
Frequently Asked Questions

We’ve collated answers to the questions we’re asked most often here, split into sections for ease of reference. If you have a question that isn’t answered here, please contact us.

About Safepass.me®

Why Safepass.me®?
  • Built With Security In Mind. All our code is triple-checked for safe memory management by the same consultants who have been performing source code audits for over a decade.
  • Easy to Install and Maintain. Safepass.me® is the enterprise-ready software that you can install in under three minutes and forget about. Really!
  • Personal Customer Care. We care for each and every one of our clients and we’ll always be available if you have any questions or need extra support.
  • Fast and Efficient. We’ve built Safepass.me® with the smartest algorithms and a hint of AI to ensure maximum efficiency and reliability of operations.
  • Offline. Safepass.me® operates offline. There’s no need to send hashes or anything else to us to secure your passwords.
  • Cost-effective. Safepass.me® doesn’t come with a hefty price tag like you’re used to.
  • 0-configuration. Unlike other products, after installing Safepass.me® in under three minutes there is no configuration required, no need to import databases or mess around with scripts. It will simply start protecting your organisation. Safepass.me® comes pre-configured with smart defaults so you don’t need to worry about anything else!

How Many Passwords Do You Check Against?

Safepass.me® checks against over half a billion passwords. We use an optimised superset of the HaveIBeenPwned database.

Can I Add My Own Wordlist?

We’ve supported wordlists since version 0.0.5. The custom wordlist is located in c:\windows\system32\safepassme\config\wordlist.txt and should contain one word per line. Safepass.me® expects the file to be UTF-8 encoded and does fuzzy matching against it.

Can I Audit My AD For Pwned Passwords With Safepass.me®?

Yes! Enterprise customers with a valid subscription get unlimited access to pwncheck® for their domains.

How Can I Get A Trial?

Sure, just contact us and we’ll arrange a free 14-day evaluation.

What Do I Need To Install Safepass.me?

Administrative credentials are needed to install Safepass.me® on a Domain Controller. It should work on all x64 Windows versions (and has been tested on all Windows Server editions from 2008 up to 2019 Core Edition).

It should be installed on all Domain Controllers (except read-only ones), but can be tested on a non-domain joined workstation.

What Happens When The Trial Period Ends?

Nothing. Safepass.me® will just stop enforcing strong passwords and will let you know that this is the case by logging an error message in the Windows event log.

How Can I Avoid Handling Stolen Passwords?

On the one hand, governments recommend checking accounts against lists of compromised passwords. On the other hand, many countries’ laws discourage obtaining and storing the data required to do so.

We (Matta Consulting Ltd), as a company that has been providing Incident Response and Security Services for almost two decades now, have a clear need to source, store and process such data, but you do not. This is why we developed a solution that fulfils the requirement, follows security best practices and shields your business from potential legal hurdles.

Safepass.me® uses a proprietary, binary “processed” representation of the compromised data-set that cannot be reverse-engineered nor used to assist in the commission of an offence.

Technical Questions

Where Can I Find The Documentation?

The Getting Started page has everything you need to get started, including the manual.

How Do I Know It’s Working?

Once installed and after the initial reboot, try to change the guest user’s password using the following command in an elevated command prompt:

net user guest "Password123!"

This specific password will probably pass the other checks you might be enforcing but will be blocked by Safepass.me®.

You should also see Safepass.me-specific events in the Windows Event Log whenever a pwned password is blocked.

Is Safepass.me Compatible With Azure Active Directory Connect?

Yes, provided you use password writeback. Instructions on how to do this can be found at: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback

Does Safepass.me Work With Additional LSA Protection?

Additional LSA Protection has been supported since version 5.1.1 and is fully compatible. Instructions on how to turn it on can be found at: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

How Does Fuzzy Matching Secure My Passwords?

The current fuzzy matching algorithm is based on a case-insensitive Damerau-Levenshtein distance calculation. If fewer than three edits (insertions, deletions, substitutions or transpositions of adjacent characters) are required to “match” a word from the list, the attempt will be blocked.
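
The check described in this answer and in “Can I Add My Own Wordlist?”, as an added example that is not Safepass.me® code: it lets you preview which candidate passwords a custom wordlist would reject. It assumes the optimal-string-alignment variant of Damerau-Levenshtein and a whole-password comparison against each word; the function names and the sample wordlist are constructed for illustration.

```python
MAX_BLOCKED_DISTANCE = 2  # "fewer than three" edits: distance 0, 1 or 2 blocks

# Constructed sample of a custom wordlist file: UTF-8 with BOM, CRLF, a blank line.
SAMPLE_WORDLIST = b"\xef\xbb\xbfContoso\r\nLondon2024\r\n\r\nWinter\n"


def load_wordlist(raw: bytes) -> list[str]:
    """Decode a UTF-8 wordlist, one word per line, skipping blank lines."""
    return [w.strip() for w in raw.decode("utf-8-sig").splitlines() if w.strip()]


def osa_distance(a: str, b: str) -> int:
    """Case-insensitive Damerau-Levenshtein distance (optimal string alignment)."""
    a, b = a.casefold(), b.casefold()
    prev2, prev = [], list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1,         # deletion
                         cur[j - 1] + 1,      # insertion
                         prev[j - 1] + cost)  # substitution (or match)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def blocking_word(candidate: str, words: list[str]):
    """Return (word, distance) for the closest word within the threshold, or None."""
    best = None
    folded = candidate.casefold()
    for word in words:
        # The length difference is a lower bound on the distance: skip early.
        if abs(len(folded) - len(word.casefold())) > MAX_BLOCKED_DISTANCE:
            continue
        d = osa_distance(candidate, word)
        if d <= MAX_BLOCKED_DISTANCE and (best is None or d < best[1]):
            best = (word, d)
    return best


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for candidate in ("Lodnon2024", "c0ntoso!", "C0nt0s0!"):  # constructed inputs
        print(candidate, "->", blocking_word(candidate, words))
```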

Can I Add Password Complexity Requirements?

Yes you can. Password policies are additive and even if you are already using a password filter nothing prevents you from enforcing additional checks using ours.

How Do I Deploy An Offline Licence File?

Most of our customers will use the built-in, convenient and automatic, online licensing scheme and will not require an offline licence file. For those who do run environments where their Domain Controllers do not have internet access, we can provide a licence file that enables them to use their entitlement fully offline. Like everything else, we have tried to make it as simple as possible: copy the file we have provided into the following folder:

%System32%\safepassme\config\safepassme.lic 

(usually this is C:\Windows\System32\safepassme\config\safepassme.lic)

It will be picked up by the software upon reboot or in the next few hours. Where possible, it’s best to deploy it right after installing the software (and just before rebooting).