Real-time Password Blacklist

How is Password Firewall for Windows licensed?

Licensing for Password Firewall follows the same subscription method of Password RBL and is based on the number of IPs (or blocks of 8 IPs) sending queries to Password RBL and the number of queries per day.  Note that licenses are not based on the number of installations of Password Firewall.  So, if you have three business sites, each with two Internet connections, this equates to six source IPs regardless of how many domain controllers you have deployed in your infrastructure.


Then just estimate the number of queries you expect to send each day.  The easiest way to do this is to take the total number of users and multiple by two, since it typically takes end-users up to three tries to pick a good password.


Where do I install Password Firewall in my network?

Password Firewall needs to be installed on every Active Directory Domain Controller to ensure complete protection from bad passwords.  Payment to utilize Password Firewall follows the Password RBL subscription model and is not licensed per installation so you are not paying for each installation.  The installation is lightweight, quick and easy but does require the server(s) to be restarted, so plan accordingly. 

Do I install Password Firewall on Read-Only Domain Controllers (RODC)?

No.  Read-Only Domain Controllers do not directly process password changes, so you only need to install Password Firewall on regular, writeable Domain Controllers.


Do I have to install Password Firewall on domain-joined workstations?

No.  Password Firewall only needs to be installed on Active Directory Domain Controllers.


Do my end-users have to do anything different when changing their network password?

No.  This is one of the greatest features of Password Firewall.  End-users and Administrators use the normal built-in methods for updating Active Directory passwords.  There is nothing new to learn and users/helpdesk employees don’t need to do anything differently.


Which Package should I subscribe to if my business sites have multiple Internet Connections?

Password RBL subscriptions are based on the number of connecting IPs (or contiguous blocks of 8 IPs) and the number of queries per day.  If your business sites have multiple Internet connections with different IP addressing, then each connection would count as a source.  For example, if the main business headquarters has two Internet connections and there is a single branch office with one Internet connection, then a subscription package that allows for 3 sources would fit well.


How does Password Firewall fit in with Windows Password Policy?

Whether your Active Directory uses the classic single password policy or you've deployed Microsoft's newer Fine-Grained Password Policies, Password Firewall operates in addition to the existing Windows password policy.  So whatever portions of the built-in Password Policies you choose to implement, Password Firewall will also apply.  For maximum security, you should enable every built-in policy and use Password Firewall to block all the passwords that are bad but are not captured by the built-in policy (i.e., Password1, Password123, etc.).


My Domain Controllers don't have direct Internet access.  Will Password Firewall work through a proxy?

We understand that many organizations decide to prevent direct Internet access from their domain controllers as a security precaution.  While Password RBL doesn't provide an application-layer proxy component, Password Firewall is confirmed to work with a properly implemented transparent SSL Proxy.  These types of "man-in-the-middle" SSL Proxies are common features in business firewalls (Fortigate, Sonicwall, etc.) or are implemented as standalone products (Websense, Barracuda, etc.).  Technically, as long as the SSL Proxy's CA certificate is in the Domain Controller's System-level Trusted Certificate Authorities store, then the connection to the blacklist API will function.


Can I limit which users are affected by Password Firewall?

Yes.  By default, all user password changes are processed by Password Firewall, but you can control this based on Active Directory group membership.  Simply create an AD security group and add the users that should have their password choices scrutinized by Password Firewall.  Then open the passwd.ps1 add this group name to the GroupFilter variable near the top of the file.


Why is Password Firewall programmed in PowerShell?

Some applications have pre-requisites that make installation and support more complex.  PowerShell is already built-in to all Windows Servers and has all the functionality needed to support Password Firewall, so utilizing PowerShell keeps the Password Firewall client software lightweight and easy to deploy.  Furthermore, PowerShell scripting is a humanly readable format that is easy to understand (even for non-programmers) and any legitimate security-based software solution should be able to show its source code without impacting the security of the solution.


Can I change the passwdfw.ps1 script?

Password RBL will not be able to support any changes.  If you do choose to augment the script file, exercise extreme caution.  The passwdfw.ps1 script is executed with SYSTEM level permissions so it is very important to follow all programming best practices so you don’t expose your system to any security risks.  Be aware that re-installations and upgrades using the Password Firewall Easy Installer will overwrite any changes you’ve made to the passwdfw.ps1 script. 


How do I get a report of how many bad passwords are being blocked?

The easiest way to do this is to use the tracking IDs assigned to your Password RBL account.  If you add your specific tracking ID to the passwdfw.ps1 script (see the Additional Configuration section) then you can utilize the My Metrics page at PasswordRBL.com to obtain a report and download lifetime statistics.

