Lithnet Password Protection for AD
Request a quote for supportDownloads
v1.1
v1.1
  • Home
    • About Lithnet Password Protection
  • Setup
    • Getting started
    • Downloads
    • Setup requirements
    • Installation
    • Creating a new store
    • Load compromised passwords into the store
    • Configure group policy
    • Testing the password filter
  • Auditing
    • Audit existing passwords
  • Help & Support
    • Testing the password filter
    • Troubleshooting steps
    • Frequently asked questions
    • Getting support
    • Change log
  • Advanced Help
    • Powershell reference
      • Add-BannedWord
      • Add-CompromisedPassword
      • Get-PasswordFilterConfig
      • Get-PasswordFilterPolicy
      • Get-PasswordFilterResult
      • Import-BannedWordHashes
      • Import-BannedWords
      • Import-CompromisedPasswordHashes
      • Import-CompromisedPasswords
      • Open-Store
      • Remove-BannedWord
      • Remove-CompromisedPassword
      • Set-PasswordFilterConfig
      • Sync-HashesFromHibp
      • Test-IsADUserPasswordCompromised
      • Test-IsBannedWord
      • Test-IsCompromisedPassword
    • Normalization Rules
    • Event logging and reporting
    • Configuring a length based complexity policy
    • Configuring a points based complexity policy
    • Understanding the store
Powered by GitBook
On this page
  • Compromised password store
  • Banned word store
  1. Advanced Help

Understanding the store

PreviousConfiguring a points based complexity policy

Last updated 2 years ago

Lithnet Password Protection can (optionally) test incoming passwords against a compromised password store, as well as a banned word store. The stores are a collection of files that represent a database containing the NTLM hashes. The stores are kept locally, and therefore the filter does not require any internet access to perform compromised password checking.

The stores are created and maintained using .

Compromised password store

The compromised password store contains the NTLM hashes of exact passwords that you want to prevent your users from using. The most common usage of this store, is to populate it with hashes from the compromised password lists (see the PowerShell cmdlet for more details). However, you can also add hashes from other online sources or your own list of bad passwords.

You can add passwords to the store using the , and cmdlets.

Banned word store

While the breach password store provides an effective way of making sure known compromised passwords are not used, it doesn't protect against bad passwords that have not yet been compromised. For example, a very common password is WinterXXXX where XXXX is the year the user set the password. While Winter2018 may be in the compromised password store, Winter2020 may not be, until it's detected in password breach. The banned word store allow you to specify words that a password should never be based on. It does this by applying against the incoming password, and then looking for a match in the banned word store. By applying the normalization rules against Winter2020, it would be converted to winter, which would then be checked against the store.

Another common pattern that users employ when selecting passwords, is to base it on the company name. If you were to add lithnet to the banned word store, you could prevent the usage of passwords based on that such as L!thnet, Lithnet123, etc.

You can add passwords to the store using the , and cmdlets.

PowerShell
haveibeenpwned.com
Sync-HashesFromHibp
Add‐CompromisedPassword
Import‐CompromisedPasswords
Import‐CompromisedPasswordHashes
normalization rules
Add‐BannedWord
Import‐BannedWords
Import‐BannedWordHashes