passwords that are in this list. The list of over two billion compromised passwords is curated by Specops Software and is a combination of thousands of different sources of compromised passwords, including ones used in real attacks today or are on known breached password lists like HaveIBeenPwned, making it easy to comply with industry regulations such as NIST or NCSC. Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now.

You can configure Breached Password Protection with the following settings:

Breached Password Protection Complete:

  • Contains the master list of leaked passwords, stored in the cloud, so it is always up to date.
    NOTE
    This is not zero-day protection as the leaked password list will need to be added to the database in our recognized format.
  • If a user changes their password to one that is in the leaked list of passwords, Breached Password Protection Complete notifies the user by email or SMS. Their account is also flagged, forcing the user to change their password the next time they sign in.
  • Requires more infrastructure in Active Directory, includes installing the Specops Arbiter and downloading an API key. This requires an additional server, on which you install the Specops Arbiter, that will communicate with the Breached Password Protection Cloud API. Please note, you must run .Net 4.7.1 and Windows Server 2012 R2 or later.

Breached Password Protection Express:

  • Uses a subset of the list of leaked passwords that’s normally updated every 3-4 months.
  • The list is downloaded to Active Directory (will affect replication between Domain Controllers).
  • Administrators must manually check if there are updates to the list of leaked passwords, and then download the updated list.
  • Immediately stops a user from changing to a leaked password.
  • Continuously checks for compromised passwords.

Breached Password Protection checks explained

There are three main differences between Breached Password Protection Express and Breached Password Protection Complete:

  • The size of the database:Breached Password Protection Complete has a much larger set of compromised passwords.
  • The quality of the database:Breached Password Protection Complete is updated continuously, while Breached Password Protection Express is updated every 3 or 4 months.
  • The point at which the check is performed:
    • Breached Password Protection Express performs checks at password change, as well as continuous (eg. nightly) checks.
    • Breached Password Protection Complete performs its check immediately after password change.

Breached Password Protection Complete flow example

The following is an example of how the Breached Password Protection Complete check is performed.

  1. The user changes their password.
  2. If the new passsword complies with all other password policy rules, the new password is submitted (the user can use their new password).
  3. The password is checked against the Breached Password Protection Complete database.
  4. If the password is found to be compromised, the user's account is flagged, and they need to change their password at next logon.
  5. The password is not checked against the Breached Password Protection Complete database until the next password change.

Breached Password Protection Express flow example

The following is an example of how the Breached Password Protection Express check is performed.

  1. The user changes their password.
  2. The new password is checked against the Breached Password Protection Express database at password change.
  3. If the password is found to be compromised, the user will not be allowed to submit the change. If not, the new password is submitted.
  4. Breached Password Protection Express checks the password against the database continuously (e.g. nightly).
  5. If the password is found to be compromised in subsequent checks (provided the Breached Password Protection Express database has been updated in the meantime), the user's account will be flagged and they need to change their password at next logon.

Using Breached Password Protection Express together with Breached Password Protection Complete

Since Breached Password Protection Express and Breached Password Protection Complete perform their checks at different times, there are instances where it is beneficial to combine the two services. Consider, for example, the following scenario:

  1. The user changes to a new password that is present neither in the Breached Password Protection Express database, nor the Breached Password Protection Complete database, and is therefore permitted to change their password.
  2. In subsequent weeks/months, the new password is found to be compromised and is added to both Breached Password Protection Express and Breached Password Protection Complete.

If only Breached Password Protection Complete is used, the user's password will not be checked until the next password change. If, on the other hand, Breached Password Protection Express is also used, the user's account will be flagged, and will be forced to change their password at next logon.

Requirements

Component Requirements
Specops Password Policy Sentinel
  • Windows Server 2012 R2 or later
  • .Net Framework 4.7.1 or later
  • Writable domain controller
Specops Arbiter
  • .NET 4.7.1 or later
  • Windows Server 2012 R2 or later
Breached Password Protection Express Updates Disk space
Dictionaries for Specops Password Breached Password Protection Express are downloaded and stored in sysvol, replicated to every domain controller.
  • 13 GB free space in sysvol on each domain controller.
  • Temporary: Additional 13 GB on the admin computer where the dictionaries are downloaded.

