7MS #325: Integrating Pwned Passwords with Active Directory - Part 2
Today's episode is a follow-up to #304 where we talked about how you can integrate over 500 million weak/breached/leaked passwords form Troy Hunt's Pwned Passwords into your Active Directory.
To get started with this in your environment, grab Troy's updated passwords list here, and then you can check out my BPATTY site for step-by-step implementation instructions.
The big "gotchas" I discuss in today's episode are:
-
If users update their password to something on the Pwned Passwords list, they'll see the generic "Your password didn't meet policy requirements" message. In other words, the message they'll see is no different than when they pick a password that doesn't meet the default domain policy. So be careful! I'd recommend training the users ahead of pulling the trigger on Pwned Passwords.
-
If you want to take, for example, just the top 100 words off of Troy's list and start your implementation off with a small list with:
Get-Content ".\pwnedpasswords.txt" | select -First 100
- As it relates to "hard coding" a machine to point to a specific domain controller, this site has the technique I used. Is there a better way?