Checking for banned passwords via an external password server

Christopher Dakin

The Banned Passwords feature of LogonBox ships with a default dictionary of the 100,000 most commonly used passwords, and every new password is checked against it.

You can also import your own lists of passwords into the dictionary stored on LogonBox (see https://docs.logonbox.com/app/manpage/agent/article/2397490).

This article instead shows how to tell LogonBox to make a callout to an external password checking server, so that the decision about whether a word is banned can be made by a service you run yourself.


Pre-requisites

A third-party password server that accepts a request to a specific URL carrying the password to be checked, and responds with a result indicating whether or not that password is present in its list. LogonBox only needs to know the URL, the name of the parameter that carries the word, the HTTP status code(s) to accept, and a regular expression that identifies a "banned" response.


Configuring an external Password Check

In the Business Rules section, navigate to Banned Passwords->Settings.

Turn on the Ban words via HTTP API Call option; this reveals all of the settings for this feature.

Our example password server here will take a simple GET request such as this: https://192.168.2.139:8080/api/BannedPassword/table?search=password and return a JSON result containing success or failure.


This is an unauthenticated GET request, so we can leave Authentication set to None and Request Method as GET. Note that with this method the candidate password travels in the URL query string, so the server should only be reached over HTTPS (as in the example URL), and its access logs should not record query strings; if your server supports it, consider an authenticated call so that the endpoint cannot be queried by anyone on the network.

In the URL we strip off the search parameter, leaving: https://192.168.2.139:8080/api/BannedPassword/table

For Variables, click the + icon, then enter the parameter name on the left side (in this example, search) and type ${word} on the right side. ${word} is a replacement value that LogonBox substitutes with the password to be checked, so the resulting request is the same as the one shown above.


In Response Status Code, type in 200, then press enter or click the + to add this to the listbox.

In this example, the server will return a JSON result such as:

{
  "success" : true,
  "message" : "password",
  "result" : null,
  "total" : 0,
  "template" : null
}


So we need to enter a regular expression that matches the result indicating the password was found. In this example we can type the following into Response Content: "success" : true

Response Content is a regular expression, so a literal string like this works, but it only matches the exact spacing the server uses; a more tolerant pattern such as "success"\s*:\s*true also matches "success":true. Make sure the expression matches only responses that mean the password is in the list and not a generic "request succeeded" flag, otherwise every word will be treated as banned (or none will).

Click Apply to save the changes.
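To make the contract concrete, here is an added example of a minimal external password server together with a client-side check that mirrors the LogonBox settings configured above (status code 200 accepted, Response Content regex). This is example code written for this article, not LogonBox code or the real server used in the screenshots: the route /api/BannedPassword/table, the search parameter and the JSON field names are taken from the article, while the banned word list is constructed and the meaning of the fields other than success (result, total) is an assumption. TLS is left out; a production server would sit behind HTTPS.

```python
"""Stand-in banned-password server and a LogonBox-style response check.

Added example for this article (not LogonBox code). Route, query parameter
and JSON field names follow the article; the word list is constructed.
"""
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample dictionary. A real server would back this with a file
# import or database rather than a hard-coded set.
BANNED = {"password", "123456", "qwerty", "letmein"}


def lookup(word: str) -> dict:
    """Build the JSON body for one search.

    'success' is true only when the word is in the banned list, which is how
    the article reads the result. The other fields mirror the article's
    example shape; their exact meaning is assumed here.
    """
    hits = [word] if word.lower() in BANNED else []
    return {
        "success": bool(hits),
        "message": word,
        "result": hits or None,
        "total": len(hits),
        "template": None,
    }


def handle_request(path: str) -> tuple[int, str]:
    """Map a request path (with query string) to (status, body).

    Unknown routes get 404 and a missing search parameter gets 400, so a
    mistyped URL or variable name in LogonBox produces a response that does
    not satisfy the configured status filter instead of a misleading 200.
    """
    parsed = urlparse(path)
    if parsed.path != "/api/BannedPassword/table":
        return 404, json.dumps({"success": False, "message": "not found"})
    params = parse_qs(parsed.query)
    word = params.get("search", [""])[0]
    if not word:
        return 400, json.dumps({"success": False, "message": "missing search"})
    return 200, json.dumps(lookup(word))


# Client side: the same two settings entered in LogonBox.
STATUS_OK = {200}
RESPONSE_CONTENT = re.compile(r'"success"\s*:\s*true')


def word_is_banned(status: int, body: str) -> bool:
    """Treat the word as banned only if the status is accepted AND the
    Response Content expression matches the body."""
    return status in STATUS_OK and RESPONSE_CONTENT.search(body) is not None


def check_word(word: str) -> bool:
    """Full round trip, in-process: build the request LogonBox would send
    (search=${word}) and evaluate the answer the way LogonBox would."""
    path = "/api/BannedPassword/table?" + urlencode({"search": word})
    status, body = handle_request(path)
    return word_is_banned(status, body)


class BannedPasswordHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle_request(self.path)
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        # Suppress the default access log: the query string carries the
        # candidate password and must not end up in stdout or syslog.
        pass


if __name__ == "__main__":
    print(check_word("password"), check_word("Tr0ub4dor&3"))  # True False
    HTTPServer(("0.0.0.0", 8080), BannedPasswordHandler).serve_forever()
```

Running the module starts a plain-HTTP listener on port 8080 that answers GET /api/BannedPassword/table?search=... with the JSON shape shown above; point the LogonBox URL at it (behind a TLS terminator for real use) and the Response Content expression will match only when the searched word is in BANNED. The log_message override is the part most easily forgotten when building such a server: with the default logging, every password a user tries would be written to the access log in clear text.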


Now every time a user resets their password, LogonBox will check it against its local dictionary and also make the external call to the password server to find out whether the word is banned there.

If you wish to make only the external check, you can turn off the built-in check: on the Banned Passwords tab, turn off Ban words in Built-in list.