Password_Pwncheck: a tool that helps enterprises improve password security
 
Password_pwncheck is a tool for improving the security of enterprise passwords. It checks candidate passwords against large public lists of breached password hashes (such as the Have I Been Pwned list) to determine whether a password has already been leaked. Password_pwncheck also implements NIST 800-63B checks such as a minimum password length (default: 15), rejection of password reuse, and a password blocklist.
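The checks listed above, implemented stand-alone as an added example. This is not the project's own code (password_pwncheck is written in Python 2.7; this example targets Python 3). It assumes the breach list is the downloadable Have I Been Pwned SHA-1 file, one "UPPERCASE_SHA1:count" line per password, and that the caller keeps a per-account set of hashes of previously accepted passwords for the reuse check. The class and function names, the two constructed sample lines, the blocklist words and the account names are this example's own.

```python
import hashlib

# Default minimum length, as the page states for password_pwncheck (NIST 800-63B).
DEFAULT_MIN_LENGTH = 15

# Constructed sample in the format of the downloadable Have I Been Pwned SHA-1
# list ("UPPERCASE_SHA1:prevalence_count", one line per password). The two
# digests are the well-known SHA-1s of "password" and "123456"; the counts are
# made up for this example. The real file has hundreds of millions of lines.
SAMPLE_HASH_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:23597311
"""


class BreachedHashList:
    """Lookup into an HIBP-style hash file, keyed by uppercase SHA-1 digest."""

    def __init__(self, lines):
        self._counts = {}
        for line in lines:
            line = line.strip()
            if not line or ":" not in line:
                continue  # skip blank or malformed lines instead of failing
            digest, count = line.split(":", 1)
            self._counts[digest.upper()] = int(count)

    def prevalence(self, password):
        """Number of breach occurrences recorded for this password (0 if unseen)."""
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        return self._counts.get(digest, 0)


def history_hash(username, password):
    """Hash stored per account for the reuse check. Salted with the account
    name and stretched so the history store does not double as a crackable
    SHA-1 list if it leaks (assumed design, not the project's)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), username.lower().encode("utf-8"), 100_000
    ).hex()


class PasswordPolicy:
    """All server-side tests in one place: length, account name as a
    context-specific word, blocklist, breach list and reuse. Returns
    violation codes rather than a bare yes/no so a client can tell the
    user why a password was rejected."""

    def __init__(self, breached, min_length=DEFAULT_MIN_LENGTH, blocklist=()):
        self.breached = breached
        self.min_length = min_length
        self.blocklist = tuple(word.lower() for word in blocklist)

    def check(self, username, password, history):
        """username: account name; history: set of history_hash() values
        previously accepted for this account. An empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append("too_short")
        lowered = password.lower()
        if username and username.lower() in lowered:
            problems.append("contains_username")
        if any(word in lowered for word in self.blocklist):
            problems.append("blocklisted")
        if self.breached.prevalence(password) > 0:
            problems.append("breached")
        if history_hash(username, password) in history:
            problems.append("reused")
        return problems


def build_demo_policy():
    """Policy wired to the constructed sample list and a small example blocklist."""
    breached = BreachedHashList(SAMPLE_HASH_LIST.splitlines())
    return PasswordPolicy(breached, blocklist=["companyname", "welcome"])


if __name__ == "__main__":
    policy = build_demo_policy()
    history = {history_hash("alice", "correct horse battery staple")}
    for candidate in ["password", "CompanyName-Welcome-2024",
                      "correct horse battery staple", "alice has a long passphrase"]:
        print(repr(candidate), policy.check("alice", candidate, history) or "accepted")
```

Loading the full list into a dictionary is only for illustration; on a real deployment the sorted-by-hash download should be memory-mapped and searched with a binary search, or the matching should be done entirely on the server so the plaintext never leaves the host that received it.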
 
This project contains two parts:

  - Password server: a simple, scalable Python script that contains all the password test logic.
  - Password plug-in clients: a Windows Password Filter DLL, a Kerberos module and a PAM module are in the pipeline. This should meet the needs of most modern enterprises with scalable password management solutions. If it does not, you can write your own client and send a Pull Request to the main project.

Install

The tool works and has been tested. However, installation and configuration require a certain amount of knowledge, such as understanding the variable values in the configuration script and how to manage Kerberos/PAM/AD password changes. I am not a technical expert in this field, so I can only give a rough description of how to use it here.

Password Server

   - The password server needs the hash lists of leaked passwords that you download and provide to it. They should be in the ./db folder. A good source is the Have I Been Pwned Pwned Passwords list, https://haveibeenpwned.com/passwords, which can be downloaded as SHA-1 or NTLM hashes. Thank you, Troy Hunt, for your efforts (he is also the main source of inspiration for my project).
   - Also make sure that your key and certificate chain are valid. The paths of these two files must match the SSLCertFile and SSLKeyFile variables.
   - This project is written in Python 2.7. Run it with: python2.7 ./pwned-password-server.py

AD password filter DLL

   - Run resbuilder.bat in the ad-password-pwncheck project directory from a Visual Studio developer command prompt.
   - Build the solution, in particular the ad_password_pwncheck project.
   - Copy the generated ad_password_pwncheck.dll into the %windir%\system32 folder on every domain controller in the domain.
   - Register the Windows Event Log manifest by running: wevtutil im Resources.man /rf:"%windir%\system32\ad_password_pwncheck.dll" /mf:"%windir%\system32\ad_password_pwncheck.dll"
   - Import the included registry file to apply the registry settings.

Password filter DLLs are loaded by the Local Security Authority (lsass.exe) at boot, from the Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so each domain controller must be rebooted before the filter takes effect. Because the filter runs inside lsass.exe, a crash in it takes the LSA down with it, and a filter that blocks (for example on a slow call to the password server) delays every password change handled by that domain controller; test on one DC before rolling out to all of them.

Kerberos filter DLL

   - Make sure the openssl-devel and curl-devel packages (or their equivalents on your SLES/RedHat/Debian derivative) are installed, then run ./build.sh.
   - Copy the built /lib/security/krb_password_pwncheck.so library to the Kerberos plugins/pwqual folder.
   - Set the correct module path in krb5.conf. MIT Kerberos loads password-quality plugins from the pwqual subsection of the [plugins] section, where each module entry gives the module name and the full path to the .so file; that path must match where you copied the library.

* Reference source: GitHub
Permanent link to this article: https://www.bkjia.com/Linux/2018-03/151435.htm