Pwned Archives - darrenjrobinson - Bespoke Identity and Access Management Solutions

August 10, 2017August 13, 2020

UPDATED: Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager

Microsoft Identity Manager - Have I Been Pwned

<img width="640" height="121" src="https://i0.wp.com/blog.darrenjrobinson.com/wp-content/uploads/2018/02/HIBP-640px.png?resize=640%2C121&ssl=1" class="attachment-twentyseventeen-featured-image size-twentyseventeen-featured-image wp-post-image" alt="Microsoft Identity Manager - Have I Been Pwned" decoding="async" srcset="https://i0.wp.com/blog.darrenjrobinson.com/wp-content/uploads/2018/02/HIBP-640px.png?w=640&ssl=1 640w, https://i0.wp.com/blog.darrenjrobinson.com/wp-content/uploads/2018/02/HIBP-640px.png?resize=300%2C57&ssl=1 300w" sizes="(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px" />

Earlier this week I posted this blog post that showed a working example of using a custom Pwned Password FIM/MIM Management Agent to flag a boolean attribute in the MIM Service to indicate whether a users password is in the pwned passwords dataset or not.… keep reading

August 8, 2017August 13, 2020

Identifying Active Directory Users with Pwned Passwords using Microsoft/Forefront Identity Manager

Pwned Password Identification with Microsoft Identity Manager

<img width="640" height="255" src="https://i0.wp.com/blog.darrenjrobinson.com/wp-content/uploads/2017/08/Pwned-Password-Overview-640px.png?resize=640%2C255&ssl=1" class="attachment-twentyseventeen-featured-image size-twentyseventeen-featured-image wp-post-image" alt="Pwned Password Identification with Microsoft Identity Manager" decoding="async" srcset="https://i0.wp.com/blog.darrenjrobinson.com/wp-content/uploads/2017/08/Pwned-Password-Overview-640px.png?w=640&ssl=1 640w, https://i0.wp.com/blog.darrenjrobinson.com/wp-content/uploads/2017/08/Pwned-Password-Overview-640px.png?resize=300%2C120&ssl=1 300w" sizes="(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px" />

Update: An element of this solution details checking passwords online (using the Have I Been Pwned API). Troy explains succinctly in his blog-post announcing the pwned passwords list why this is a bad idea. If you are looking to implement the concept I detail in this post then WE STRONGLY recommend using a local copy of the pwned password list.… keep reading