Hey everyone! I finally got the go-ahead to implement a blocked password list after a recent pentest revealed that a lot of users are still using super basic passwords. I'm curious about how this works: if I add "Password12345" to the blocked list, does that only affect new passwords, or will it also cause issues for anyone currently using "Password12345"? I plan on forcing password changes anyway, but I'd like to understand how the blocked password list interacts with passwords that are already set. Just so you know, we're using a hybrid setup, so the list will be in Active Directory and synced to 365.
4 Answers
If you have a list of users with known weak passwords, I’d recommend forcing a password change for them once the policy is activated. Best practice is to reset everyone’s password when rolling out a new policy like this. From my experience, implementing robust password policies also helps to ensure stronger passwords moving forward.
Yeah, we implemented a similar policy a couple of years ago and ran into the same thing. The banned list doesn’t retroactively affect current passwords; it’s primarily in place for when someone is setting or changing their password. So if someone has a weak password, it won't automatically change just because you added it to the blocked list. Just make sure to enforce that password reset as you mentioned.
Password policies really only kick in when users try to change their passwords. So, if you add something like "Password12345" to your blocked list, it won’t affect users who are already using that password. Users who currently have that password won’t face any issues until they attempt to change it, which you already plan to enforce, so they'll update to stronger passwords effectively.
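To make the "only at change time" point concrete, here is an added example (not code from the original thread, and not Microsoft's implementation) that models how a banned-password list is evaluated when a new password is submitted. It follows the rules Microsoft documents for Azure AD Password Protection (lowercasing, the @→a, 0→o, 1→l, $→s substitutions, substring matching of banned terms, and a five-point score threshold) in simplified form; the fuzzy edit-distance match and the user-name/tenant-name checks are left out, and the banned lists are constructed for the demo. Nothing in it ever touches a stored password: it is a gate on the proposed value, which is why existing weak passwords survive until a reset.

```python
# Added illustration of banned-password evaluation at set/change time.
# Simplified model of the documented Azure AD Password Protection rules;
# NOT the service's code. Lists below are constructed for the demo.

# Character substitutions applied before matching (assumption: taken from
# Microsoft's documentation of the normalisation step).
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase and undo common leet substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned):
    """Return (points, matched_terms) for a proposed password.

    The normalised password is scanned left to right. Each occurrence of a
    banned term (longest term first) counts as ONE point no matter how long
    it is; every other character counts as one point.
    """
    text = normalize(password)
    # Banned terms are normalised the same way, so "P@ssw0rd12345" and
    # "Password12345" collapse to the same string.
    terms = sorted({normalize(t) for t in banned}, key=len, reverse=True)
    points, matched, i = 0, [], 0
    while i < len(text):
        hit = next((t for t in terms if text.startswith(t, i)), None)
        if hit:
            matched.append(hit)
            i += len(hit)
        else:
            i += 1
        points += 1
    return points, matched


def is_allowed(password: str, banned, threshold: int = 5) -> bool:
    """The gate a password *change* passes through. Passwords already set
    are never re-evaluated by this check."""
    return score(password, banned)[0] >= threshold


# Constructed lists: a stand-in for the global list, and the same list with
# the custom term from the question added.
GLOBAL_ONLY = ["password", "welcome", "qwerty"]
WITH_CUSTOM = GLOBAL_ONLY + ["Password12345"]

if __name__ == "__main__":
    for pw in ["Password12345", "P@ssw0rd12345", "MyPassword12345!",
               "correct horse battery staple"]:
        for name, lst in (("global only", GLOBAL_ONLY), ("with custom", WITH_CUSTOM)):
            pts, hits = score(pw, lst)
            print(f"{pw!r:32} {name:12} points={pts:2} hits={hits} "
                  f"allowed={is_allowed(pw, lst)}")
```

Two things worth noticing in this model. First, with only "password" banned, "Password12345" scores six points (one for the banned term, one per remaining character) and would be accepted, so the exact string really does need to go on the custom list. Second, once it is there, the substitution-aware normalisation also rejects "P@ssw0rd12345" and "MyPassword12345!", but none of this changes the value already stored for any account.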
Some tools can help you check Active Directory for password hashes and compare them against your blocked list to identify users that need their passwords reset. For instance, the KnowBe4 Weak Password Test tool is pretty handy for this.
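The tools mentioned above work by comparing stored NT hashes against hashes of candidate passwords, since the plaintext is never available. The added example below (not from the thread, not any vendor's code) shows that comparison end to end: the NT hash is MD4 over the UTF-16LE encoding of the password, implemented here in pure Python because hashlib's MD4 is disabled on many current builds; the banned terms are expanded into a small set of variants, hashed, and looked up against a constructed sample dump. The dump, user names and banned list are all made up for the demo.

```python
import struct

# --- MD4 (RFC 1320), pure Python, so the example runs where hashlib lacks md4 ---
MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(state, X, f, const, order, shifts):
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _lrot((a + f(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c  # rotate roles so the next step updates "d", then "c", ...
    return a, b, c, d


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(state, X, F, 0, range(16), (3, 7, 11, 19))
        s = _md4_round(s, X, G, 0x5A827999,
                       [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13))
        s = _md4_round(s, X, H, 0x6ED9EBA1,
                       [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15))
        state = tuple((x + y) & MASK for x, y in zip(state, s))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in AD: MD4 of the UTF-16LE password (no salt)."""
    return md4(password.encode("utf-16-le"))


# --- Audit: hash banned terms (plus cheap variants) and look them up in a dump ---
LEET = str.maketrans({"a": "@", "o": "0", "s": "$"})
SUFFIXES = ("", "1", "123", "!", "2024")


def candidate_hashes(terms):
    """Map hex NT hash -> plaintext for each banned term and a few common
    variants (case, full leet substitution, digit/symbol suffix)."""
    table = {}
    for term in terms:
        bases = {term, term.lower(), term.capitalize(), term.upper()}
        bases |= {b.translate(LEET) for b in list(bases)}
        for base in bases:
            for suffix in SUFFIXES:
                cand = base + suffix
                table[nt_hash(cand).hex()] = cand
    return table


def audit(dump, terms):
    """Return {user: matched_plaintext} for accounts whose stored NT hash
    equals the hash of a banned term or one of its generated variants."""
    table = candidate_hashes(terms)
    return {user: table[h] for user, h in dump.items() if h in table}


# Constructed sample "dump" (sAMAccountName -> hex NT hash). In practice this
# comes from a DC via replication (e.g. DSInternals' Get-ADReplAccount) and
# must be handled as secret material.
SAMPLE_DUMP = {
    "alice": nt_hash("Password12345").hex(),
    "bob": nt_hash("Welcome123").hex(),
    "carol": nt_hash("correct horse battery staple").hex(),
    "dave": nt_hash("P@ssw0rd").hex(),  # mixed substitution: NOT in our variant set
}
BANNED = ["password", "Password12345", "welcome"]  # constructed custom list

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, BANNED))  # expected: alice and bob flagged
```

The caveat the output makes visible: a hash audit is an exact-match test against whatever candidates you enumerate, so dave's "P@ssw0rd" slips past even though the online policy's normalisation would catch it at change time. Generate variants generously (or feed a proper wordlist to a tool built for this) before treating a clean audit as proof that nobody is on a banned password, and remember that the audit finds who to reset; only the reset itself changes anything.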