Components

Specops Password Policy with Breached Password Protection consists of the following components.

Specops Password Policy Sentinel

The Specops Password Policy Sentinel is an installation package that must be installed on all writable domain controllers in a domain.

The Specops Sentinel consists of the Sentinel Password Filter, and the Sentinel Service.

Sentinel Password Filter

The Sentinel Password Filter is a Windows Password Filter that verifies whether a new password matches the Specops Password Policy settings assigned to the user.

When validation with Specops Breached Password Protection is configured, the Sentinel Password Filter writes a Breached Password Protection validation request file for each new password (password change/reset), as configured in the Specops Password Policy GPO settings.

Sentinel Service

The Sentinel Service (Windows Service) is a component of Specops Password Policy. The Sentinel Service is always installed as part of the Specops Password Policy Sentinel, but effective only if Breached Password Protection validation is configured.

The Sentinel Service takes the Breached Password Protection validation requests from the queue folder, and passes them to the Breached Password Protection Arbiter, which will determine whether the password is allowed or has been breached. Depending on the Specops Password Policy GPO settings, the Breached Password Protection Service may enforce User must change password at next logon for breached passwords.

The Sentinel Service runs as local system and, by default, is allowed to set User must change password at next logon on affected users.

Installation requirements: .NET 3.5 SP1 or later

Breached Password Protection Arbiter

The Breached Password Protection Arbiter is a component of Specops Password Policy, and should be installed on a server with an internet connection. A single Arbiter is sufficient for most organizations. If your organization requires redundancy, additional Arbiters are recommended.

The Breached Password Protection Arbiter acts as a gateway between the Breached Password Protection Service and the Specops Breached Password Protection Cloud API, where the list of leaked passwords is found. The Breached Password Protection Arbiter uses an API key to communicate with the Breached Password Protection Cloud API.

The Arbiter runs as network service and, by default, has read-only access to Active Directory. By reading the Specops Password Policy settings, the Arbiter can determine the actions required if a password hash is found in the Breached Password Protection list.

To use Breached Password Protection validation, at least one Arbiter must be installed in the domain. Organizations using Specops Password Policy without Breached Password Protection validation do not need to install the Arbiter.

Installation requirements: .NET 4.7.1 or later

NOTE
The Breached Password Protection Express settings do not require the Password Breached Password Protection Arbiter component.

Breached Password Protection Cloud API

The Breached Password Protection Cloud API, hosted by Specops in the cloud, is a component of Specops Password Policy.

The Breached Password Protection Cloud API hosts an extensive list of leaked passwords.

NOTE
The Breached Password Protection Express settings do not require the Breached Password Protection Arbiter component.

Configuring Breached Password Protection Complete (Complete API)

To configure Breached Password Protection Complete, you will need to:

  • Install Specops Password Policy Sentinel on all domain controllers. The same version must be installed on all domain controllers. [Instructions]
    NOTE
    Specops Password Policy customers running version 6.8.18106.1 or earlier will require a new license key.
  • Install one (or more) Arbiters in the domain(s) [Instructions]
  • Register the Arbiter(s) in Specops Password Policy Domain Administration tool, and add the API key you received from a Specops Product Specialist:
    1. From the Domain Administration tool, select Breached Password Protection, and click Register new Arbiter.
    2. Select, or type the name of your Arbiter computer, and click OK. The Arbiter computer is now added to the table containing all Specops Password Arbiters.
      NOTE
      You can also search for your Arbiter computer by clicking the Advanced button and then Find now.
    3. Click the Import API key button and paste the API key you received from Specops in the text field that comes up. Click OK. A green checkmark should appear in the API key column in the table.
      NOTE
      Paste only the actual API key in the text field, excluding any comments that may be present.
    4. Click Test cloud connection to test the connection.
      5. NOTE
      You will receive an error prompting you to enter a valid license key once installation is complete.

