Load compromised passwords into the store
Import the PowerShell module and open the store folder
Import-Module LithnetPasswordProtection
Open-Store -Path "D:\password-protection\store"
We recommend you synchronize your password store with the Have I Been Pwned API using the Sync-HashesFromHibp cmdlet.
Sync-HashesFromHibp
If you are replicating the store with DFS-R, pause replication before you start populating the store. Wait until you have completed the import process before resuming replication.
If you don't have internet access from the server where the LPP store is being created, you can use the HIBP downloader to download the dataset.
When using the HIBP downloader tool, make sure you download the NTLM hashes, not the SHA1 hashes, and download them into a single file.
haveibeenpwned-downloader.exe -n pwnedpasswords_ntlm
If you have other NTLM hash sets you want to import, you can do so. Just make sure they are in a text file, each separated by a new line. Use the Import-CompromisedPasswordHashes cmdlet to import them.
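A pre-flight check for a hash list before it is imported, as an added example that is not part of the LPP module: it flags SHA1-length entries (the wrong dataset) and malformed lines. Test-NtlmHashFile is a hypothetical helper, the sample hashes are constructed, and the check assumes one hash per line with an optional ":count" suffix as carried by HIBP downloads.

```powershell
# Added example: Test-NtlmHashFile is a hypothetical helper, not an LPP cmdlet.
function Test-NtlmHashFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxLines = 100000   # only sample the head of the file; HIBP sets are very large
    )
    $ntlmPattern = '^[0-9A-Fa-f]{32}(:\d+)?$'   # NTLM: 32 hex chars, optional ":count"
    $sha1Pattern = '^[0-9A-Fa-f]{40}(:\d+)?$'   # SHA1: 40 hex chars, not usable here
    $checked = 0; $ntlm = 0; $sha1 = 0; $invalid = 0; $firstBadLine = $null
    $lineNumber = 0

    # ReadLines streams the file instead of loading it all into memory
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    foreach ($line in [System.IO.File]::ReadLines($fullPath)) {
        $lineNumber++
        $entry = $line.Trim()
        if ($entry.Length -eq 0) { continue }        # ignore blank lines
        if ($checked -ge $MaxLines) { break }
        $checked++
        if ($entry -match $ntlmPattern) { $ntlm++; continue }
        if ($entry -match $sha1Pattern) { $sha1++ } else { $invalid++ }
        if ($null -eq $firstBadLine) { $firstBadLine = $lineNumber }
    }

    [pscustomobject]@{
        Checked      = $checked
        Ntlm         = $ntlm
        Sha1         = $sha1
        Invalid      = $invalid
        FirstBadLine = $firstBadLine
        IsImportable = ($checked -gt 0 -and $ntlm -eq $checked)
    }
}

# Constructed sample data (not real breach hashes):
# two NTLM-length entries followed by one SHA1-length entry.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'lpp-hash-sample.txt'
@(
    '0123456789ABCDEF0123456789ABCDEF:12'
    'FEDCBA9876543210FEDCBA9876543210'
    '0123456789ABCDEF0123456789ABCDEF01234567:3'
) | Set-Content -LiteralPath $sample -Encoding ascii

# Run the check on the sample and show the summary object
Test-NtlmHashFile -Path $sample
```

Run the check against the real file before calling Import-CompromisedPasswordHashes, and only import when IsImportable is True.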
You can also choose to import any plain-text password lists that you have access to. These are imported using the Import-CompromisedPasswords cmdlet.
Import-CompromisedPasswords -Filename "D:\password-protection\hashes.org-2018.txt"
Add-CompromisedPassword -Value p@ssw0rd
To test whether a password is in the compromised password store, use the Test-IsCompromisedPassword cmdlet. The cmdlet will return true if the password was found in the compromised store.
Test-IsCompromisedPassword -Value p@ssw0rd
The password filter can also protect against common substitutions by normalizing incoming passwords and checking them against the banned word store. For example, adding the word lithnet to the banned word store will prevent common variations such as lithnet2018, l1thn3t and Lithnet! from being used. You can read more about the normalization rules to understand how this works in more detail.
The banned word store contains the list of words you want to prevent passwords being based on. You can load in common names in your organization, or load in the entire dictionary. The Import-BannedWords cmdlet is used to import a file of new-line separated words.
Import-BannedWords -Filename "D:\password-protection\english-dictionary-words.txt"
Add-BannedWord -Value "lithnet"