Windows Password Filters

Do you have password requirements that your Windows accounts must follow? What if the requirements do not fall within Microsoft's password requirement policies? You can create your own filter to enforce custom rules.

Uses for Password Filters

One example of why you would want to use a password filter is to match the password against a database of known bad passwords and deny your customer the use of that password.

Obtaining a Password Filter

You are able to create your own filter or find a precompiled filter that matches your requirements. We will be using OpenPasswordFilter from https://github.com/brockrob/OpenPasswordFilter.

Installing the Password Filter

There is an installer, but we will be installing just the service and the DLL. First, launch and compile OpenPasswordFilter. Copy the DLL into C:\Windows\System32.

Register Password Filter

Launch Registry Editor, navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and add OpenPasswordFilter to the Notification Packages value.

Picture of windows registry

Installing the Service

Compile OPFService and copy it to a directory on the target machine, such as C:\Services. Launch a command prompt as administrator. Type the following command and set the service to launch at boot.

sc create OPF binpath= C:\services\opfservice.exe
Picture showing command prompt.

Restart PC

You need to restart your PC for Windows to load the password filter. You can now test. The password filter that we used logs events in the Event Viewer.

If you run the service as a console application in debug mode, you can see it checking the password against the service you configured it to check. If it finds a match, the check fails and the password is not changed, as it does not meet the complexity requirements.

Picture showing the password filter working.
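
After the restart, one way to confirm the installation steps above took effect is to audit the registry value, the DLL, and the service from PowerShell. This is an added example, not code from OpenPasswordFilter or the original page. It assumes the names used above (OpenPasswordFilter, OPF) and treats scecli and rassfm as the Windows default notification packages, so adjust that list for your environment.

```powershell
# Added example (not OpenPasswordFilter code). Run in 64-bit PowerShell on the
# machine where the filter was installed. Names below come from the steps above.
$filterName  = 'OpenPasswordFilter'   # entry added to Notification Packages
$serviceName = 'OPF'                  # name passed to "sc create"
$lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$defaults    = 'scecli', 'rassfm'     # assumed Windows defaults; adjust as needed

# LSASS loads every DLL named in this multi-string value at boot.
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages') |
    Where-Object { $_ -and $_.Trim() }

# Resolve each registered package to its DLL and record the signature state.
# A self-compiled OpenPasswordFilter.dll is expected to show NotSigned.
$report = foreach ($pkg in $packages) {
    $file = if ($pkg -like '*.dll') { $pkg } else { "$pkg.dll" }
    $path = Join-Path $env:windir "System32\$file"
    $sig  = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'FileMissing' }
    [pscustomobject]@{
        Package   = $pkg
        Path      = $path
        Signature = $sig
        Expected  = ($pkg -eq $filterName) -or ($pkg -in $defaults)
    }
}
$report | Format-Table -AutoSize

if ($packages -notcontains $filterName) {
    Write-Warning "$filterName is not listed in Notification Packages; the filter will not load."
}
# Anything else in the list also receives password changes, so flag it for review.
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "Unexpected notification package: $($_.Package) -> $($_.Path)"
}

# The page installs the service alongside the DLL; it should exist and start at boot.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Warning "Service $serviceName is not installed."
} else {
    $svc | Select-Object Name, State, StartMode, PathName | Format-List
    if ($svc.StartMode -ne 'Auto') {
        Write-Warning "Service $serviceName is set to $($svc.StartMode), not Auto; it will not launch at boot."
    }
}
```

Because every DLL in Notification Packages is handed password changes, the same listing is worth running periodically and comparing against a known-good baseline.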