lithnet/ad-password-protection

Problems with normalization

Boeing737-8 opened this issue · 2 comments

Hi! We have a 2019 DC.

We added a banned word 'aA123456' to the list with add-bannedword and enabled the normalization for banned words in the group policy.

If we run test-isbannedword '@ A123456' we get false.
If the @ is not used at the beginning of the word, the normalization works as expected and returns true.

Also, we tried to use normalization for compromised passwords, but this does not work at all (it filters only compromised passwords).

Hi @Boeing737-8

When words are added to the banned word store, they are normalized first. So aA123456 will get saved as aa.

You can see the normalization algorithm here which may help better understand what is going on.
https://docs.lithnet.io/password-protection/advanced-help/normalization-rules

Leading symbols and numbers are stripped first, and only then are character substitutions performed. So your @ symbol in the second example is being stripped off, as well as the trailing numbers, leaving only a as the banned word being checked.

I hope that helps explain what is going on there.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.