Robert Brock

That's effectively a password whitelist, and that does not give me warm fuzzy feelings. Why not, in the case of creating a batch of new accounts with a generic password,...

Ah, that makes more sense.

Perhaps a better idea would be to allow a configurable list of users (or security group) to bypass the check? Then your domain admin account creating these users could set...

Or perhaps not. Seems the DLL isn't aware of any more than the account whose password is being changed. :/ https://msdn.microsoft.com/en-us/library/windows/desktop/ms721878(v=vs.85).aspx

I've moved the lists to sysvol to leverage active directory replication, and added some logic to watch their last write times and re-read if they've changed. I tried doing this...

Now with pwnedpasswordsAPI support! :smiley:

Oh hi, that's my fork. There's a somewhat serious issue fixed in #11 that has yet to be merged, to boot.

Agree that this would be nice. I'll have a go at it in my fork. The DLL is aware of the username but only sends the password over to the...

The ability for the service to take in the username and apply something like hashcat's rules would be really nice - keep user 'James' from building a password containing 'J4m35',...

Interesting, but yeah, you'd have to be very careful about performance. May be worth examining Hashcat's source and see if that implementation could just be extracted for use here. It'd...