Summary: <p>Today's episode is a follow-up to <a href="https://7ms.us/7ms-304-integrating-pwned-passwords-with-active-directory/" rel="nofollow noreferrer noopener" target="_blank">#304</a> where we talked about how you can integrate over 500 million weak/breached/leaked passwords form Troy Hunt's <a href="https://www.troyhunt.com/pwned-passwords-v3-is-now-live/" rel="nofollow noreferrer noopener" target="_blank">Pwned Passwords</a> into your <a href="https://jacksonvd.com/checking-for-breached-passwords-in-active-directory/" rel="nofollow noreferrer noopener" target="_blank">Active Directory</a>. </p> <p>To get started with this in your environment, grab Troy's updated passwords list <a href="https://haveibeenpwned.com/passwords" rel="nofollow noreferrer noopener" target="_blank">here</a>, and then you can check out my <a href="http://bpatty.rocks/#!blue_team/pwnedpasswords.md" rel="nofollow noreferrer noopener" target="_blank">BPATTY site</a> for step-by-step implementation instructions.</p> <p>The big "gotchas" I discuss in today's episode are:</p> <ul> <li> <p>If users update their password to something on the Pwned Passwords list, they'll see the generic "Your password didn't meet policy requirements" message. In other words, the message they'll see is no different than when they pick a password that doesn't meet the default domain policy. So be careful! I'd recommend training the users ahead of pulling the trigger on Pwned Passwords.</p> </li> <li> <p>If you want to take, for example, just the top 100 words off of Troy's list and start your implementation off with a small list with: </p> </li> </ul><pre><code>Get-Content ".\pwnedpasswords.txt" | select -First 100</code></pre> <ul> <li>As it relates to "hard coding" a machine to point to a specific domain controller, <a href="https://www.technipages.com/windows-how-to-switch-domain-controller" rel="nofollow noreferrer noopener" target="_blank">this site</a> has the technique I used. Is there a better way?</li> </ul>
