How to check for compromised passwords in MDaemon

MDaemon can check a user's password against the Pwned Passwords list of compromised passwords published by Have I Been Pwned. This is done without transmitting the password to the service. If a user's password is present on the list, it does not mean the account has been hacked; rather, the password has been used before and has appeared in a data breach. Published passwords may be used by hackers in dictionary (brute force) attacks. Unique passwords that have never been used anywhere else are more secure.

This feature was first made available in MDaemon version 20.

  1. Select Accounts menu
  2. Select Account Settings
  3. Expand Other menu
  4. Select Passwords
  5. Check Do not allow passwords found in third-party compromised passwords list
  6. (Optional) Enter the number of days to query the password on login and send the warning email if a user's password is found on the list.
    • The warning emails can be customized by editing message template files in the \MDaemon\App folder.
      • If passwords are stored in MDaemon, edit the CompromisedPasswordMD.dat file.
      • If passwords are verified through Active Directory, use the CompromisedPasswordAD.dat file.
    • Macros can be used to personalize the message, change the subject, change the recipients, etc.
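
The introduction says the check is made without transmitting the password. The following is an added example, not MDaemon code, of how Have I Been Pwned's public Pwned Passwords range lookup makes that possible: only the first five hex characters of the password's SHA-1 hash are sent, and the match is done locally. That MDaemon performs exactly this exchange is an assumption; the function names and the sample response are constructed so the example runs offline.

```python
import hashlib

# Public Pwned Passwords range endpoint; only a 5-character hash prefix is appended.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of the SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in the list; 0 means not listed.

    fetch_range(prefix) is the only thing that talks to the service, so the
    password and its full hash stay local. The suffix is compared here.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

SENT = []  # everything the stand-in "service" below was given

def fake_fetch_range(prefix):
    """Constructed stand-in for an HTTP GET of RANGE_URL + prefix (no network)."""
    SENT.append(prefix)
    _, listed = split_hash("password")
    return "\r\n".join([
        "0" * 35 + ":2",      # constructed entry for some other password
        listed + ":3",        # constructed count for the sample password
        "F" * 35 + ":0",      # padding-style entry, count 0 means not listed
    ])

if __name__ == "__main__":
    for candidate in ("password", "constructed-unique-passphrase-7431"):
        print(candidate, "->", breach_count(candidate, fake_fetch_range))
    print("sent to service:", SENT)
```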