In 2015, Password RBL released Password Firewall for Windows. It extends the Password RBL blacklist service to Microsoft's Active Directory. It features an easy wizard-based installation that only needs to happen on domain controllers and no interface changes for admins or end-users. A single subscription to Password RBL covers the use of Password Firewall for Windows and API access methods.
Real-time Password Blacklist
We’re committed to providing extremely secure solutions that are also simple by design. This is why the Password RBL service was designed to be simple and simply secure. It is simple to subscribe and simple to implement. After that, it simply works - letting you get back to running your business.
The sign up process is simple and straight-forward. Just browse to our subscribe page. This will walk you through the few steps necessary to get the process going. You pick the package that matches your needs or request a free custom quote. Then fill out a short registration form which will provide us the necessary information about your web server(s), domains, and/or IP addresses - and you're done! No credit card is required to get started and there's a free trial, too!
It doesn't matter if you're protecting Active Directory or your website, the process is similar.
One of your customers or employees chooses to create a new account or change their existing account password. When they click submit their computer sends their chosen password to your server.
Your server (webserver or Windows Domain Controller) receives the chosen password data and performs server-side validation logic. It is here that you add the few lines of code to utilize the Password RBL REST Web API or deploy Password Firewall if you're protecting Active Directory. This takes the password submitted by your user, salts it and then hashes it 30,000 times with the industry standard PBKDF2 algorithm. It then sends this hashed value to the Password RBL API Server via an HTTPS request.
The Password RBL firewall verifies that this API request is from an active customer by matching the source IP address in the HTTPS connection to an approved customer list (this is why the registration form requires your domain and/or IP addresses).
The Password RBL API Server performs additional acceptances tests to verify the request is properly formatted and then salts and iteratively hashes the submission again, this time performing over ten thousand rounds of SHA512. The resulting value is then queried for existence in the Password RBL database.
The Password RBL database either contains the hashed value or not. Either way, the Password RBL API server will respond to the subscribing server with a true or false response.
It is your decision how to respond to your customer. If they have chosen a password that exists in the Password RBL database of bad passwords, you may force them to pick a new password, or simply inform them that they have chosen a password that hackers commonly use. The decision is yours!