Enzoic for Active Directory registers a Microsoft standard Password Filter. This filter is used to gate user password changes and check candidate passwords against a continuously updated cloud database of exposed passwords using a partial hash based comparison.

When a user password change is received by the LSA, it notifies Enzoic’s Password Filter DLL. The Enzoic Service connects via HTTPS to the Enzoic Cloud API to check a partial hash of the new password. If the password is identified as compromised, it is rejected. If the password is not compromised, the password change operation is allowed to proceed.