password_pwncheck v1.1.2 releases: Kerberos/Windows AD/Linux PAM password change check against breached lists
Enterprise Password Quality Checking using any hash data sources (HaveIBeenPwned lists, et al)
The purpose of this project is to help companies maintain a stronger password policy without having to jump through too many hoops. Currently, we support NIST 800-63B features such as testing the password against a long minimum length (default of 15), not matching previous passwords (or similar entries), and most important- the password can’t belong to a breach list.
The project consists of two parts:
- A password server – This is currently a fairly simple and easy to extend python script that contains all the logic for testing passwords.
- A password plugin client – There is work in the pipe for a Windows Password Filter DLL, a Kerberos module, and a PAM module. This should satisfy most modern enterprise extensible password management solutions. If you find this doesn’t support you than feel free to code and request a pull into the main project.
- Fixed Kerberos url encoding issue- previously we had no or poor url encoding of Kerberos requests. Now we properly escape characters.
- Built a better test harness for debug testing
- MAKE SURE NOT TO USE DEBUG VERSION PRODUCTIONALLY!!!
git clone https://github.com/CboeSecurity/password_pwncheck.git
- The password server needs to have downloaded password hash lists provided to it. These should sit in the
./dbfolder. A great place to start for your breached passwords is [https://haveibeenpwned.com/Passwords], Thanks to Troy Hunt for all his efforts (he is in large part the inspiration behind this project).
- Also, make sure you have a valid key/certificate chain. These two files should have their paths matched with the
- The code is written in python 2.7. You should be able to run it via
AD Password filter DLL
- From a Dev Studio command line, run
resbuilder.batfrom its directory in the ad-password-pwncheck project
- Build the solution, specifically the
- Copy the resulting ad_password_pwncheck.dll into the
%windir%\system32folder on all domain controllers in the domain.
wevtutil im Resources.man /rf:"%windir%\system32\ad_password_pwncheck.dll" /mf:"%windir%\system32\ad_password_pwncheck.dll"to properly register windows event logs
- Run the included registry file to enable registry settings
Kerberos filter DLL
- Run the
./build.shtoo, make sure openssl-devel and curl-devel modules are loaded in your SLES/RedHat/Debian derived distribution.
- Copy the
/lib/security/krb_password_pwncheck.solibrary to the Kerberos plugins/pwqual folder.
- Configure the krb5.conf to have the correct path:
Copyright (c) 2018 Cboe Global Markets Security / Jan Grzymala-Busse