Lithnet Password Protection for AD
Load compromised passwords into the store


Last updated 2 years ago

Now that we have created a store, we can populate it with compromised passwords and banned words.

Import the PowerShell module and open the store folder:

Import-Module LithnetPasswordProtection
Open-Store -Path "D:\password-protection\store"

Add compromised passwords to the store

We recommend you synchronize your password store with the Have I Been Pwned API using the Sync-HashesFromHibp cmdlet.

Sync-HashesFromHibp

If you are replicating the store with DFS-R, pause replication before you start populating the store. Wait until you have completed the import process before resuming replication.

If you don't have internet access from the server where the LPP store is being created, you can use the HIBP downloader to download the dataset.

When using the HIBP downloader tool, make sure you download the NTLM hashes, not the SHA1 hashes, and download them into a single file.

haveibeenpwned-downloader.exe -n pwnedpasswords_ntlm

If you have other NTLM hash sets you want to import, you can do so. Just make sure they are in a text file, each separated by a new line. Use the Import-CompromisedPasswordHashes cmdlet to import them.
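
A hash list can be checked before import for the two mistakes described above: SHA1 hashes instead of NTLM, and lines that are not one hash each. The following PowerShell is an added example, not part of the LithnetPasswordProtection module. The function name Test-NtlmHashFile, the sample file and its hash values are constructed, and the check assumes an optional ":count" suffix after each hash, as in HIBP data files.

```powershell
# Hypothetical helper (not an LPP cmdlet): classify each line of a hash list by length.
function Test-NtlmHashFile {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # .NET file APIs ignore the PowerShell location, so resolve to a full path first.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $result = [ordered]@{ Ntlm = 0; Sha1 = 0; Invalid = 0; FirstBadLine = $null }
    $lineNo = 0
    # Stream line by line; breach hash sets are far too large to load into memory.
    foreach ($line in [System.IO.File]::ReadLines($fullPath)) {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Assumption: an optional ":<count>" suffix may follow the hash.
        $hash = ($line.Trim() -split ':', 2)[0]
        if ($hash -match '^[0-9A-Fa-f]{32}$') {
            $result.Ntlm++            # 128-bit value: NTLM length
        }
        elseif ($hash -match '^[0-9A-Fa-f]{40}$') {
            $result.Sha1++            # 160-bit value: SHA1 length, wrong data set
            if (-not $result.FirstBadLine) { $result.FirstBadLine = $lineNo }
        }
        else {
            $result.Invalid++         # not a bare hex hash at all
            if (-not $result.FirstBadLine) { $result.FirstBadLine = $lineNo }
        }
    }
    [pscustomobject]$result
}

# Constructed sample input: placeholder hex strings, not real password hashes.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'lpp-sample-hashes.txt'
@(
    '0123456789ABCDEF0123456789ABCDEF:12'          # 32 hex characters with a count
    'fedcba9876543210fedcba9876543210'             # 32 hex characters, no count
    '0123456789ABCDEF0123456789ABCDEF01234567:3'   # 40 hex characters
    'not-a-hash'
) | Set-Content -LiteralPath $sample -Encoding ascii

Test-NtlmHashFile -Path $sample
```

Import the file only when Sha1 and Invalid are both zero; FirstBadLine gives the first line number to inspect otherwise.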

You can also choose to import any plain-text password lists that you have access to. These are imported using the Import-CompromisedPasswords cmdlet.

Import-CompromisedPasswords -Filename "D:\password-protection\hashes.org-2018.txt"

If you have individual passwords you want to add, you can use the Add-CompromisedPassword cmdlet.

Add-CompromisedPassword -Value p@ssw0rd

To test whether a password is in the compromised password store, use the Test-IsCompromisedPassword cmdlet. The cmdlet will return true if the password was found in the compromised store.

Test-IsCompromisedPassword -Value p@ssw0rd

Add banned words to the store

The password filter can also protect against common substitutions by normalizing incoming passwords and checking them against the banned word store. For example, adding the word lithnet to the banned word store will prevent common variations such as lithnet2018, l1thn3t and Lithnet! from being used. You can read more about the normalization rules to understand how this works in more detail.

The banned word store contains the list of words you want to prevent passwords from being based on. You can load in common names in your organization, or load in the entire dictionary. The Import-BannedWords cmdlet is used to import a file of new-line separated words.

Import-BannedWords -Filename "D:\password-protection\english-dictionary-words.txt"

To add individual words, use the Add-BannedWord cmdlet.

Add-BannedWord -Value "lithnet"