To enable Breached Password Protection validation using Breached Password Protection Complete for new passwords (password change/reset), you must configure Specops Password Policy GPOs for users to be affected.

  1. Open the Password Policy Domain Administration tool.
  2. Select the Password policies menu.
  3. Click the Breached Password Protection tab, then select the Complete API menu.
  4. In the Breached Password Protection Complete API section, select the Enable Breached Password Protection Complete (Complete API) checkbox.
  5. Specify when you want Breached Password Protection validation to take place. You can choose from the following options:
    • Enable Breach Protection when passwords are reset: A user’s password will be checked against the list of leaked passwords whenever they reset it.
    • Require that users with leaked passwords change them at next login: when a user's password is found to be leaked, their account will be flagged to require a password change the next time the user logs in.
      NOTE
      When the user's policy is set to "password never expires", and their password is found to be compromised, the password never expires flag will be cleared. The user will then be prompted to change their password at next log-in.
  6. Select the Send emails to users with breached passwords checkbox. In the Breached Password Protection Complete email notification section, you can configure an email notification that will be sent to a user if their newly chosen password is in the list of leaked passwords.

    For more information on email notifications, please visit the Notifications page.

  7. In the Breached Password Protection Complete text message notification section, you can configure a text message notification that will be sent to a user if their newly chosen password is in the list of leaked passwords.

    For more information on text message notifications, please visit the Notifications page.

  8. Click Apply.
  9. Click OK.

Configure Breached Password Protection Express (Express List)

If you are an administrator, you can download a list of leaked passwords and store them in your local environment. Whenever a user in your organization resets or changes their password, their newly chosen password will be checked against this list of leaked passwords. If the user’s chosen password is in the list of leaked passwords, they must choose a different one.

Breached Password Protection Express differs from Breached Password Protection Complete in the following ways:

  • Instant password validation: as the list of leaked passwords is stored locally, Breached Password Protection Express can immediately confirm if a user’s newly chosen password is acceptable or not. Users will get instant validation regardless of where they change their password, even if they have both versions of Breached Password Protection configured and enabled.
  • Notifications: you do not need to configure Breached Password Protection text message and email notifications for Breached Password Protection Express, because passwords are instantly validated.
  • Leaked password scanning: Breached Password Protection Express can scan the passwords of all users who are affected by the policy. The passwords will be compared with the downloaded Breached Password Protection Express list. Users with leaked passwords will be prompted to change their password at next logon.
  • Updates: the list of leaked passwords must be updated manually. If a new version of the list has been published, you must download it from the Password Policy Domain Administration tool.

Downloading the list of leaked passwords

You must download the list of leaked passwords to your local environment, so that your chosen Group Policy Object(s) can reference the list of leaked passwords.

NOTE
You only need to download the list once. Once downloaded, the list will be stored in SYSVOL. The list is downloaded and applies on a domain-wide level.

To download the Breached Password Protection list, follow these steps:

  1. Start the Password Policy Domain Administration tool.
  2. Navigate to the Breached Password Protection page.
  3. Click the Breached Password Protection Express (Express List) tab.
  4. If a new version of the list is available, click the Download latest version button.
  5. The Download Breached Password Protection window will open. During the download, the files are first downloaded to a temporary directory. By default, the current user’s “temp” directory is used to temporarily store the files before they are automatically transferred to a permanent location in SYSVOL. To select another temporary directory, click the Browse button.
  6. When the download has completed, the files are copied to the following location in SYSVOL: \\<yourdomain.com>\SYSVOL\<yourdomain>\Policies\SpecopsPassword\Dictionaries
  7. Click OK, and the files will start downloading. Depending on the size of the package, this may take some time.
  8. When the download has completed, you will see a message confirming that the list has successfully downloaded and is up to date. This message shows the version number of the package that has been downloaded, the date of the version’s publication, and the size of the package.

