safepass.me is currently the only fully-offline, efficient and cost-effective solution for Active Directory users to fulfill the new official password guidelines and prevent users from setting a compromised password (a password found in any of the breached database that have leaked online - eg LinkedIn, Adobe, Dropbox, etc).
The consensus from the security community has shifted and the former password complexity requirements are now deemed counter-productive. Forcing users to pick “strong” passwords and rotating them means that they will pick predictable patterns that will be easily guessed by an attacker.
safepass.me uses AI algorithms to efficiently determine whether the new password the user has picked belongs to the known-bad lists (these are compromised databases of various sizes that have leaked into the public domain).
Being security professionals and unlike most of our competitors, we do not feel like sending your passwords to an online service is an acceptable solution… so everything happens offline, like it should.
Currently approximately 551M passwords. We leverage an improved upon version of the HaveIBeenPwned dataset (30GB of data).
This is clearly a grey area of the law… On one hand you have guidances (including from the government) suggesting that you should check whether your users are using compromised passwords … and on the other you have numerous laws (in the UK this would be the section 3A of the Computer Missuse Act and GDPR) discouraging you from obtaining and storing the data required to allow it.
We (Matta Consulting Ltd), as a company that has been providing Incident Response and Security Services for almost two decades now, have a clear need to source, store and process such data… but you do not. This is why we have developed a unique solution to fulfill the requirement, follow the security best practices and shield your business from potential legal hurdles.
safepass.me uses a proprietary, binary “processed” representation of the compromised data-set that cannot be reverse-engineered nor used to assist in the commission of an offence under the CMA. Gigabytes of data have been compressed into a ~376MB package.
Nothing special except administrative credentials. safepass.me should work on all x64 windows versions (and has been tested on all Windows Server editions from 2003r2 up to 2016 Core Edition).
It ought to be installed on all Domain Controllers (except read-only ones), but you can also install it on a non-domain joined workstation to try it out first.
Sure, you can get a 14-day trial of safepass.me. It is packaged in a 376MB MSI file. We have made the install process as straightforward as possible but if you have any feedback on how to make it even easier, we are eager to hear from you.
It’s been written by the guys at Matta Consulting Ltd, a UK cyber security company that’s been around since 2001. We don’t do anything other than security so our whole focus is clear. You can learn more about MATTA.
We have used our decades of experience in the security space to bring you the best technical trade-off possible. Yes, safepass.me needs to run as SYSTEM on the most trusted part of your infrastructure… but we have taken every step possible to make this as secure as we could.
Unlike most of our competitors, we understand and have deployed the following:
Once installed, after having rebooted, try to change the guest user’s password using the following commands in an elevated command prompt:
net user guest "MattaPassword123!"
This specific password will probably pass the other checks you might be enforcing… but will be blocked by safepass.me.
Nothing. safepass.me will just stop enforcing strong passwords… and will let you know that this is the case by logging an error message in the Windows event log.
Since version 0.0.5 yes you can! The custom wordlist is located in c:\windows\system32\safepassme\wordlist.txt and should contain one word per line. safepass.me expects the file to be UTF-8 encoded and does a fuzzy matching against it.
The current fuzzy matching algorithm is based on a case insensitive Damerau-Levenshtein distance calculation. If less than three permutations are required to “match” a word from the list, the attempt will be blocked.
Yes you can. Password policies are additive and if you are already using a password filter from one of our competitors, nothing prevents you from enforcing additional checks using ours. Give it a try! Our software will even log to the windows event log whether each password change attempt was authorized or not.
The new password guidelines can be found below: Password Guidance from NCSC (specific guidance regarding password expiry) Password Guidance from NIST (full version on NIST: Special Publication 800-63) Password Guidance from Microsoft
This is the template we recommend you configure on your domain: It can be improved upon depending on your risk appetite and compliance requirements.
Yes, provided you use password writeback. Instructions on how to do it can be found at : https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback
We provide our Enterprise customers with a license file that enables them to use their entitlement offline. Like everything else, we have tried to make it as simple as possible: Copy the file we have provided into the following folder:
%System32%\safepassme\safepassme.lic (usually this is C:\Windows\System32\safepassme\safepassme.lic)
It will be picked up by the software upon reboot or in the next few hours. Where possible, it’s best to deploy it right after installing the software (and just before rebooting).
The latest documentation can be found here.
We can be reached using this form where will be delighted to answer your questions. We offer discounts to non-profits and EDU customers, and have MSP offerings… for details, just drop us a line!