Password validation script checking against stored passwords

  • Question

  • I am able to create a script to check and validate for the password complexities outlined by our Active Directory GPO, but is there a way to check the password against the 1-24 stored passwords to validate that it hasn't been used before?

    Thanks

    Thursday, July 31, 2014 3:47 PM

Answers

  • is there a way to check the password against the 1-24 stored passwords to validate that it hasn't been used before?

    The direct answer to this question is "no."

    As I mentioned before, the error code is somewhat vague for a reason. Your help desk and users will have to know that there is a possible list of reasons why the system won't let them use their new password.


    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by kensters Thursday, July 31, 2014 6:40 PM
    Thursday, July 31, 2014 6:23 PM

All replies

  • I am able to create a script to check and validate for the password complexities outlined by our Active Directory GPO

    First, what specifically does this script do?

    Second, why do you need to do it?


    -- Bill Stewart [Bill_Stewart]

    Thursday, July 31, 2014 3:57 PM
  • Thanks for the reply! With the complexity rules and the 24 stored passwords, the end-users are getting frustrated with a non-descriptive error message when attempting to change their passwords. What I am hoping to do is create a script or app/web-app to allow the end-user to propose a password and get a returned value of "Acceptable" or a return value of "Unacceptable" with the reason why it failed, e.g. "it has been used before... it does not meet the complexity requirements"

    Thanks

    -Ken

    Thursday, July 31, 2014 4:08 PM
  • You haven't said what your current script does.

    Also, the descriptive text for the error is a bit vague for a reason. If it's more specific, it makes passwords easier to attack.


    -- Bill Stewart [Bill_Stewart]

    Thursday, July 31, 2014 4:31 PM
  • Sorry Bill, I have written a forms-based application in VB.NET that will allow the end-user to type in a proposed password. Upon the press of the "Test" button the application loops through the characters in the textbox.text and determines if it meets at least three of the following requirements:

    1) the proposed password has at least one uppercase character

    2) the proposed password has at least one lowercase character

    3) the proposed password has at least one numeric value

    4) the proposed password has at least one symbol

    5) the proposed password has at least one Unicode character (non upper/lower case)

    and an overall check that it meets the length requirements.

    I am hoping to find a way to check against the stored passwords to find out if the password has been used before.

    Thanks,

    -Ken

    Thursday, July 31, 2014 4:45 PM
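The following PowerShell is an added example, not code from the thread or from Ken's VB.NET application: it approximates the Windows "Password must meet complexity requirements" rule (the five character categories, three required) plus a minimum-length check, and returns every reason a candidate fails, which is the "Unacceptable, because ..." result described above. Password history is deliberately not checked, since Active Directory does not hand the stored history to a client; the returned object only records that history was not verified. The minimum length, the account-name check and the sample names are assumptions; read the real values from the GPO.

```powershell
# Added example, not code from the thread: approximates the Windows
# "Password must meet complexity requirements" rule plus a minimum-length
# check and returns every reason a candidate fails. Password history is
# intentionally not checked here, because AD does not expose it.
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = '',
        [int]    $MinimumLength  = 8      # assumption: take the real value from the GPO
    )

    $reasons = New-Object 'System.Collections.Generic.List[string]'

    if ($Password.Length -lt $MinimumLength) {
        $reasons.Add("is shorter than the minimum length of $MinimumLength")
    }

    # The five categories Windows counts; at least three must be present.
    $upper = $lower = $digit = $symbol = $otherAlpha = $false
    foreach ($c in $Password.ToCharArray()) {
        if     ([char]::IsUpper($c))  { $upper = $true }
        elseif ([char]::IsLower($c))  { $lower = $true }
        elseif ([char]::IsDigit($c))  { $digit = $true }
        elseif ([char]::IsLetter($c)) { $otherAlpha = $true }   # alphabetic but caseless, e.g. CJK
        else                          { $symbol = $true }       # everything else, space included
    }
    $present = @(@($upper, $lower, $digit, $symbol, $otherAlpha) | Where-Object { $_ }).Count
    if ($present -lt 3) {
        $reasons.Add("uses only $present of the 5 character categories (3 required)")
    }

    # The Windows rule also rejects passwords containing the account name or any
    # token of three or more characters from the display name, case-insensitively.
    $tokens = @()
    if ($SamAccountName) { $tokens += $SamAccountName }
    if ($DisplayName)    { $tokens += ($DisplayName -split '[,.\-_ #\t]') }
    foreach ($t in $tokens | Where-Object { $_.Length -ge 3 }) {
        if ($Password.IndexOf($t, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains '$t' from the account or display name")
        }
    }

    [pscustomobject]@{
        Acceptable      = ($reasons.Count -eq 0)
        Reasons         = $reasons.ToArray()
        HistoryVerified = $false    # only the domain controller can compare against stored history
    }
}

# Usage with constructed sample values: the first call is rejected for length,
# category count and the 'Ken' token; the second passes every local check.
Test-PasswordComplexity -Password 'kenpass' -SamAccountName 'kstewart' -DisplayName 'Ken Stewart'
Test-PasswordComplexity -Password 'Correct-Horse-7-Battery' -SamAccountName 'kstewart' -DisplayName 'Ken Stewart'
```

Because the history comparison can only happen on the domain controller, a tool like this can at most rule out the locally checkable reasons before the real change is attempted; a candidate that passes here and is still rejected by the DC was most likely caught by the history rule, and, as the accepted answer notes, the DC's error deliberately does not say so.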
  • You might have a look at the NetValidatePasswordPolicy API.


    -- Bill Stewart [Bill_Stewart]

    Thursday, July 31, 2014 4:55 PM
  • Thanks Bill. I did look at that API... it does all the checking against AD except, unfortunately, it doesn't do AD password history checking.

    The NetValidatePasswordPolicy function does not validate passwords in Active Directory accounts and cannot be used for this purpose. The only policy that this function checks a password against in Active Directory accounts is the password complexity (the password strength).

    Thanks,

    -Ken

    Thursday, July 31, 2014 4:58 PM
  • Think about what you're asking.

    "I want the list of a user's previous passwords."

    Isn't that an information disclosure vulnerability?


    -- Bill Stewart [Bill_Stewart]

    Thursday, July 31, 2014 5:03 PM