How do I check for compromised passwords in MDaemon Email?

MDaemon Email can check a user's password against Have I Been Pwned's list of Pwned Passwords without transmitting the password to the service.

A password that appears on the list does not by itself mean the account has been hacked; it means the same password has been used somewhere before and has appeared in a published data breach. Published passwords end up in the word lists attackers use for dictionary and other password-guessing attacks, so a unique password that has never been used anywhere else is the safer choice.
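The following is an added illustration, not MDaemon's code or Have I Been Pwned's, of the k-anonymity range lookup that Pwned Passwords offers for checking a password without sending it: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix in that range, and makes the comparison locally. The endpoint URL and the `SUFFIX:COUNT` response format are HIBP's published ones; the sample response body, its counts and the padding line are constructed for the offline demo, and only the suffix for `sha1("password")` is real.

```python
"""k-anonymity lookup against the Pwned Passwords range API.

Added illustration, not MDaemon's or Have I Been Pwned's code. Only the
first five hex characters of the SHA-1 hash of the password leave the
machine; the service returns every known hash suffix in that range and
the comparison happens locally, so the password itself is never sent.
"""
import hashlib
import urllib.request

# Real, documented HIBP endpoint: GET /range/{first 5 hex chars of SHA-1}
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_and_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix to send, 35-char suffix kept local) of the
    upper-case SHA-1 hex digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line.

    When the client sends 'Add-Padding: true', the service pads the
    response with fake entries whose count is 0; they must be ignored.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach data (0 = not found).

    fetch_range(prefix) -> response body; injected so the check can run
    offline against constructed data or live against the service.
    """
    prefix, suffix = hash_and_split(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live lookup (not used by the offline demo below). Padding hides the
    true size of the range from a network observer; a descriptive
    User-Agent avoids being treated as an anonymous client."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service. The suffix for sha1("password")
# is real; the other suffixes, the counts and the padding line are made
# up. The live service returns a (padded) body for every prefix; here an
# unknown prefix simply yields no matches.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1D2AA6FBE0B6A0A2C3BDA92A8E1E5C6E9D0:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "1F0D8AB1E5CB6CCB6A9F5B9C8D7E6F5A4B3:0\r\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def verdict(password: str, fetch_range=fetch_range_offline) -> str:
    """Policy decision a mail server might make when a user sets a password."""
    n = pwned_count(password, fetch_range)
    if n:
        return f"REJECT: seen {n} times in breach data"
    return "OK: not on the list (which is not proof the password is strong)"


if __name__ == "__main__":
    for candidate in ("password", "Xq7#vL!pR2mZ9wE4-constructed"):
        print(candidate, "->", verdict(candidate))
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the password still never leaves the machine, only its five-character hash prefix does. A count of zero means only that the exact string is absent from the list, which is why the page's advice about unique passwords still applies.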

This feature is available in MDaemon Email version 20 and above.

To prevent users from setting a password that appears on the compromised passwords list:

  1. Select Accounts menu
  2. Select Account Settings
  3. Expand Other menu
  4. Select Passwords
  5. Check Do not allow passwords found in third-party compromised passwords list
  6. (Optional) Enter the number of days between checks. At that interval MDaemon re-checks each user's password when the user logs in and, if the password is found on the list, sends the user a warning email.
    • The warning emails can be customized by editing the message template files in the \MDaemon\App folder:
      • CompromisedPasswordMD.dat when passwords are stored in MDaemon.
      • CompromisedPasswordAD.dat when passwords are verified through Active Directory.
    • Macros can be used to personalize the message body, change the subject, change the recipients, and so on.