Ability to enforce a longer password minimum
The built-in Windows domain password policy is very limited. Using the Windows domain password policy, the longest minimum length password you can set is 14 characters. Anyone in IT security knows there is a big difference between passwords less than 14 characters and passwords longer than 14 characters. When a password is 14 characters or less the OS stores the password in 2 formats. One is the weaker Lanman Hash and it is subject to Rainbow Table password crackers. Rainbow Table password crackers can by used to quickly crack nearly any password that is 14 characters or less in a matter of minutes. Many customers approach us for the primary reason of forcing Domain Admins to use 15 characters or more. nFront Password Filter lets you require a much longer minimum length and you can apply the longer length rquirement to select groups or OUs if you prefer. Ideally you would prefer to have all users using 15 characters or more but if that is not Sometimes they are able to push more privileged users to a 15 character minimum as well.
The Windows built-in domain password policy
Windows Server 2016 and 2019 allow you to change the minimum up to 20 but it does not work! Once you go to 15 or more it reverts to the prior password policy settings. You can watch this youtube video to learn more.
Prevent common dictionary words / dictionary blacklistingOne of the most common requests we hear from our clients is the need and want to prevent common dictionary words like "Password," "Summer," and "Football." Moreover, clients specifically want to prevent their company's name from being used as a password. With Microsoft's Password Policy for Windows Active Directory, there are not any settings to prevent certain words. This feature is commonly known as password blacklisting and dictionary checking.
With the nFront Password Filter, clients are have the ability to create a customized dictionary file which will prevent any word included from being in an end-user's password. The software comes with a comprehensive 27,000 word dictionary. Because the software blocks passwords that contain a word from the dictionary you do not have to worry about brainstorming variations like "summer1", "summer123", "summer!", etc. Simply put "summer" in the dictionary and any password containing summer will be blocked. In fact, there is a character substitution feature that will automatically check for variations of the dictionary word using common substitutions like "$ummer" and "$umm3r", etc.
Check against breached passwords
Some security frameworks suggest you check new passwords against a list of known breached passwords. The de facto standard for doing this is to check against the HIBP (Have I Been Pwned) list of breached password hashes. Our password filter can support this by checking against a local file of hashes or by directly calling the HIBP API.
If you elect to check a local file, you will need to download the file of SHA1 password hashes from the HIBP website. The file is updated about twice per year and currently contains over 700 million breached password hashes. Once it is unzipped, it is about 24GB in size. Our filter can check this file in about 60 milliseconds. It is amazing to think that in 60 milliseconds a user's new password can be checked against over 700 million passwords that have been breached.
If you prefer not to host the file locally on each DC, then you can use the option to check the HIBP API. In this case, the entire password hash is never transmitted over the network, only the first 5 digits. The HIBP site will respond back with a list of any hashes that match the first 5 digits and we can scan the list of see if the hash matches any on the list. This check happens quickly and usually less than one second.
Better Password Change Experience
Many times we have heard that IT Administrators want to enforce a more secure password policy, but they are afraid of the end-user pushback for not understanding why a new password they select is not compliant with the company's password policy. With the nFront Client, a part of the nFront Password Filter, end-users are able to see specifically why their password change was not successful. For example, if the word "Password" is in the company's dictionary file for password blacklisting and the end-user enters "Password1" as their new password, the nFront Client will display a message that states the password failed due to the dictionary word "Password." Our clients feel relieved, as this will reduce help desk calls and end-user pushback.
Enforce Multiple Password Policies in one domain
Using the nFront Password Filter Multiple Policy Edition provides the ability to have up to six password policies that are linked to Groups or OUs. Most commonly, our client have expressed the need to have a different password policy for their standard accounts (employees), privileged accounts (IT department), and service accounts. Furthermore, many colleges and universities have also expressed the need for multiple password policies so that their faculty and staff has one policy, and their students have a different password policy. This problem is solved with the use of the nFront Password Filter Multiple Policy Edition. At nFront, we recommend using multiple password policies to ensure that accounts with privileged information have a more secure password policy requirements than standard accounts.
Some of our clients have realized that passphrases are more user friendly than passwords in terms of memorization. Unfortunately, Microsoft's Password Complexity feature does not have the ability to require spaces in passwords. Many IT Administrators are afraid of creating a complex password policy and the increase in help desk calls. With the nFront Password Filter, our clients have been relieved with the password policy setting to require spaces. The policy setting allows for a minimum number of spaces as well. Furthermore, the nFront Password Filter has so many unique features where password over a certain character length have the ability to skip dictionary checking. With this option, our clients are more comfortable with allowing passphrases since easier words can be used for longer passwords.
Require spaces to enforce passphrases
Enforce your written policy
Many times, companies have a written password policy that employees sign yearly or at the start of their employment with the company. The written password policy is there to be followed; however, there is no way to effectively enforce the password policy when Microsoft does not provide the capability to do so. With the nFront Password Filter, we are able to solve this problem. Clients are able to effectively manage their written password policy by selecting the password policy settings that they require. Once the password policy is set, the nFront Password Filter software will manage the rest for you.
Clients use the nFront Password Filter to meet audit requires for compliance. On multiple occasions, clients have come to nFront due to the fact that they had missed an audit requirement to be in compliance. The nFront Password Filter has been used to fulfill password related requirements from these compliance organizations: CJIS, HIPAAA, IRS, NERC-CIP, PCI, PSN, NIST, and SOX. Once the client had fully implemented the nFront Password Filter, they were in compliance with all password related requirements.
Keep longer passwords longer
This is one of nFront Security's most recent additions to the nFront Password Filter. A client had expressed their need for an option that allowed for longer length passwords to expire at a later date than shorter length passwords. The length of the passwords and expiration time periods are determined by the IT Administrator for the password policy of the company. With this password policy setting, it entices end-users to create a longer password with the return of being able to keep the password for a longer period of time. In turn, the IT Administrator is happier that end-users are creating more secure passwords.
More complexity for shorter passwords
This is more commonly known as the Stanford Password Policy. After Stanford University shunned the one size fits all password policy, many companies wanted to adopt a similar standard. The idea behind the Stanford password policy is longer passwords require less character sets than shorter passwords. This options allows power to the end-user to determine which type of password they would like to select. nFront Security has solved this problem for our clients by providing a one-step checkbox to implement the Stanford Password Policy for your company.
Stop similar passwords
A common problem that clients have is that they want an end-user’s new password to be different than the existing password. Using the nFront Client, which is a part of the nFront Password Filter, clients have been able to solve this problem. We call this feature “check similarity rule” where you are able to determine how many sequential characters you do not want the new and existing password to have in common. Microsoft supports this feature and encrypted RPC messaging is used.
Enforce password changes for offsite and VPN Users
Clients have expressed the need of an online portal for offsite and VPN users to change their passwords. Many times, some users are not back in the office in time for their routine password changes. This results in the annoyance of help desk calls and password resets. The nFront Web Password Change has solved this problem for our clients. The software is "nFront Aware" and has the ability to recognize the end-user's password policy according to their username.
Disable dormant and unused accounts in Active Directory
Dormant accounts on Windows Active Directory have posed a large problem for some of our clients. With dormant accounts lingering within you Active Directory that have not been disabled, this is an easy target for hackers. nFront Security has been able to prevent dormant accounts lingering on a client's Active Directory for months on end. The nFront AD Disabler will automatically disable any accounts that have not logged on in three weeks by determined the last "true logon time." You will be provided with a weekly report for confirmation.