I want to share my experience about a product called safepass.me
Some months ago I was searching a product which prohibits users to use “unsafe” passwords when changing their password. In simple words: “a password filter”
I found some self-made solutions which could be adopted, but they rely on a huge database, additional infrastructure or others require a direct connection to the internet (see Links).
As the solution must run on every Domain Controller the non-commercial solutions, the ones using additional infrastructure and the products require an internet connection did not made the race.
Finally, I found safepass.me, which uses a special technology to keep the amount of data (denied passwords list) small and no data is sent to the Internet. The “denied password list” is stored locally on every “Domain Controller”.
Unsafe passwords are passwords which can be cracked easily because of its lenghts and complexity or they are just known passwords.
At first glance, the following passwords look quite safe. They are complex, have at least 8 characters, so they should be safe. But… no, they aren’t!
Check passwords above or your own password on Have I been Pwed to see how safe it is:
How safepass.me works
When a user changes his password, the safepass.me application on each Domain Controller checks the new password against known passwords in the local database and blocks all compromised passwords. The local database is an improved (reduced size) version of HaveIBeenPwned.
- Download the current version from http://safepass.me/download
- Install the application on every Domain Controller.
- Save license file on each Domain Controller under C:\Windows\System32\safepassme\safepassme.lic