JacksonVD / PwnedPasswordsDLL

Open source solution to check prospective AD passwords against previously breached passwords
https://jacksonvd.com/

feature request: complexity flag? #3

Open dlehman83 opened 5 years ago

dlehman83 commented 5 years ago

Is it possible for the dll to look at whether the user's password must meet complexity requirements? I thought I had read that this dll didn't apply if complexity was not required, but I've looked at so many recently I may be mixing them up.

I have a set of generic accounts that are used internally restricted to log on to only a few PCs. They have a fine grained password policy applied to allow simple passwords. I've found these simple passwords are on the pwned list.
One solution would be to edit the pwned passwords list, but I don't want regular users to use them.
Is it possible to only enforce pwned passwords if complexity is required?

Thanks

JacksonVD commented 5 years ago

Hi again,

I thought it was the case that the "passwords must meet complexity requirements" setting had to be enabled, but it doesn't appear to actually make an impact. I'm not sure if this is possible - it's possible to look at whether or not password complexity is enforced via SAM (i.e. for the whole domain) by calling functions exported from the SAM DLL. However, this doesn't work for fine-grained password policies based on OUs.

It's possible to get the resultant password policy via PowerShell, but combining this with C++ might make password reset attempts quite slow. I'm also unsure if the DLL could run the required PowerShell command, as I think it needs to authenticate with a user account.

In any case, I'll do some more research, and will update you if I find anything.
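As an added example (not part of PwnedPasswordsDLL), the resultant-policy lookup mentioned above can be done out of band from the DLL: the script below resolves each user's effective password policy (fine-grained PSO or the default domain policy) and reports which accounts would be exempt from the breached-password check if enforcement were tied to the complexity flag. It assumes the ActiveDirectory RSAT module is installed and that the caller can read password-settings objects; the function name `Get-EffectiveComplexityRequirement` is the example's own.

```powershell
# Added example, not the project's code. Requires the ActiveDirectory module
# (RSAT) and read access to the domain's password-settings container.
Import-Module ActiveDirectory

function Get-EffectiveComplexityRequirement {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # A fine-grained password policy (PSO) applied to the user or one of the
    # user's groups takes precedence over the default domain policy. The cmdlet
    # returns nothing when no PSO applies, so fall back to the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($policy) {
        $source     = 'FineGrainedPolicy'
        $policyName = $policy.Name
    } else {
        $policy     = Get-ADDefaultDomainPasswordPolicy
        $source     = 'DefaultDomainPolicy'
        $policyName = 'Default Domain Policy'
    }

    $complexity = [bool]$policy.ComplexityEnabled
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        PolicySource      = $source
        PolicyName        = $policyName
        ComplexityEnabled = $complexity
        # The rule requested in this issue: enforce the breached-password
        # check only when the effective policy requires complexity.
        EnforcePwnedCheck = $complexity
    }
}

# Audit: list enabled accounts that would be exempt under that rule, so the
# exemption set can be reviewed before anything is relaxed.
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-EffectiveComplexityRequirement -SamAccountName $_.SamAccountName } |
    Where-Object { -not $_.EnforcePwnedCheck } |
    Sort-Object PolicyName, SamAccountName |
    Format-Table SamAccountName, PolicySource, PolicyName, ComplexityEnabled -AutoSize
```

Because a password filter DLL runs inside LSASS on the domain controller, this lookup is meant for auditing which accounts a complexity-gated policy would exempt, not for calling from the filter itself during a password change.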