What is User Password Filtering?

What is the threat?

One of the largest threats to organizations today, especially those with externally facing systems or cloud providers are authentication attacks at the user level. One of these attacks is called “password spraying”. It involves the gathering of common passwords such as “Welcome2018” or “Winter2019” and trying these passwords against each known username in the domain. By using this method an attacker can try these username/password combinations on all the users of a network or on a cloud service like Office 365. Traditional safeguards, such as lockout policies, only protect from numerous password attempts on a single account, this attack focuses on doing the opposite, it tries the same password on numerous accounts, because each account only registers one failed login there is no effective way to block this activity.


What is being done about it?

In our continued effort to help prevent such attacks and related threats we are implementing a new password filtering service across our entire managed client base. This service uses the haveibeenpwned database to filter user passwords during password changes to make sure they are not trying to use a password that is already on a breached list. The database currently contains more than 500 million breached passwords with more being added as breaches occur. We will be deploying this over the next several weeks and it will take effect when the server is rebooted during your normally scheduled maintenance.


What else can I do?

Increase the strength of your password policy by requiring longer passwords with complexity and lowering the lockout threshold. We recommend a minimum password length of 14 characters (for security the more characters the better) and a lockout threshold of 5 attempts with automatic unlocking disabled.


The mechanism explained:

When a user attempts change their password, the password is hashed (more about hashing below). The first 5 characters of the hash are then sent to be compared with the database.

What is a hash?

A hash is a one-way mathematical function that is used to determine the uniqueness of a file, password or other data input. The best way to think of a hash is like a signature of file and there is a mathematical guarantee that each file with the same hash is exactly the same and if the hash is different at least one part of the file is different.

Can the hash be reversed?

NO, hashes work one way, from the original object to a hash, the reverse doesn’t work. So transmitting a small portion of the hash ensures that the original information cannot be determined.

Is this safe?

YES, because the actual password the user is trying to user is never transmitted this service is safe and has no downside.

What happens if the service is down?

If the service is down while the user attempts to change their password this check will simply be skipped, for this reason we still recommend having a password policy of at least 14 characters with complexity requirements enabled.

What if my users never change passwords?

Because this service can only work during password changes if you have a password policy with no expiration this will have no effect on password and will not increase security. You will need to make a few changes and our team of techs will be happy to advise you on this.

What if I don’t want to use this?

You can opt out, just reply to his email with “OPT OUT” added to the subject line and we will remove you from the list of clients that will be getting this service, if you change your mind in the future we will be happy to deploy it for you.


Some great sources for info are the following…

  1. https://haveibeenpwned.com/ – a website run by Troy Hunt, a well renowned security researcher and security lecturer. His website functions as a searchable repository for users to check if their accounts are associated with any breaches. Geared towards the average user with the intent of increasing the overall security awareness worldwide.

  • https://krebsonsecurity.com/ – geared towards the security professional most articles focus on education, information and prevention and are a good resource for CISOs, CTO’s, IT  and Compliance staff.