What is Password RBL?

Password RBL is a Real-Time Blacklist for Passwords.  Our database contains millions of passwords that should no longer be used because they are either easily guessed or have been publicly leaked as part of the many data breaches that have occurred in recent years.  Access to this database is provided in a Software-as-a-Service (SaaS) model via a RESTful Web API for web servers and apps or our Password Firewall software for Windows.


Why would I want to use Password RBL?

Hackers are gaining unauthorized access to Internet-connected businesses more and more frequently.  This is because there are so many user accounts that have poor passwords set.  Password RBL knows about these passwords and can prevent these passwords from being chosen in the first place.


Do I get an email when one of my passwords get leaked?

That is how a few somewhat similar services work, but that's not how Password RBL works.  While other services will notify you after your account has been hacked (hopefully very soon after the hack), Password RBL proactively prevents poor password choices which keeps hackers out in the first place.

How do I know Password RBL isn't just reading all my passwords?

Because it's not possible!  Passwords submitted to the Password RBL API have already been cryptographically hashed with 30,000 rounds of the industry standard PBKDF2 algorithm.  Cryptographic hash functions are one-way functions that cannot be reversed or "decrypted."   This one-way property of cryptographic hashing prevents Password RBL from being able to determine original passwords from hash values being submitted.  Basically, the API looks for the existence of the hash value in the database not the actual password.  And, remember, any code we provide to customers is 'source-available' so you can go see for yourself!


What is Double-Blind Hashed Password Submission?

This is our way of describing how Password RBL anonymizes the queries sent to the service.  Before your server sends in the passwords supplied by your users, they are hashed, not once but 30,000 times, using a salt and standard PBKDF2.  When the queries are received by Password RBL, they are then hashed again, over 10,000 times, with a different salt.  The salts utilized are the same amongst all Password RBL customers, which prevents Password RBL from determining which hash values are used by which customer.  The term "double-blind" comes from these two separate hashing steps and the inability to link a specific hash value to a specific customer.


How many passwords are in the database and what languages are included?

Our database of bad passwords is constantly growing as we discover more and more leaked credential lists.  As of mid-2016, there are approximately 70 million entries in the database.  These entries mostly consist of Western European Languages, such as English, Spanish, Italian, French and German.  However, other languages are included and are typically sourced through honeypot services and hacker tool analysis.


After I subscribe, can I use the service to scan all my existing user passwords?

Unfortunately, no.  The service is only a real-time query and can only accept passwords hashed with the salt and algorithms specified in the API.  But your users' passwords should already be uniquely salted and hashed in a different manner.  (And if you're storing passwords properly, you should not be able to decrypt passwords.)


Can I subscribe to the service if I send queries from an application rather than a web server?

Interesting.  The service was originally designed with Active Directory and web servers in mind, but technologically, it will work if you can perform HTTPS GET requests and compute a PBKDF2 (or alternatively, a SHA256) hash.  We'd love to hear about your project.  Please use the contact link at the base of the page and tell us about your ideas.


Can I receive a report that shows how many of my users are choosing bad passwords?

Yes.  The API allows for an optional parameter that can be used to track queries.  This is solely so that customers can receive metrics on how well the service is working for their site/business.  This tracking feature only counts positive or negative responses.  It does not log the submitted values.  This tracking ID is completely optional so that customers who still wish for their queries to remain anonymous can continue to send anonymous queries to the service. Head over to the My Metrics page to get a custom report.   


If you wish to continue sending anonymous queries, then you'll need to keep track of query results on your side of the connection in order to determine how many submissions to the API occur and how many times a match is returned.  As of version 2.15, Password Firewall for Windows can log messages in the Windows Event Log when a lookup results in a database match or not.


Do I have to subscribe for each website I operate?

No.  You only need to subscribe for any website that will submit queries to the Password RBL API.


I have vanity domains, do I need to add these to the registration form?

No.  You only need to subscribe for any website that will submit queries to the Password RBL API.


How does billing work?

During the registration process, you provide your billing contact information.  Every month (after the free trial) you will receive a recurring invoice for the chosen subscription package or custom quote.  You can easily pay the invoice online and optionally save your credit card information to be auto-billed next month, if you like. Payments are processed by WePay.  You are not providing your payment card information to Password RBL.  Of course, if you prefer paying by company check, that is also an option.  Simply print out the PDF invoice, follow the instructions on the payment stub and drop it in the mail.


What payment methods are avaialble?

Password RBL supports many different payment methods.  Here is a quick list..

