Continuous Password Monitoring (formerly known as Continuous Password Protection) is a process in which Enzoic evaluates all cached passwords against our database daily. The feature is enabled through the checkbox on the Password Changes tab in the Monitored Policies settings of the console.
Enzoic for Active Directory runs this check every day so that passwords that were strong when they were set remain secure over time. The philosophy is that a password that is strong today is not guaranteed to be strong tomorrow: it may appear in a breach at any time after it was chosen.
Continuous Password Monitoring works by hashing each user's password and storing the hash locally on the DC. Each day, Enzoic takes the first 10 characters of each stored hash and sends only that prefix to our backend database. The backend returns all possible matches for that prefix to the Delegate DC, which compares the full hash locally on the machine, so the full hash is never sent to the backend. If the full hash matches a compromised value, the admin is sent a notification email and the remediation process configured for the user's policy begins. If no match is found, the user's password is still good, and the process repeats the next day.
A few things to consider with Continuous Password Monitoring:
1. For this process to function properly, users must reset their password after Enzoic is installed on all read/write DCs so that the new password is picked up and cached. Passwords set before installation are not in the cache and are therefore not checked.
2. CPM checks a user's password against both the backend and the policy enforcement settings of the monitored user policy the user belongs to. This means that if you move users into a different policy, their password may come back as compromised, not necessarily because it is in our database, but because it violates a setting of the new policy.
3. The same process applies to credentials monitoring. The only difference is that the daily check searches our credential pairs database, looking specifically for matching email/username and password pairs rather than passwords alone.
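The daily lookup described above, and the second consideration (a result that is a policy violation rather than a database match), as an added example. This is not Enzoic's code: the hash function (SHA-256 hex), the shape of the backend index, the sample compromised passwords and the policy rule (a hypothetical per-policy blocklist checked by hash) are all assumptions, since the page does not specify them. What it does show is the split the page describes: only the 10-character prefix leaves the DC, the backend answers with every hash it holds under that prefix, and the full-hash comparison happens locally.

```python
"""Added example of the Continuous Password Monitoring prefix lookup.
Not Enzoic's code; hash function, index shape, sample data and policy
rule are assumptions made for illustration."""
import hashlib
from collections import defaultdict

PREFIX_LEN = 10  # the page: the first 10 characters of the hash are sent


def hash_password(password: str) -> str:
    # Assumption: SHA-256 hex digest. The page does not name the hash function.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class Backend:
    """Stand-in for the Enzoic backend: an index of prefix -> full hashes.
    The compromised list passed in is constructed sample data."""

    def __init__(self, compromised_passwords):
        self._index = defaultdict(set)
        for pw in compromised_passwords:
            h = hash_password(pw)
            self._index[h[:PREFIX_LEN]].add(h)

    def candidates(self, prefix: str) -> set:
        # The backend only ever receives a prefix, never a full hash.
        if len(prefix) != PREFIX_LEN:
            raise ValueError("expected a %d-character hash prefix" % PREFIX_LEN)
        return set(self._index.get(prefix, ()))


class MonitoredPolicy:
    """Hypothetical policy setting: a blocklist of exact passwords kept as
    hashes so the check can run against the cached hash on the DC."""

    def __init__(self, name, blocked_passwords=()):
        self.name = name
        self._blocked = {hash_password(p) for p in blocked_passwords}

    def violates(self, cached_hash: str) -> bool:
        return cached_hash in self._blocked


def daily_check(cached_hash: str, policy: MonitoredPolicy, backend: Backend) -> str:
    """One user's daily check. Returns 'compromised', 'policy' or 'ok'."""
    prefix = cached_hash[:PREFIX_LEN]        # the only thing that leaves the DC
    matches = backend.candidates(prefix)     # every backend hash under that prefix
    if cached_hash in matches:               # full comparison stays on the DC
        return "compromised"
    if policy.violates(cached_hash):         # same hash, flagged by policy instead
        return "policy"
    return "ok"


if __name__ == "__main__":
    backend = Backend(["Password1", "Summer2023!", "letmein"])  # constructed
    standard = MonitoredPolicy("standard")
    finance = MonitoredPolicy("finance", blocked_passwords=["Contoso#1"])
    for pw in ["Password1", "Contoso#1", "correct horse battery staple"]:
        h = hash_password(pw)
        print("%-30s standard=%-11s finance=%s"
              % (pw, daily_check(h, standard, backend), daily_check(h, finance, backend)))
```

Running it shows the same cached hash coming back "ok" under one policy and "policy" under another, which is the effect described in point 2. Note that with a hex digest, as assumed here, a 10-character prefix still narrows the candidate set to one of 16^10 buckets, so the backend learns which bucket the user's password falls in but not the password or its full hash.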