Active Directory password filter

I want to share my experience about a product called

Some months ago I was searching a product which prohibits users to use “unsafe” passwords when changing their password. In simple words: “a password filter”

I found some self-made solutions which could be adopted, but they rely on a huge database, additional infrastructure or others require a direct connection to the internet (see Links).
As the solution must run on every Domain Controller the non-commercial solutions, the ones using additional infrastructure and the products require an internet connection did not made the race.

Finally, I found, which uses a special technology to keep the amount of data (denied passwords list) small and no data is sent to the Internet. The “denied password list” is stored locally on every “Domain Controller”.

Insecure password

Unsafe passwords are passwords which can be cracked easily because of its lenghts and complexity or they are just known passwords.

At first glance, the following passwords look quite safe. They are complex, have at least 8 characters, so they should be safe. But… no, they aren’t!

  • Passwort2
  • Herbst18
  • Abc@12345
  • Winter17
  • Albert123
  • P@ssw0rd!
  • Winter18
  • 123qweASD
  • Aaa123456
  • July2018
  • Monkey123
  • Welcome11

Check passwords above or your own password on Have I been Pwed to see how safe it is:

How works

When a user changes his password, the application on each Domain Controller checks the new password against known passwords in the local database and blocks all compromised passwords. The local database is an improved (reduced size) version of HaveIBeenPwned.


  • Download the current version from
  • Install the application on every Domain Controller.
  • Save license file on each Domain Controller under C:\Windows\System32\safepassme\safepassme.lic
  • Done


Leave a Reply

Notify of
We use cookies to improve the user-friendliness and stats of the website. Through your visit, you agree with that.