What is safeppass.me
safepass.me is currently the only fully-offline, efficient and cost-effective solution for Active Directory users to fulfill the new official password guidelines and prevent users from setting a compromised password (a password found in any of the breached database that have leaked online – eg LinkedIn, Adobe, Dropbox, etc)
Why should I use safepass.me?
The consensus from the security community has shifted and the former password complexity requirements are now deemed counter-productive. Forcing users to pick “strong” passwords and rotating them means that they will pick predictable patterns that will be easily guessed by an attacker.
safepass.me uses AI algorithms to efficiently determine whether the new password the user has picked belongs to the known-bad lists (these are compromised databases of various sizes that have leaked into the public domain).
Being security professionals and unlike most of our competitors, we do not feel like sending your passwords to an online service is an acceptable solution… so everything happens offline, like it should.
Is there a Demo I can try?
Check this video to see how the tool works.
How many passwords does safepass.me check?
Currently approximately 517M passwords. We leverage an improved upon version of the HaveIBeenPwned dataset (30GB of data).
Are there any legal implications from using a database of compromised passwords?
This is clearly a grey area of the law… On one hand you have guidances (including from the government) suggesting that you should check whether your users are using compromised passwords … and on the other you have numerous laws (in the UK this would be the section 3A of the Computer Missuse Act and GDPR) discouraging you from obtaining and storing the data required to allow it.
The software developer, Matta Consulting Ltd, as a company that has been providing Incident Response and Security Services for almost two decades now, have a clear need to source, store and process such data… but you do not. This is why safepass.me has been developed. It is a unique solution to fulfill the requirement, follow the security best practices and shield your business from potential legal hurdles.
safepass.me uses a proprietary, binary “processed” representation of the compromised data-set that cannot be reverse-engineered nor used to assist in the commission of an offence under the CMA. Gigabytes of data have been compressed into a ~376MB package.
What do I need to install safepass.me?
Nothing special except administrative credentials. safepass.me should work on all x64 windows versions (and has been tested on all Windows Server editions from 2003r2 up to 2016 Core Edition).
It ought to be installed on all Domain Controllers (except read-only ones), but you can also install it on a non-domain joined workstation to try it out first.
Can I download a trial copy?
Sure, you can get a 14-day trial of safepass.me. It is packaged in a 376MB MSI file. We have made the install process as straightforward as possible but if you have any feedback on how to make it even easier, we are eager to hear from you.
To get your trial, please fill out our registration form. This helps us determine which licese is the best for your size orgainization and make obtaining your license a snap.
Why should I trust it?
It’s been written by the guys at Matta Consulting Ltd, a UK cyber security company that’s been around since 2001. We don’t do anything other than security so our whole focus is clear. You can learn more about MATTA. Threat Condition has known the guys at Matta for a long time and we have selected them as a provider of excellent (and easy to use) security solutions.
We have used our decades of experience in the security space to bring you the best technical trade-off possible. Yes, safepass.me needs to run as SYSTEM on the most trusted part of your infrastructure… but we have taken every step possible to make this as secure as we could.
Like most of our competitors, we understand and have deployed the following: * A sound technical architecture; everything is self-contained and runs offline, we leverage the standard APIs and system facilities as appropriate. * The attack surface of our software is minimal: our code runs only when you are changing a password (no service, no background resource usage)! * Our code is signed and doesn’t “auto-update”. You remain in control. ASLR, DEP, SafeSEH exploit mitigations are enabled on all the relevant code
How can I check that it works?
Once installed, after having rebooted, try to change the guest user’s password using the following commands in an elevated command prompt:
net user guest "MattaPassword123!"
This specific password will probably pass the other checks you might be enforcing… but will be blocked by safepass.me.
My trial ran out, Where can I get the license?
That’s easy, just fill out this form. Your order will be processed and license sent to you.
Can I use my own dictionary / add more blacklisted passwords?
Since version 0.0.5 yes you can! The custom wordlist is located in c:\windows\system32\safepassme\wordlist.txt and should contain one word per line. safepass.me expects the file to be UTF-8 encoded and does a fuzzy matching against it.
The current fuzzy matching algorithm is based on a case insensitive Damerau-Levenshtein distance calculation. If less than three permutations are required to “match” a word from the list, the attempt will be blocked.
Can I add additional complexity requirements and/or use other password filters?
Yes you can. Password policies are additive and if you are already using a password filter from one of our competitors, nothing prevents you from enforcing additional checks using ours. Give it a try! Our software will even log to the windows event log whether each password change attempt was authorized or not.
What are the current security best practices for password policies
- When it comes to passwords, length is what matters most. Educate your users to pick a long passphrase or a sequence of a few random words rather than a password. Aim for “at least 8 characters” but forget about special and weird characters. Pick a ‘passphrase’ rather than a password. Passphrases are easier for users to remember, but very hard for computers to guess.
- Do not enforce frequent, uncalled for, password changes. Once a long, secure password has been chosen, it is counter-productive to ask the user to change it on a regular basis, unless it is suspected that it has been compromised. Your users will welcome this change and will be more inclined on picking one long and strong password once and for all!
- Do ensure that you deter online brute-force attempts by configuring an account lockout policy
- Last but not least, you should make sure the password isn’t in one of the publicly leaked databases and this is why you should be using safepass.me!
The new password guidelines can be found below: Password Guidance from NCSC (specific guidance regarding password expiry) Password Guidance from NIST (full version on NIST: Special Publication 800-63) Password Guidance from Microsoft
How would you configure it in terms of GPO ?
This is the template we recommend you configure on your domain: It can be improved upon depending on your risk appetite and compliance requirements.
In The Group Policy Management Editor find. Default Domain Policy -> Computer Configuration -> Policies ->Windows Settings -> Security Settings->Account Policies->Password Policy, set the values to:
- Enforce password history: 0 passwords remembered
- Maximium password age: 0
- Minimum password age: 0 days
- Minimum password length: 8 characters
- Password must meet complexity requirements: Disabled
- Store passwords using reversible encryption: Disabled
In The Group Policy Management Editor find. Default Domain Policy -> Computer Configuration -> Policies ->Windows Settings -> Security Settings->Account Policies->Account Lockout Policy, set the values to:
- Account lockout duration: 0
- Account Lockout threshold: 10 invalid logon attempts
- Reset account lockout counter after: 30 minutes
Is it compatible with Azure Active Directory Connect?
Yes, provided you use password writeback. Instructions on how to do it can be found at : https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback
How do you deploy the license file?
We provide our Enterprise customers with a license file that enables them to use their entitlement offline. Like everything else, we have tried to make it as simple as possible: Copy the file we have provided into the following folder:
%System32%\safepassme\safepassme.lic (usually this is C:\Windows\System32\safepassme\safepassme.lic)
It will be picked up by the software upon reboot or in the next few hours. Where possible, it’s best to deploy it right after installing the software (and just before rebooting).
Where can I find the documentation?
The latest documentation can be found here.