New Feature: An Additional Way to Query

This major release all centers around one new core feature – an additional API endpoint that utilizes a customer-provided API Key to authorize connections to the API.  Using this API Key allows customers to query the API from anywhere, without first registering their IP address(es) with Password RBL.  Not only is API Key authorization easier for customers (because there is no extra IP address management task), but it also friendly to cloud-based infrastructure and services that do not necessarily maintain static IP addressing.  But just to be clear, this is a new API endpoint and the existing IP-authorized endpoint is still supported.

A Little History

Previously, Password RBL’s API only authorized customer connections based upon their source IP address.  This was a design decision from the very beginning.  Password RBL has always been very focused on providing password blacklisting services in a zero-trust manner.  A cloud-based password blacklisting solution was new to the world back then, and we really wanted customers to understand that it really is secure.  So we choose to implement customer authorization by IP rather than API key.  API queries entering our service were confirmed to come from customers based on the packet’s source IP.  With the original architecture, by the time the query got passed network checks and load balancing, the API did not know which customer it was coming from (just that it was an authorized customer).  But once we added the Prefix-Query method (where queries only contain a portion of the password hash, not the entire hash), customers had even more assurance that even Password RBL could never determine the cleartext password from their API submission.  This opened the door to reconsidering a feature requested by many customers – API Key authorization.

A Quick Word on TLS versions

This new key-based endpoint is a modern, new method of connectivity and thus, requires modern TLS connections – TLS v1.2 at a minimum.  It is important to note that Windows Server 2008 R2 does not have TLS v1.2 enabled by default.  In order for Password Firewall to run with API Key authorization on Windows 2008 R2, you must update .NET to latest patch release and then manually create some registry entries to enable the use of TLS v1.2.  There are many guides that you can follow.  Later versions of Windows supports TLS v1.2 by default.  Windows 2008 R2 is now End of Life so any 2008 R2 servers should be retired anyways (but we still support Password Firewall on Server 2008 R2 because we would rather you have strong passwords and an old server than bad passwords and an old server).

Download Today!

The latest API is in production and the latest version of Password Firewall for Windows available now,  Head over to our downloads page for the latest software and documentation.

The post New Versions of API and Password Firewall appeared first on Password RBL.

Password RBL has extended its bad password blacklisting service to include the Pwned Passwords blacklist in addition to Password RBL’s own highly curated blacklist that it has continually developed for years.  This new feature adds over 500 million passwords to the blacklisting service and is now available to all customers who want even more protection from bad passwords.  Customers can simultaneously query Password RBL’s highly-curated blacklist, their own custom blacklist, and now the Pwned Passwords blacklist, too.

Bad passwords have plagued organizations for decades, and reported data breaches have increased in recent years.  These breaches commonly exfiltrate the credential database, providing hackers with passwords to use in attacks on other organizations.  Credential stuffing and password spray attacks are becoming more common due to the large number of known breached passwords.  IT departments have tried to coach users into choosing complex passwords and employed the use of password policies, but password policies cannot solve this growing problem on their own.  Password blacklisting is a perfect supplement to existing password policies.

Password blacklisting blocks the millions of bad passwords that meet common password policies.  This is why the National Institute for Standards and Technology (NIST) in the United States has recommended employing the use of a password blacklist in their latest authentication guidelines.  The National Cyber Security Centre (NCSC) in United Kingdom also makes this recommendation.  Password blacklisting is an easy and effective way to combat password reuse and just plain bad passwords.

Password RBL’s blacklisting service includes direct API access and Password Firewall for Windows, an extremely lightweight software solution that only needs to be installed on Domain Controllers and does not require end-users or IT staff to learn anything new.  These features make it incredibly easy to add password blacklisting to any existing Windows network.

Password RBL, founded in 2013, provides affordable and easy to use password blacklisting solutions.  The company slogan is “Prevent Bad Passwords Before They Happen” because their solutions prevent the use of bad passwords that hackers use to gain unauthorized access to networks across the globe.  They consolidate passwords by analyzing hacker tools, running honeypot servers, and scouring the web for leaked credential databases from data breaches.

Subscriptions to the service start at just $15.00 (USD) per month for small-medium businesses.  Larger organizations can request a quote.

The post Password RBL adds Pwned Passwords database appeared first on Password RBL.

Password RBL is targeting large Windows enterprises with their latest release of Password Firewall for Windows.  The new version adds automated installation (and uninstallation) options to the product’s deployment methods. The provided documentation includes step by step instructions for using Group Policy to deploy and configure the password blacklisting solution for Active Directory in an automated fashion, but the method is easily adapted to any existing system management software.  Password Firewall is enterprise-ready and can now be deployed across the entire organization in minutes.

Bad passwords have plagued organizations for decades, and reported data breaches have increased in recent years.  These breaches commonly exfiltrate the credential database, providing hackers with passwords to use in attacks on other organizations.  In fact, the 2014 Verizon Data Breach Investigation Report found that 2 out of 3 network breaches exploited weak or stolen credentials.  IT departments have tried to coach users into choosing complex passwords and employed the use of password policies, but password policies cannot solve this growing problem on their own.  That’s where password blacklisting comes in.

Password blacklisting blocks the millions of bad passwords that meet common password policies.  This is why the National Institute for Standards and Technology (NIST) in the United States has recommended employing the use of a password blacklist in their latest authentication guidelines.  The National Cyber Security Centre (NCSC) in United Kingdom also makes this recommendation.  Password blacklisting is an easy and effective way to combat bad passwords.

