lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

Problems with normalization #119

Closed Boeing737-8 closed 9 months ago

Boeing737-8 commented 9 months ago

Hi! We have a 2019 DC.

We added the banned word 'aA123456' to the list with add-bannedword and enabled normalization for banned words in the group policy.

If we run test-isbannedword '@ A123456' we get false. If the @ is not used at the beginning of the word, the normalization works as expected and returns true.

We also tried to use normalization for compromised passwords, but that does not work at all (it only filters compromised passwords).

ryannewington commented 9 months ago

Hi @Boeing737-8

When words are added to the banned word store, they are normalized first. So aA123456 will get saved as aa.

You can see the normalization algorithm here which may help better understand what is going on. https://docs.lithnet.io/password-protection/advanced-help/normalization-rules

Leading symbols and numbers are stripped first, and only then are character substitutions performed. So your @ symbol in the second example is being stripped off, as well as the trailing numbers, leaving only a as the banned word being checked.

I hope that helps explain what is going on there.
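
To make the ordering concrete, here is an added Python model of the normalization sequence as described in the reply above (lowercase, strip leading and trailing symbols and digits, only then apply character substitutions). This is example code written for this thread, not the project's own implementation: the substitution table, the in-memory `BannedWordStore` class and the `normalize`, `reproduce_issue` and `show_ordering_effect` functions are all assumptions made for illustration, and the sample words other than the thread's `aA123456` / `@A123456` are constructed.

```python
import string

# Assumed, illustrative substitution table. The project's real table is on the
# normalization-rules page linked above and may differ from this one.
SUBSTITUTIONS = {
    "@": "a", "$": "s", "!": "i", "|": "l",
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
}

# Characters removed from the start and end of a word before substitution.
_STRIP_CHARS = string.digits + string.punctuation + string.whitespace


def normalize(word: str) -> str:
    """Normalize in the order the thread describes:
    lowercase -> strip leading/trailing symbols and digits -> substitute."""
    w = word.lower()
    w = w.strip(_STRIP_CHARS)  # leading/trailing symbols and numbers go first
    # Substitutions are applied only to what survived the strip.
    return "".join(SUBSTITUTIONS.get(c, c) for c in w)


class BannedWordStore:
    """Toy stand-in for the banned-word store (assumed for this example)."""

    def __init__(self):
        self._words = set()

    def add(self, word: str) -> None:
        # Like Add-BannedWord: the word is normalized before it is stored.
        self._words.add(normalize(word))

    def is_banned(self, candidate: str) -> bool:
        # Like Test-IsBannedWord with normalization enabled for banned words.
        return normalize(candidate) in self._words


def reproduce_issue() -> dict:
    """Replay the thread's values: 'aA123456' is stored as 'aa', and a
    candidate with a leading '@' strips down to 'a', so it does not match."""
    store = BannedWordStore()
    store.add("aA123456")
    return {
        "stored": normalize("aA123456"),        # "aa"
        "leading_at": store.is_banned("@A123456"),  # False: "@" is gone before "@"->"a"
    }


def show_ordering_effect() -> dict:
    """Constructed example of the same ordering on a dictionary word."""
    store = BannedWordStore()
    store.add("Admin")  # stored as "admin"
    return {
        # interior substitution: "adm1n2024" -> "adm1n" -> "admin" -> match
        "interior_subst": store.is_banned("adm1n2024"),
        # leading substitution: "4dmin2024" -> "dmin" -> no match
        "leading_subst": store.is_banned("4dmin2024"),
    }


if __name__ == "__main__":
    print(reproduce_issue())
    print(show_ordering_effect())
```

The practical consequence for administrators is that a substitution character at the very start or end of a word is never translated back, because the strip step has already removed it; a banned word therefore only catches leet-style variants where the substituted characters sit inside the word. If that matters for a particular entry, add the variant (for example both `admin` and `4dmin`) to the banned-word list explicitly.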

stale[bot] commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.