
Releases: Den-Sec/PasswordFilterDLL

v0.1.0

08 Jun 14:38


First public release of PasswordFilterDLL — a defensive LSA password filter for Active Directory, in C++.

Features

  • Compromised-password blocking, checked offline against the HIBP "Pwned Passwords" corpus via a compact Bloom filter (roughly 2 GB at a 0.1% false-positive rate for ~1.3B hashes); no network access at runtime. A Bloom filter has no false negatives, so every breached hash in the corpus is caught; a small fraction of clean passwords is rejected as collateral.
  • Custom complexity rules: length, character classes, keyboard walks, sequences, repeats, account-name and full-name containment.
  • Company blacklist + brand-term substring matching.
  • Rejections written to the Windows Event Log with metadata only; the candidate password itself is never logged.
  • GPO-friendly deployment: registry/ADMX config, install/uninstall/test scripts.

Architecture

A pure C++17 core with no Windows dependency, covered by unit tests, plus a thin fail-safe shim that runs inside LSASS. 46 tests pass in CI, and the on-disk Bloom format is verified for cross-language parity between the C++ reader and the Python builder.
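To make the Bloom-filter bullet and the reader/builder parity concrete, here is an added Python example that is not the project's scripts/build_bloom.py: it sizes a filter for a target false-positive rate, builds it from lines in the HIBP "Pwned Passwords" SHA-1 format (`<40 hex>:<count>`), writes it to a small self-describing artifact, reads the artifact back and checks candidate passwords against it offline. The header layout (`BLM1`, m, k, n), the double-hashing scheme and the sample corpus lines (with made-up prevalence counts) are assumptions of this example, not the project's real format.

```python
import hashlib
import math
import struct
from dataclasses import dataclass

# Hypothetical artifact layout for this example only:
# magic "BLM1" | u64 m (bits) | u32 k (hash functions) | u64 n (items) | bit array
MAGIC = b"BLM1"
HEADER = struct.Struct("<4sQIQ")


def size_for(n_items, fp_rate):
    """Bits m and hash count k for n items at the target false-positive rate:
    m = -n ln p / (ln 2)^2, k = (m/n) ln 2 (the standard Bloom sizing)."""
    n_items = max(1, n_items)
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


@dataclass
class Bloom:
    m: int
    k: int
    n: int
    bits: bytearray

    @classmethod
    def empty(cls, n_items, fp_rate):
        m, k = size_for(n_items, fp_rate)
        return cls(m, k, 0, bytearray((m + 7) // 8))

    def _positions(self, digest):
        # Kirsch-Mitzenmacher double hashing: the key is already a SHA-1 digest,
        # so two 64-bit slices of it serve as the two base hashes.
        h1 = int.from_bytes(digest[:8], "little")
        h2 = int.from_bytes(digest[8:16], "little") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add_digest(self, digest):
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

    def contains_digest(self, digest):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))

    def expected_fp_rate(self):
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k

    def to_bytes(self):
        return HEADER.pack(MAGIC, self.m, self.k, self.n) + bytes(self.bits)

    @classmethod
    def from_bytes(cls, blob):
        magic, m, k, n = HEADER.unpack_from(blob)
        if magic != MAGIC:
            raise ValueError("not a Bloom artifact")
        body = blob[HEADER.size:]
        if len(body) != (m + 7) // 8:
            raise ValueError("bit array length does not match header")
        return cls(m, k, n, bytearray(body))


def build_from_hibp_lines(lines, fp_rate=0.001):
    """Builder side: one SHA-1 hash per line, HIBP 'Pwned Passwords' format."""
    lines = [ln.strip() for ln in lines if ln.strip()]
    bloom = Bloom.empty(len(lines), fp_rate)
    for ln in lines:
        hex_hash = ln.split(":", 1)[0]
        if len(hex_hash) != 40:
            raise ValueError(f"malformed corpus line: {ln!r}")
        bloom.add_digest(bytes.fromhex(hex_hash))
    return bloom


def is_compromised(password, bloom):
    """Reader side: HIBP keys on SHA-1 of the UTF-8 password; no network call."""
    return bloom.contains_digest(hashlib.sha1(password.encode("utf-8")).digest())


def _sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus; the prevalence counts are made up.
SAMPLE_CORPUS = [f"{_sha1_hex(p)}:{c}" for p, c in
                 [("password", 50), ("123456", 40), ("qwerty", 30), ("letmein", 20), ("Summer2024", 10)]]

if __name__ == "__main__":
    m, k = size_for(1_300_000_000, 0.001)
    print(f"1.3B hashes at 0.1% FP: {m / 8 / 1e9:.2f} GB, k={k}")
    artifact = build_from_hibp_lines(SAMPLE_CORPUS).to_bytes()
    reader = Bloom.from_bytes(artifact)
    for pw in ("password", "correct-Horse-battery-9staple"):
        print(pw, "->", "compromised" if is_compromised(pw, reader) else "clean")
```

The sizing function reproduces the figure in the feature list: 1.3B hashes at a 0.1% false-positive rate need about 14.4 bits per entry, or roughly 2.3 GB, with k = 10 probes per lookup. Because the builder and the reader share nothing but the artifact bytes, a cross-language parity test amounts to building in one implementation, reading in the other, and asserting that the same set of test hashes is found.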

Validation

  • Filter logic validated end to end on a real Windows host.
  • LSA Protection (RunAsPPL): on hardened hosts a protected LSASS refuses to load unsigned plug-ins (error 577, ERROR_INVALID_IMAGE_HASH; Windows records the block as event 3033 in the Microsoft-Windows-CodeIntegrity/Operational log), so the DLL must be code-signed there. Note that Microsoft's LSA Protection documentation requires a Microsoft signature for LSA plug-ins, so an ordinary Authenticode certificate from a third-party CA is not by itself enough. Unsigned builds load on hosts without LSA Protection. See SECURITY.md.

Artifact

PasswordFilterDLL.dll (x64, Release) is UNSIGNED; build and sign from source for production. Build the breach Bloom artifact offline with scripts/build_bloom.py. See docs/DEPLOYMENT.md.

This code runs inside LSASS, and a fault in a password filter crashes LSASS and reboots the host. Test only on a non-production lab Domain Controller.