Password RBL’s blacklisting solution, Password Firewall for Windows, is extremely lightweight, only needs to be installed on Domain Controllers, and doesn’t require end-users or IT staff to learn anything new.  These features make it easy to add Password Firewall to any Windows network.  Combine these features with the latest automated installation methods, and companies can now deploy password blacklisting throughout their whole organization in minutes.

Password RBL, founded in 2013, is a provider of affordable and easy to use password blacklisting solutions.  The company slogan is “Prevent Bad Passwords Before They Happen” because their solutions prevent the use of bad passwords that hackers use to gain unauthorized access to networks across the globe.  They consolidate passwords by analyzing hacker tools, running honeypot servers, and scouring the web for leaked credential databases from data breaches.

SMB subscriptions to the service start at just $15.00 (USD) per month.  Larger organizations can request a quote.

The post Password RBL targets enterprises with latest release of Password Firewall for Windows appeared first on Password RBL.

Password RBL adds customer-specific entries to their password blacklisting products that solve the problem of weak passwords that lead to unauthorized access and data breaches.  In addition to stopping nearly 70 million bad password combinations, their newest feature allows subscribers to provide their own banned passwords.  This increases the effectiveness of the solution for each individual subscriber as they can now add entries to their own password blacklist.  This includes passwords known by terminated employees or known to have been shared by users.  Other common passwords that a company may want to ban include passwords based on publicly available company-specific information, such as company name, address, or slogan.  This is the type of information used in password-based attacks.

Bad passwords have plagued businesses for decades.  In the last few years there has been a noticeable increase in reported data breaches because exploiting weak passwords is an easy way for hackers to gain access to business networks.  The 2014 Verizon Data Breach Investigation Report found that 2 out of 3 network breaches exploited weak or stolen credentials.  IT departments have tried to coach users into choosing complex passwords and employed the use of password policies, but this doesn’t solve the problem.  There are millions of bad passwords that meet common policies.  Password policies do, however, annoy end-users with frequently required password changes.  The built-in password policy in Windows is no longer good enough.  Password RBL ensures that end-users choose strong passwords that hackers don’t already know.  And now companies can add their own banned passwords to further customize the service to their needs.  If users are picking strong passwords, then they should be allowed to keep them for longer.  Truly a win-win situation.

Password RBL’s Password Firewall for Windows is extremely lightweight, features an easy wizard-based installation that only needs to be run on Domain Controllers, and doesn’t require end-users or IT staff to learn anything new.  Furthermore, Password Firewall follows the exact same pricing model as direct API access to the Password RBL blacklist and both products can be used simultaneously under the same subscription.

Password RBL, founded in 2013, is a provider of affordable and easy to use password blacklist solution.  The company slogan is “Prevent Bad Passwords Before They Happen” because their solutions prevent the use of bad passwords that hackers user to gain unauthorized access to business networks across the globe.  They consolidate passwords discovered by analysis of hacker tools, running honeypot servers, and scouring the web for published credential databases from data breaches.

Currently, subscriptions to the service start at just $15.00 (USD) per month.

The post Custom Password Blacklisting comes to Active Directory appeared first on Password RBL.

Password RBL provides an affordable password blacklist solution that solves the problem of end-users picking poorly constructed passwords that can lead to unauthorized access and data breaches.  Originally, the service was targeted at web site and app operators as access to the blacklist database was provided via a web-based API.  With the recent release of Password Firewall, the service extends heightened password security to the millions of Windows-based networks worldwide by protecting Microsoft’s Active Directory, the core of a Windows-based business network.  Many additional software packages, such as Microsoft’s Exchange and Sharepoint services, rely on Active Directory, and those systems will also reap the benefits of enhanced password security.

Bad passwords have plagued IT departments and businesses for decades.  In the last few years there has been a significant increase in hackers utilizing password-based attacks to gain unauthorized access to business networks and data.  The 2014 Verizon Data Breach Investigation Report found that 2 out of 3 network breaches exploited weak or stolen credentials.  IT departments have tried to coax users into choosing complex passwords and employed the use of password policies, but this has barely mitigated the problem while annoying end-users with always-too-frequent password changes.  The built-in password policy is no longer “good enough” security.  Password RBL can ensure end-users are picking strong passwords that hackers aren’t already using.  This means IT can reduce the frequency of pesky required password changes.  As founder Adam Smith puts it, “IT gets strong passwords and users get to keep their passwords.”

Password Firewall for Windows is extremely lightweight, features an easy wizard-based installation that only needs to be run on Domain Controllers, and doesn’t require end-users or IT staff to learn anything new or change their behavior.  Furthermore, Password Firewall follows the exact same pricing model as direct API access to the Password RBL blacklist database and both products can be used simultaneously under the same subscription.

Password RBL, founded in 2013, is a provider of easy to use yet secure and affordable password security solutions.  The company slogan is “Prevent Bad Passwords Before They Happen” because their solutions prevent the use of bad passwords that hackers already utilize to gain unauthorized access to business networks across the globe.  They consolidate passwords discovered by analysis of hacker tools, running honeypot servers, and scouring the web for published credential databases from data breaches.

Currently, subscriptions to the service start at just $15.00 (USD) per month.

The post Password Blacklisting comes to Active Directory appeared first on Password RBL.