What is safepass.me?
safepass.me is currently the only fully-offline, efficient and cost-effective solution for Active Directory users to fulfill the new official password guidelines and prevent users from setting a compromised password (a password found in any of the breached databases that have leaked online, e.g. LinkedIn, Adobe, Dropbox, etc.).
The consensus from the security community has shifted and the former password complexity requirements are now deemed counter-productive. Forcing users to pick "strong" passwords and rotating them means that they will pick predictable patterns that will be easily guessed by an attacker.
safepass.me uses AI algorithms to efficiently determine whether the new password the user has picked belongs to the known-bad lists (these are compromised databases of various sizes that have leaked into the public domain).
Being security professionals and unlike most of our competitors, we do not feel like sending your passwords to an online service is an acceptable solution... so everything happens offline, like it should.
How many passwords does safepass.me check against?
Currently approximately 501M passwords. We leverage an improved upon version of the HaveIBeenPwned dataset (30GB of data).
Are there any potential legal implications with hosting or using a database of compromised passwords?
This is clearly a grey area of the law... On one hand you have guidance (including from the government) suggesting that you should check whether your users are using compromised passwords... and on the other you have numerous laws (in the UK this would be section 3A of the Computer Misuse Act, and the GDPR) discouraging you from obtaining and storing the data required to do so.
We (Matta Consulting Ltd), as a company that has been providing Incident Response and Security Services for almost two decades now, have a clear need to source, store and process such data... but you do not. This is why we have developed a unique solution to fulfill the requirement, follow the security best practices and shield your business from potential legal hurdles.
safepass.me uses a proprietary, binary "processed" representation of the compromised data-set that can neither be reverse-engineered nor used to assist in the commission of an offence under the CMA. Gigabytes of data have been compressed into a ~376MB package.
What do I need to install safepass.me?
Nothing special except administrative credentials. safepass.me should work on all x64 Windows versions (and has been tested on all Windows Server editions from 2003 R2 up to 2016 Core Edition).
It ought to be installed on all Domain Controllers (except read-only ones), but you can also install it on a non-domain joined workstation to try it out first.
Can I try it?
Sure, you can get a 14-day trial of safepass.me. It is packaged in a 376MB MSI file. We have made the install process as straightforward as possible but if you have any feedback on how to make it even easier, we are eager to hear from you.
Why should I trust it?
It's been written by the guys at Matta Consulting Ltd, a UK cyber security company that's been around since 2001. We don't do anything other than security so our whole focus is clear. You can learn more about MATTA.
We have used our decades of experience in the security space to bring you the best technical trade-off possible. Yes, safepass.me needs to run as SYSTEM on the most trusted part of your infrastructure... but we have taken every step possible to make this as secure as we could.
Unlike most of our competitors, we understand and have deployed the following:
- A sound technical architecture; everything is self-contained and runs offline, we leverage the standard APIs and system facilities as appropriate.
- The attack surface of our software is minimal: our code runs only when you are changing a password (no service, no background resource usage)!
- Our code is signed and doesn't "auto-update". You remain in control.
- ASLR, DEP and SafeSEH exploit mitigations are enabled on all the relevant code.
How can I check that it works?
Once installed, after having rebooted, try to change the guest user's password using the following command in an elevated command prompt:
net user guest "MattaPassword123!"
This specific password will probably pass the other checks you might be enforcing... but will be blocked by safepass.me.
What happens when the trial license expires?
Nothing. safepass.me will just stop enforcing strong passwords... and will let you know that this is the case by logging an error message in the Windows event log.
It's amazing but my trial ran out. Where can I get a license?
Can I bring my own dictionary?
Since version 0.0.5 yes you can! The custom wordlist is located in c:\windows\system32\safepassme\wordlist.txt and should contain one word per line. safepass.me expects the file to be UTF-8 encoded and does a fuzzy matching against it.
The current fuzzy matching algorithm is based on a case-insensitive Damerau-Levenshtein distance calculation. If fewer than three edits (insertions, deletions, substitutions or adjacent-character swaps) are needed to turn the candidate password into a word from the list, i.e. the distance is 0, 1 or 2, the attempt will be blocked.
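As an added example (not safepass.me's own code), the following Python shows how a case-insensitive Damerau-Levenshtein check against a one-word-per-line wordlist blocks any candidate within two edits of a listed word. It assumes whole-string matching and the optimal-string-alignment variant of the distance; SAMPLE_WORDLIST, BLOCK_THRESHOLD and the function names are constructed for the illustration.

```python
# Added example (not safepass.me's code): illustrates the custom-wordlist rule.
# Assumptions: whole-string, case-insensitive matching using the
# optimal-string-alignment (restricted) Damerau-Levenshtein distance, and a
# candidate is blocked when its distance to any listed word is below 3.
from typing import Iterable, Optional

BLOCK_THRESHOLD = 3  # distances 0, 1 and 2 are blocked ("fewer than three edits")

# Constructed sample of what a one-word-per-line wordlist.txt might contain.
SAMPLE_WORDLIST = """\
password
acmecorp
welcome
"""

def load_wordlist(text: str) -> list[str]:
    """Parse the UTF-8 wordlist: one word per line, blank lines ignored, case folded."""
    return [line.strip().casefold() for line in text.splitlines() if line.strip()]

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap adjacent chars."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]

def check_password(candidate: str, wordlist: Iterable[str]) -> tuple[bool, Optional[str], int]:
    """Return (blocked, closest_word, distance) for the candidate against the wordlist."""
    folded = candidate.casefold()
    best_word, best_dist = None, None
    for word in wordlist:
        dist = damerau_levenshtein(folded, word)
        if best_dist is None or dist < best_dist:
            best_word, best_dist = word, dist
    if best_word is None:          # empty wordlist: nothing to block against
        return False, None, -1
    return best_dist < BLOCK_THRESHOLD, best_word, best_dist

if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for pw in ("Passw0rd!", "pasword", "AcmeC0rp2019!", "correct horse battery"):
        print(pw, check_password(pw, words))
```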
Can I add additional complexity requirements and/or use other password filters with safepass.me?
Yes you can. Password policies are additive, and if you are already using a password filter from one of our competitors, nothing prevents you from enforcing additional checks using ours. Give it a try! Our software will even log to the Windows event log whether each password change attempt was authorized or not.
What are the current security best practices regarding password policies?
- When it comes to passwords, length is what matters most. Educate your users to pick a long passphrase or a sequence of a few random words rather than a password. Aim for "at least 8 characters" but forget about special and weird characters. Pick a 'passphrase' rather than a password.
- Do not enforce frequent, uncalled-for password changes. Once a long, secure password has been chosen, it is counter-productive to ask the user to change it on a regular basis, unless it is suspected that it has been compromised. Your users will welcome this change and will be more inclined to pick one long and strong password once and for all!
- Do ensure that you deter online brute-force attempts by configuring an account lockout policy.
- Last but not least, you should make sure the password isn't in one of the publicly leaked databases and this is why you should be using safepass.me!
The new password guidelines can be found below:
Password Guidance from NCSC (specific guidance regarding password expiry)
Password Guidance from NIST (full version on NIST: Special Publication 800-63)
Password Guidance from Microsoft
How would you configure it in terms of GPO?
This is the template we recommend you configure on your domain. It can be improved upon depending on your risk appetite and compliance requirements.
Is it compatible with Azure Active Directory Connect?
Yes, provided you use password writeback. Instructions on how to do it can be found at: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-writeback
How do you deploy the license file?
We provide our Enterprise customers with a license file that enables them to use their entitlement offline. Like everything else, we have tried to make it as simple as possible: Copy the file we have provided into the following folder:
%System32%\safepassme\safepassme.lic (usually this is C:\Windows\System32\safepassme\safepassme.lic)
It will be picked up by the software upon reboot or in the next few hours. Where possible, it's best to deploy it right after installing the software (and just before rebooting).
How can I contact you?
We can be reached using this form, where we will be delighted to answer your questions. We offer discounts to non-profits and EDU customers, and have MSP offerings... for details, just drop us a line!