Active Directory password filter for breached password checks and custom complexity rules
- Stars: 568
- Forks: 61
- Open Issues: 21
- License: MIT
- Languages: C#, C++, C

About Lithnet Password Protection
Lithnet Password Protection is a module for Active Directory servers that inspects passwords as users change them. It uses a password filter to reject or approve password changes based on policies you define in group policy, helping enforce strong passwords across AD accounts.
It can block compromised passwords and banned words, and enforce regex-based and points-based complexity rules. You can set length-based policies, import the HIBP data set or other lists of plain-text passwords and NTLM hashes, audit existing passwords against compromised lists, and create detailed event logs. Passwords never leave the domain controller.
The PowerShell module can synchronize compromise lists from the haveibeenpwned.com API, add banned words and password lists, and test passwords and hashes. It is supported on x64 Windows Server 2012 R2 or higher, requires no additional servers, and uses a DFS-R friendly data store.
Key features
- Blocks compromised passwords, banned words, and common variants
- Length-based, regex-based, and points-based complexity rules
- Audits existing AD passwords against compromised lists
- PowerShell support for syncing and testing password stores
- Detailed event logs and DFS-R friendly data store
Details
- First released: 2018
- Platforms: Windows · CLI
- Deployment: self-hostable
- Architecture: x64 Windows only
- Server requirement: Windows Server 2012 R2+
- Transport: No internet access required
