NIST and other compliance guidance recommend checking every new password against a "corpus" of breached internet passwords. That is a fancy way of saying that you should not allow passwords on your network that are already known from a breach.
While there are many online sites that contain lists of breached passwords (sometimes in plain text and sometimes as hashes), perhaps the best-known source is the HIBP (Have I Been Pwned) website. It contains a comprehensive file of breached passwords in hashed format. As of this writing, the file contains 847 million breached passwords.
nFront Password Filter allows you to check against the HIBP file of breached passwords either locally or via the HIBP API. The local file is quite large and takes up about 35 GB of disk space. The nFront product can check the file in 60 milliseconds or less. It is amazing to think that in less than 60 milliseconds the system can check a new password against 847 million breached passwords. If you use the HIBP API, the system makes a call to the HIBP website and sends only the first 5 hex characters of the password's SHA-1 hash. The website returns every hash suffix that matches those first 5 characters. It may return zero entries or thousands; in any case, it is a much smaller set to parse. In our experience the website returns the data in less than 1/2 second. However, there is a 5 second timer built into the software: if no response has arrived in that time, the filter moves on with its other checks. If this occurs, the nFront system will log to an errors file in the system32\logfiles folder.
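The API-based check described above is the HIBP k-anonymity range lookup: hash the candidate with SHA-1, send only the 5-character prefix, and search the returned suffix list locally. The following Python is an added example written for this page, not nFront's code or the HIBP client library; it never contacts the network. The range response, the breach counts and the `fetch_range` callables are constructed for the example, and the 5 second timeout fallback (return "unknown" and log, so other filtering can proceed) mirrors the behaviour the text describes.

```python
import hashlib
import logging
from typing import Callable, Optional

log = logging.getLogger("breached-password-check")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; HIBP ranges are keyed by this."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


# Constructed stand-in for one range response. The real endpoint
# (https://api.pwnedpasswords.com/range/<prefix>) returns one
# "<35 hex chars of suffix>:<count>" line per breached hash with that prefix.
# The suffix for "password" is derived with hashlib; the other suffixes and
# every count are made up for this example and are not HIBP data.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{split_hash('password')[1]}:3861493",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",   # zero-count padding entry
])


def parse_range_response(body: str) -> dict:
    """Map each returned suffix to its breach count; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch_range: Callable[[str, float], str],
                 timeout: float = 5.0) -> Optional[int]:
    """Number of times the password appears in the corpus.

    Returns None when the lookup did not complete in `timeout` seconds
    (or failed), so the caller can carry on with its other filters instead
    of rejecting or accepting on missing data.
    """
    prefix, suffix = split_hash(password)
    try:
        body = fetch_range(prefix, timeout)
    except (TimeoutError, OSError) as exc:
        # Analogous to the errors-file entry written on a timed-out lookup.
        log.error("range lookup for prefix %s failed: %s", prefix, exc)
        return None
    return parse_range_response(body).get(suffix, 0)


# Constructed fetchers standing in for the HTTP client.
def fake_fetch_range(prefix: str, timeout: float) -> str:
    """Answer with the sample response for its prefix, an empty list otherwise."""
    if prefix == split_hash("password")[0]:
        return SAMPLE_RANGE_RESPONSE
    return ""


def timed_out_fetch(prefix: str, timeout: float) -> str:
    """Simulate a lookup that never answers within the timer."""
    raise TimeoutError(f"no response within {timeout:.0f} s")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for pw, fetch in [("password", fake_fetch_range),
                      ("unrelated-test-phrase", fake_fetch_range),
                      ("password", timed_out_fetch)]:
        print(pw, "->", breach_count(pw, fetch))
```

Only the 5-character prefix ever leaves the host; the full hash and the password stay local, which is why the lookup is safe to run against an external service. A result of `None` is deliberately distinct from `0`: "not found" and "could not check" should not be conflated when the decision is whether to accept a password.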
Checking against breached passwords is a good idea. However, we suggest you do not make it your only strategy. Many of the breached internet passwords were discovered from non-corporate sites. In other words, passwords compromised from sites like Myspace or LinkedIn were likely never intended to be strong and may not even have met basic criteria like Windows complexity. You also want to block passwords that contain your company name and terms specific to your products, brands, industry, and locations. Such local knowledge is often used to compose simple passwords. For example, Atlanta has many football fans who pull for the local Atlanta Falcons team, so a password like "Falcons2020" should not be allowed on the network. Please follow this link to learn more about how to use the easily customized dictionary included with nFront Password Filter.
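A custom dictionary check of the kind described above is a case-insensitive substring match against locally chosen terms. The Python below is an added example for this page, not nFront's dictionary implementation; the term list is constructed, and the check goes one step beyond the text by normalizing common character substitutions (0 for o, @ for a, and so on) before matching, so that "F@lc0ns2020" is caught as well as "Falcons2020".

```python
# Constructed example list: company name, product, local team and place names.
# A real deployment would load these from the filter's dictionary file.
CUSTOM_DICTIONARY = ["Contoso", "WidgetPro", "Falcons", "Atlanta", "Peachtree"]

# Common substitutions users make to "disguise" a dictionary word.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions before matching."""
    return password.lower().translate(SUBSTITUTIONS)


def find_dictionary_terms(password: str, dictionary, min_len: int = 4) -> list:
    """Return every dictionary term contained in the normalized password.

    Terms shorter than `min_len` are ignored so that very short words
    do not block almost every password.
    """
    norm = normalize(password)
    return [term for term in dictionary
            if len(term) >= min_len and term.lower() in norm]


def is_blocked_by_dictionary(password: str, dictionary=CUSTOM_DICTIONARY) -> bool:
    """True when the password should be rejected for containing a local term."""
    return bool(find_dictionary_terms(password, dictionary))


if __name__ == "__main__":
    for candidate in ["Falcons2020", "F@lc0ns2020", "MyContosoPW!",
                      "Tr0ub4dor&3", "peachtree-st-42"]:
        print(candidate, "->", find_dictionary_terms(candidate, CUSTOM_DICTIONARY))
```

Substitution normalization trades a few false positives (an unrelated password whose normalized form happens to contain a term) for catching the obvious "leet" variants; for a blocklist that only forces the user to pick something else, that trade is usually acceptable.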