Enabling Breached Password Protection Express

Once you have downloaded the Breached Password Protection list, you must enable Breached Password Protection Express, so that it applies to the relevant Group Policy Objects.

To do this, follow these steps:

  1. Open the Password Policy Domain Administration tool.
  2. Access the policy you want to enable Breached Password Protection Express for (from the Password Policies menu)
  3. In the Specops Password Policy admin tool, click the Breached Password Protection tab, then select Express List.
  4. Select the Prevent users from changing to a leaked password checkbox.
    NOTE
    By default, all options will be checked. If you only select the Enable Breached Password Protection Express checkbox, all configuration options relating to Breached Password Protection Complete such as: Breached Password Protection Complete email notification, and Breached Password Protection Complete text message notification will be grayed out and disabled. This is because users will be warned of compromised passwords immediately while changing their passwords. No notifications are necessary when not performing daily scans.
    Additional settings:
    • Check for leaked passwords daily: passwords will be checked daily against the local breached password list.
    • Require that users with breached passwords change them: passwords will be expired if they are found to be breached during the daily breach check.
      NOTE
      When the user's policy is set to "password never expires", and their password is found to be compromised, the password never expires flag will be cleared. The user will then be prompted to change their password at next log-in.
  5. Click Apply.
  6. Click OK.

Updating Breached Password Protection Express

The list of leaked passwords will be updated at regular intervals. The update will then be published, so that it is available for download.

To check if a new version is available for download, follow these steps:

  1. Start the Password Policy Domain Admin tool.
  2. Navigate to the Breached Password Protection section.
  3. Click the Breached Password Protection Express (Express List) tab.

    If a new version of the list is available, you will see a notification saying: “There is an updated version of the list of leaked passwords ready for download”.

    You will also see a comparison between the current version you have stored locally and the online version that has been released.

  4. Click Download latest version and the changes will apply.

Configure both Breached Password Protection Complete and Breached Password Protection Express

You can configure and enable Breached Password Protection Complete and Breached Password Protection Express at the same time, by selecting the Enable Breached Password Protection Complete and Enable Breached Password Protection Express checkboxes. If you have enabled both, and your users change their password, Breached Password Protection Express will verify if the password is in the list of leaked passwords that has been downloaded. If the password is found in the Express list stored in your local environment, the Breached Password Protection Express rule will prevent the user from changing to that password. If it is not found in the list that is stored locally, the password will be checked against the list found in Breached Password Protection Complete. If it is found in the online list, the user’s account will be flagged with a “must change password” notification and they will be required to change to a different one.

Frequently Asked Questions

Are passwords sent externally with Specops Breached Password Protection?

No. The Sentinel Password Filter generates a bcrypt hash of the user’s new password. Neither the password nor the bcrypt hash is exposed. The first few bytes of the bcrypt hash are used to query a set of matching hashes. The Breached Password Protection match takes place on the domain controller, within the organization’s network.

What are the benefits of multiple Arbiters? How does the DC (handling the password change) select an Arbiter?

Having more than one Arbiter adds redundancy, in case an Arbiter is temporarily down. Additional Arbiters do not affect performance. The number of concurrent password changes, for an organization with many DCs, should not cause latency issues.

If there are multiple Arbiters, the Breached Password Protection Service will use round robin during selection.

How does the Breached Password Protection Cloud API handle mobile numbers and email addresses when sending SMS and email notifications to users?

Breached Password Protection Cloud API uses SendGrid for emails notifications, and Twilio for SMS notifications. Emails and SMS notifications requests from the Arbiter to the Breached Password Protection Cloud API are encrypted with TLS. The customer ID and message timestamp are stored in Graylog. Neither the password nor the hash is revealed in the user notification.

Are there advantages to using Breached Password Protection Complete in conjunction with Breached Password Protection Express?

Yes. Since checks are performed at different times, it is beneficial to run both. Please see also the Breached Password Protection checks explained section on this page.