word image 2

Pwncheck 1.0.34 and a database update for safepass.me v8.0.5

| | ,

We’re delighted to announce the latest release of pwncheck 1.0.34 – the fastest and safest way to find users with pwned passwords on your Active Directory network, offline and without sending your hashes to the cloud.

As always, we recommend that all our users upgrade to the latest version.

The purpose of this release is to bring both pwncheck and safepass.me inline with the latest version of Troy Hunt’s Have I Been Pwned database, while our next major feature release is being polished. The number of unique breached passwords we now check against is over 1.28 billion.

As always, we recommend that you run pwncheck to ensure that none of your Active Directory users are currently using a compromised password, that would likely be present in credential stuffing and password spraying lists used by attackers.

We have also made minor updates to both the pwncheck documentation and safepass.me documentation to reflect recent changes regarding the enhanced database and clarified that we do support our product when you run Windows Server 2025 and document the newly introduced pwncheck feature enabling cross-report (and cross-domains) audits. Thank you for your feedback, it is always appreciated.

To update your safepass.me database, provided that you are using v8.0.5, you can use the following powershell script: It will download locally the new database, verify its integrity and duplicate it onto all your domain controllers.

#Requires -Version 5
#Stop on error
$ErrorActionPreference = "Stop"
#speedup Invoke-WebRequest
$ProgressPreference = "SilentlyContinue"
 
# download the database
$DbFiles = @(
	@{
		DownloadUrl	= "https://downloads.safepass.me/support/HIBPv12-extra.dat"
		FileName	= "HIBPv8.dat"
		FileHash	= "362A471FE4B96F8416A01B0745E0502FC7DAE24C331A72FF3F111DC995FCA0EF"
	}
)

$CWD = $PSScriptRoot
if ($CWD -eq '') {
	$CWD = Get-Location
}

ForEach ($DbFile in $DbFiles) {
	$DbFile.FilePath = Join-Path -Path $CWD -ChildPath $DbFile.FileName

	If ( !(Test-Path $DbFile.FilePath) -or ((Get-FileHash -Algorithm SHA256 $DbFile.FilePath).Hash -ne $DbFile.FileHash) ) {
		Invoke-WebRequest -Uri $DbFile.DownloadUrl -OutFile $DbFile.FilePath -Verbose
		If ((Get-FileHash -Algorithm SHA256 $DbFile.FilePath).Hash -ne $DbFile.FileHash) {
			Write-Error "Error downloading $(Split-Path $DbFile.DownloadUrl -Leaf)"
		}
	}
	Else {
		Write-Host "File $FileName already exists with correct hash, so skipping download" -ForegroundColor Green
	}
}

# upload it to the DCs
$tmpfile = New-TemporaryFile
Get-ADDomainController -Filter * | ForEach-Object {
    Write-host "Performing actions on $($_)"
    $DestPath = "\\$_\C$\windows\system32\safepassme"
    ForEach ($DbFile in $DbFiles) {
        If (Test-Path $DestPath) {
            Copy-Item -Path $DbFile.FilePath -Destination (Join-Path -Path $DestPath -ChildPath $tmpfile.Name) -Verbose
            Move-Item -Path (Join-Path -Path $DestPath -ChildPath $tmpfile.Name) -Destination (Join-Path -Path $DestPath -ChildPath $DbFile.FileName) -Confirm:$false -Force:$true

            $oldDB = Join-Path -Path $DestPath -ChildPath HIBPv8-extra.dat
            If (Test-Path $oldDB) {
                Remove-Item -Path $oldDB -Confirm:$false
            }
        }
        Else {
            Write-Error "SafePass does not appear to be installed on $_ since folder '$DestPath' not found"
        }
    }
}
$tmpfile.delete()

ForEach ($DbFile in $DbFiles) {
	Remove-Item $DbFile.FilePath -Confirm:$True
}

Please note that this script will replace the existing ‘HIBPv8.dat’ database and will delete any ‘HIBPv8-extra.dat’ file. You can safely dispose of any previous dat file that you may have deployed.

Thank you for using our products!