  • Credit Card (VISA, Mastercard or American Express)
  • PayPal (various methods)
  • Wire/Bank Transfer (ACH or BIC/SWIFT for international customers)
  • Company check via "snail-mail"


How do I change the contact email address for my subscription?

If you'd like to change or add an email address, just use the contact page and send us a note.  We'll then send a confirmation email to the original email address to verify the change.


How can I cancel my subscription?

We're sorry to see you go and hope we served you well.  To cancel your subscription, simply contact us via our web form, send an email, or call. 

Subscription & Registration

Getting

aRound

Frequently asked questions

and Deep-Dive information

I'm interested in using a custom password blacklist, so where do I start.. how does it work?

Using the custom blacklist feature of Password Firewall or the Password RBL API is easy! First you need to make a list of the passwords you want to add to your blacklist.  Then, the easiest way to add these passwords to your custom blacklist is to use our provided custom blacklist management utility (written in PowerShell so you'll need a Windows computer).  Then just make sure you are using Password Firewall v2.0 or later and you've added your custom blacklist ID to the passwdfw.ps1 file so your API queries also check your custom blacklist during the query. 

.

Can Password RBL see the passwords I add to my blacklist?

No.  This is because before the passwords get sent to Password RBL, they are iteratively hashed - just like how the queries to Password RBL work.  So, this means you are just sending Password RBL the cryptographic hashes of the passwords you chose.


Can I use wildcards when building my custom blacklist?

No.  The provided custom blacklist management utility and accompanying API do not allow wildcards.  This is because the custom blacklist feature of Password RBL is implemented the same way the shared blacklist is implemented, so that even Password RBL cannot determine what passwords are in your custom blacklist.  You just need to create an input file that has each password permutation you'd like to blacklist per line.  The custom blacklist management utility then takes each password, iteratively hashes it before adding into your custom blacklist. The provided documentation has some suggestions for creating common permutations of bad passwords.


I ran the Custom Blacklist Management utility. I get the response "unnecessary."  What does this mean?

This is not an error.  It just means that it was unnecessary to add or delete this entry from your custom blacklist because it either already existed (in the case of "add") or it wasn't in the custom blacklist (in the case of "delete").  There is no penalty for submitting unnecessary queries, so you can disregard these messages.  However, if you have a large blacklist and are just adding a few entries, it will be faster if you perform the adds using just a list of these new passwords.

Custom Blacklist Questions

Password Firewall for Windows

We know our FAQ is verbose, but we want to provide as much information as possible so you are as comfortable as possible with the service. 
We recommend reading through the entire page as it contains a lot of great information.  But we also put all the questions and answers on one page so you can simply use the Find feature of your Internet browser to search for terms related to the question you have.


Have a question that isn't answered here?

Let us know!


Navigation

General Installation / Implementation Related

Sure Password RBL helps prevent data leaks, but what if Password RBL gets breached/  Is my company at risk if the Password RBL database is leaked?

No.  Password RBL was designed with security at the forefront.  We take all possible precautions to protect our systems from known attacks and theoretical ones.  If the Password RBL API systems were compromised and the database were leaked, this would still pose no security threat to customers.  This is because we are not storing the passwords that your customers are using, we're storing millions of password hashes that they are not using.  If an unauthorized party did obtain the Password RBL database, this would not help them at all.  And furthermore, all passwords added to the database are always stored as hashes, and the original cleartext passwords are not on any online systems (Password RBL maintains separate, offline, systems we use to inject new leaked passwords lists into the database). 


The API Guide specifies I can use PBKDF2 or SHA256 hash algorithms.  Which should I use?

The recommended, and default, choice is PBKKDF2.  This is because it uses many thousands of rounds of hashing to slow down any theoretical, future brute force attempts at reversing the hash values.  SHA256 is a very compatible algorithm that can be calculated by most all systems or software libraries.  It is included for this very reason, but only performs two rounds of hashing.  So it is less resilient to brute force attacks.  But being able to carry-out a man-in-the-middle attack on submissions being sent to Password RBL is really only theoretical, since all submissions are always performed over a TLS-encrypted HTTPS connection.   


You mention that the salt values used are always the same.  Shouldn't salts always be different?

When protecting user credentials, yes, salt values should always be unique. This prevents two accounts that have chosen the same password from having the same hash value.  This is especially important if a credential database is leaked to unauthorized parties.  But Password RBL is not protecting user credentials, and furthermore, we need the same input to always result in the same hash output so we can match the value in our database.  And since queries to the API are already hashed, we, as a service provider, cannot determine the original cleartext password.


Why doesn't the service use bcrypt to protect the hashed passwords in the database?  

