Yes. nFront Password Filter can check against breached passwords using the HIBP database of breached passwords (approximately 847 million breached passwords). You can configure it to check locally using a file or via the HIBP API. If you use the file option, you must download the file of SHA1 hashes and it expands to about 40GB. The file will need to be local to each DC so you must plan for disk space. It takes only 60 milliseconds to checkt the file. If you opt to use the HIBP API, it usually returns in less than half a second. The full hash is never sent over the network (only the first 5 digits).

Yes, Yes and Yes. We have many worldwide deployments using BMC Control SA or Passport. We also have many healthcare providers running PSynch and Courion. In all cases, the BMC, PSynch and Courion do not provide native password filtering (only filtering if you change passwords via their web page). Thus, their password filtering rules can be bypassed.

The default dictionary (6,500 words) takes about 2 milliseconds to process. Most servers will process around 5 million words per second. So in less than one second nFront Password Filter can check a user's proposed new password against over 5 million common passwords.

Yes. All group policies will appear in English. If you are using dictionary checking the dictionary file may be saved in an ANSI, Unicode or UTF-8 formats. The later formats supports characters from all languages. The optional client currently provides messages in English, German, French, Italian and Spanish.

Yes.  You still configure a single GPO to control nFront Password Filter.  However, within each policy you can specify multiple OU paths to include or exclude.  You can also include and exclude groups.

Yes. You can apply a policy to one security group and the policy will apply to users who are members of that group and any groups nested inside of that group.

No.

No.