Get Active Directory users with pwned passwords using PowerShell

The PowerShell script given below will tell you whether the password you provide has appeared in known data breaches. ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers an integration with the 'Have I Been Pwned?' service that informs users if the new password they provide during a password reset or change has been breached before. Here is a comparison between identifying whether a password has been breached using PowerShell and using ADSelfService Plus.

With PowerShell

The Get-PwnedPassword PowerShell package, when installed and run, can identify if the password provided has been breached or not. Run the below script to install the Get-PwnedPassword package:

Install-Script -Name Get-PwnedPassword

Once the package has been installed, run this script to determine if the password you provide has been breached or not.

Get-PwnedPassword <enter the password>

With ADSelfService Plus
  • Go to Admin > Product Settings > Integration Settings.
  • In the Integration Settings section, click Have I Been Pwned, and then click Enable HaveIBeenPwned Integration.
  • Once this integration is successful, whenever a user resets or changes their password in ADSelfService Plus, an error message will pop up if the new password they provide has been breached.

Advantages of ADSelfService Plus

  • Quick configuration: The Have I Been Pwned? integration with ADSelfService Plus can be enabled with minimal steps.
  • Password Policy Enforcer: Another ADSelfService Plus feature that prevents users from creating weak passwords that are vulnerable to attack is the Password Policy Enforcer. With this feature, administrators can create a custom password policy containing rules to blacklist breached passwords, prevent common patterns, and more to ensure that users create strong passwords. This password policy can be enforced during password resets and changes made through ADSelfService Plus as well as native password changes (password change using the Ctrl+Alt+Del console and password reset using the Active Directory Users and Computers (ADUC) console).

Using PowerShell to check pwned passwords

Step 1: Install the required modules

Ensure you have the necessary PowerShell module installed. The script below installs a module that checks passwords against breached databases.

Install-Module -Name HaveIBeenPwned -Scope CurrentUser

Step 2: Hash the password before sending

To protect privacy, convert the password into a SHA-1 hash locally. The next step sends only the first five hex characters of that hash to the API, so the password itself never leaves the machine.

$Password = "UserPassword123!"
# SHA-1 of the UTF-8 bytes of the password, rendered as 40 uppercase hex characters
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$PasswordHash = ([System.BitConverter]::ToString($sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password)))).Replace('-', '')

Step 3: Check against the breach database

Query the Have I Been Pwned range API with the first five characters of the hash. The response lists every hash suffix that shares that prefix together with its breach count; the script below picks out the entry for this password and sets the count to 0 if it is absent.

# Only the 5-character prefix is sent; the 35-character suffix is matched locally
$Prefix, $Suffix = $PasswordHash.Substring(0, 5), $PasswordHash.Substring(5)
$Match = (Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$Prefix") -split "`r?`n" | Where-Object { $_ -like "${Suffix}:*" }
$PwnedCount = if ($Match) { [int](($Match -split ':')[1]) } else { 0 }

Step 4: Alert the user if the password is compromised

If the password is found in the breach database, prompt a reset. The script below notifies users if their password is exposed.

if ($PwnedCount -gt 0) {
    Write-Host "Warning: This password has been compromised $PwnedCount times. Choose a new one!"
} else {
    Write-Host "Password is safe."
}
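Steps 2 to 4 above, combined into one reusable function. This is an added example and is not code from the original article or from ADSelfService Plus. It assumes PowerShell 5.1 or later with outbound HTTPS access to api.pwnedpasswords.com; the function name Test-PwnedPassword and the User-Agent value are my own choices. Compared with the step-by-step snippets, it takes the password as a SecureString, sends the Add-Padding header so a network observer cannot infer the result from the response size, and returns an object instead of printing.

```powershell
# Added example (not from the original article or from ADSelfService Plus).
# Checks a password against Have I Been Pwned using the k-anonymity range API:
# only the first 5 hex characters of the SHA-1 hash leave the machine.
function Test-PwnedPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [securestring]$Password
    )

    # Expose the plaintext only for the moment of hashing, then zero the buffer.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # SHA-1 of the UTF-8 bytes, rendered as 40 uppercase hex characters.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $hashBytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($plain))
    } finally {
        $sha1.Dispose()
    }
    $hashHex = ([System.BitConverter]::ToString($hashBytes)).Replace('-', '')
    $prefix  = $hashHex.Substring(0, 5)
    $suffix  = $hashHex.Substring(5)

    # Ask for every suffix sharing the prefix. Add-Padding makes the API return
    # extra zero-count lines so the response size does not reveal the result.
    $uri     = "https://api.pwnedpasswords.com/range/$prefix"
    $headers = @{ 'Add-Padding' = 'true'; 'User-Agent' = 'Test-PwnedPassword-example' }  # hypothetical UA string
    $body    = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

    # Each line is "<35-hex-suffix>:<count>". Padded lines carry a count of 0.
    $count = 0
    foreach ($line in ($body -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            $count = [int]$parts[1]
            break
        }
    }

    [pscustomobject]@{
        Prefix     = $prefix
        Pwned      = ($count -gt 0)
        PwnedCount = $count
    }
}

# Usage: prompt as a SecureString so the password never lands in console history.
$candidate = Read-Host -Prompt 'Password to check' -AsSecureString
$result = Test-PwnedPassword -Password $candidate
if ($result.Pwned) {
    Write-Warning "Seen $($result.PwnedCount) times in breach data; choose a different password."
} else {
    Write-Host 'Not found in the Have I Been Pwned corpus.'
}
```

Because the function returns an object, it can be piped into further logic (for example, refusing a password when PwnedCount is above 0) rather than relying on the text Write-Host prints. Note that a result of "not found" only means the password is absent from the Have I Been Pwned corpus, not that it is strong; length and complexity rules still apply.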

FAQs

1. What is a "pwned" password?

A password found in a data breach is considered "pwned" and should be changed.

2. How do I check if a password is compromised using PowerShell?

Use the Have I Been Pwned API by requesting the range for the first five characters of the password's SHA-1 hash (5BAA6 below is an example prefix):

Invoke-WebRequest -Uri "https://api.pwnedpasswords.com/range/5BAA6" -UseBasicParsing

3. Can I block users from using pwned passwords in AD?

Yes, use custom scripts to compare passwords against a breached password list and notify the users using breached passwords.