A password-based key derivation function (PBKDF), like bcrypt, should always be used to protect credentials used to access an account.  Bcrypt was one of the first PBKDF functions.  Password RBL uses a more recent and very popular/compatible function called PBKDF2 with 30,000 rounds of hashing - before the password is sent to the API.  Once received, the hashvalue is then subjected to over 10,000 additional rounds of SHA512 hashing before searching for a match in the database.


Service Related / How It Works

Password

Prevent bad passwords before they happen!

Direct API Access Questions

Where do I place the code on my website to use the Password RBL API?

You place the code in the server-side validation logic associated with the HTML form submission for new user account creation and/or existing user account password changes or resets.  For additional security, you can query Password RBL every time a user logs in, and if their password is listed in the API, then you could suggest or force them to change their password.
.

How does the service block logins on my website?

Actually, the Password RBL API service does not block logins on your website.  The API only tells your server if the submitted password exists in our growing database of known bad passwords.  You decide what to do with this information.  You can choose to deny the use of this password on your website and have your user choose a new password, or you could warn your user and ask if they'd like to choose a new password.  Alternatively, you could also use the API in reporting-only mode.


Can I instead query the Password RBL API in client side JavaScript?

We're sorry, but no.  Our service is designed to only allow connections from web server IP Addresses that have an active subscription to the service, and thus, the connections to the API must come from your server and not client-side processing.


We don't perform any server-side validation, can we still use the Password RBL service?

The service only allows connections from specific source IP addresses (web servers).  More importantly, though, web sites that allow form submissions should always perform both client-side and server-side validation logic.  Our Download Page contains a sample site that implements both.   Check it out!


General Information

Do I need to open any ports on my firewall to use Password RBL service?  If so, which ones?

You probably do not need to change your firewall configuration.  Queries sent to the Password RBL API are sent via standard HTTPS (TCP/IP port 443) to "api.passwordrbl.com".  Outbound HTTPS is rarely blocked by firewalls, so you probably don't need to worry, but your network administrator can tell you for sure.


What is Reporting-Only Mode?

Reporting mode is used by some Password RBL subscribers just to monitor the quality of passwords chosen by their employees/users.  In this implementation, no action is taken on the subscribing website/AD if the password chosen by the end-user is listed in the Password RBL database.  Instead, the API responses are just used for reporting purposes.  The API responses should be tallied on the subscriber's side of the equation, or utilize Password RBL's TrackingID API parameter so that we can track the responses for you.  If you choose the latter (and easier) method, then head over to the My Metrics page to run reports based on your Password RBL assigned TrackingIDs.  Do note that when using Reporting-Only Mode, you will see a lower hit-percentage than when using the API in normal mode because typically it takes users 2-3 tries to pick a non-listed password, but in Reporting-Only mode, there is only one query to the API regardless if the chosen password is listed or not.


Why would I want to use than one Tracking ID?

In short, for more granular reporting.  For example, for one subscription fee, you can send queries to Password RBL from multiple different systems.  Each of these systems could use their own Tracking ID so you could get system-specific metrics on password choices between say, your public eCommerce site, your internal Intranet site, and your Active Directory.  It's common for Active Directory administrators to use a Tracking ID for all domain controllers at each business site.  They can use the reporting data to determine which site(s) need more password training.


Does Password RBL provide any implementation assistance?

Currently we do not.  Every subscribing site is different, and no one will know it as well as the website owner.  But, while we don't help you with your specific website, we do provide sample code, including a few working sites, so you can see how to add Password RBL to your site.  Head over to our Downloads page to download our code examples.


We've changed web hosts and/or ISPs, how can I update the sources of my queries?

Just use our contact form (at the bottom of this page) and send us a note containing your new IP address(es) and we'll update our systems and let you know as soon as it is complete.


Can I query the API from multiple servers in the same IP range (and it counts as one source)?

Yes, as long as the server IPs are all in one contiguous CIDR range (up to 8 IPs), this is allowed and counts as a single source, even though queries are originating from multiple servers.  This is because some web sites rely on multiple servers, but support a single website/business. 


How are the "Queries per Day" counted and what happens if I go over the limit?

Different subscription packages have a different amount of allowed queries to the API each day.  This number is the maximum number of calls to the API within a 24 hour period.  Every call to the API counts as a query. 


This concept is best explained by example.  If it takes one of your end-users three tries to pick a good password, then this counts as 3 queries.  Once you have reached your limit, no more connections to the API are allowed.  By default, Password Firewall will allow password change events to occur if your daily limit has been reached, but passwords will not be checked against the blacklist API.  The available pool of queries recharges in a 24 hour period (each allotted query will be usable again in 24 hours). 

Security Related