New Versions of API and Password Firewall

Password RBL is pleased to announce that the next major versions of our products have been released for 2020-Q4.  This includes API v4.00 and Password Firewall for Windows v7.00, which utilizes the latest features available in the new API.


New Feature: An Additional Way to Query

This major release centers on one new core feature: an additional API endpoint that utilizes a customer-provided API Key to authorize connections to the API.  Using this API Key allows customers to query the API from anywhere, without first registering their IP address(es) with Password RBL.  Not only is API Key authorization easier for customers (because there is no extra IP address management task), but it is also friendly to cloud-based infrastructure and services that do not necessarily maintain static IP addressing.  To be clear, this is a new API endpoint, and the existing IP-authorized endpoint is still supported.


A Little History

Previously, Password RBL’s API only authorized customer connections based upon their source IP address.  This was a design decision from the very beginning.  Password RBL has always been very focused on providing password blacklisting services in a zero-trust manner.  A cloud-based password blacklisting solution was new to the world back then, and we wanted customers to understand that it really is secure.  So we chose to implement customer authorization by IP rather than API key.  API queries entering our service were confirmed to come from customers based on the packet’s source IP.  With the original architecture, by the time the query got past network checks and load balancing, the API did not know which customer it was coming from (just that it was an authorized customer).  But once we added the Prefix-Query method (where queries only contain a portion of the password hash, not the entire hash), customers had even more assurance that even Password RBL could never determine the cleartext password from their API submission.  This opened the door to reconsidering a feature requested by many customers: API Key authorization.


A Quick Word on TLS versions

This new key-based endpoint is a modern method of connectivity and thus requires modern TLS connections: TLS v1.2 at a minimum.  It is important to note that Windows Server 2008 R2 does not have TLS v1.2 enabled by default.  In order for Password Firewall to run with API Key authorization on Windows 2008 R2, you must update .NET to the latest patch release and then manually create some registry entries to enable the use of TLS v1.2.  There are many guides that you can follow.  Later versions of Windows support TLS v1.2 by default.  Windows 2008 R2 is now End of Life, so any 2008 R2 servers should be retired anyway (but we still support Password Firewall on Server 2008 R2 because we would rather you have strong passwords and an old server than bad passwords and an old server).
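
To confirm a server's TLS v1.2 state before switching to the key-based endpoint, the following read-only PowerShell audit reports the standard Windows Schannel and .NET Framework registry values involved. It is an added example, not Password RBL code; the .NET Framework versions checked are an assumption, since this page does not say which one Password Firewall uses. On Server 2008 R2, a value reported as not set means the OS default applies, which leaves TLS v1.2 off.

```powershell
# Added example (not vendor code): read-only audit of the registry values that
# control TLS 1.2 for Schannel clients and .NET applications. Changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

# Assumption: the .NET Framework version in use is not stated on this page,
# so both the 2.x/3.5 and 4.x keys are checked, in the 64-bit and 32-bit views.
$dotnet = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

$checks = @(
    @{ Path = $schannel; Name = 'Enabled';           Want = 1 },
    @{ Path = $schannel; Name = 'DisabledByDefault'; Want = 0 }
)
foreach ($key in $dotnet) {
    $checks += @{ Path = $key; Name = 'SchUseStrongCrypto'; Want = 1 }
}

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $actual = Get-RegistryValue -Path $c.Path -Name $c.Name
    # Schannel treats any non-zero 'Enabled' value as on (some guides write 0xFFFFFFFF).
    $enabledOn = ($c.Name -eq 'Enabled' -and $null -ne $actual -and $actual -ne 0)
    if ($null -eq $actual)                          { $status = 'NOT SET (OS default applies)' }
    elseif ($enabledOn -or $actual -eq $c.Want)     { $status = 'OK' }
    else                                            { $status = 'MISMATCH' }
    # New-Object is used instead of [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Key = $c.Path; Value = $c.Name; Expected = $c.Want; Actual = $actual; Status = $status
    }
}

$report | Select-Object Status, Value, Expected, Actual, Key | Format-Table -AutoSize
```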


Download Today!

The latest API is in production and the latest version of Password Firewall for Windows is available now.  Head over to our downloads page for the latest software and documentation.