Real-time feedback about the strength of new passwords.
nFront Password Filter allows configuration of up to 6 policies per domain.
GPO control allows you to configure in around 5 minutes!
The newest version of nFront Password Filter includes built-in reporting features for expired passwords. Fill out your email below and we'll email you a sample report.
Email Sample ReportEmail Address:
Passwords. Everyone on your corporate network has one. How weak is the weakest password?
Having a good password policy that is enforced across all users is fundamental to good security practices. You are probably spending money on firewalls, anti-virus, encryption and data leakage products. However, if you are using the built-in Windows Password Policy you might as well burn the money you are spending for all the security software and devices.
nFront Password Filter is a password policy enforcement tool for Windows Active Directory that allows up to 6 different password policies in the same Windows domain. Each password policy has many granular settings and can be associated with one or more global or universal security groups. nFront Password Filter allows you to strengthen network security by preventing the use of weak, easily hacked passwords.
Passwords can be compromised in a number of ways. There are software tools to "guess" passwords. There are DLL injection tools that can retrieve the database of hashed passwords. Please note that hashed passwords are not the same as encrypted passwords. Encrypted passwords can be decrypted given the shared secret or private key. However, hashed passwords cannot be reverse engineered. So what is the danger of a thief getting the hashes. A lot! There are tools like Rainbow Crackers which can crack any 14 character or less password in a matter of minutes if you can provide the password hash. There are even websites like Plain Text Info that will use their computing power to crack the LanMan or MD5 hash for you. Click here to read more...
Windows gives you the tools to control password length, history and expiration, but no good controls to enforce the use of reasonable passwords that are not easily hacked. Without nFront Password Filter it is highly likely that weak, easily cracked passwords are allowed on your network.
Consider the following standard Windows policy:
THE WINDOWS PASSWORD POLICY ABOVE DOES NOT PREVENT ANY OF THE FOLLOWING PASSWORDS
To see a more exact comparison of settings see these links:
nFront Password Filter versus the Windows 2003 Password Policy
nFront Password Filter versus Windows 2008 Password Policies
nFront Password Filter is controlled using a single Group Policy Object configuration. After installation of the software on all domain controllers, simply create a new GPO, load one of our provided templates and configure your policies. It's that easy!
nFront Password Filter is controlled by a single GPO, not a bunch of confusing GPOs all over the place. You can associate any policy in the MPE version with one or more security groups or organizational units. Thus, you can easily use the same groups that you have created for resource security to control password security. No need to re-organize your OU structure to support your password policies. No need to run Resultant Set of Policy to see who gets what policy. No need to edit multiple GPOs all over the place or figure the best policy precedence order such that one policy does not negate the other.
nFront Password Filter gives you granular control over your password policies. It can put min and max limits on specific types of characters, reject passwords that contain userids/usernames and even check a new password against a multi-language dictionary with over 2 million words in less than 1 second.
Windows 2008 does support multiple password policies in the same domain. However, the policy settings are the same basic policies that are in Windows 2000 and Windows 2003. The settings are not robust enough to prevent the use of weak and easily cracked passwords. The settings are also cumbersome to put in place.
nFront Password Filter MPE allows you to have up to 6 different password policies in the same Windows domain. Each policy can be associated with one or more global or universal security groups. You can have strong password polices for Domain Administrators and those with access to more privileged information (credit card data, tax information, etc.). You can also associate weaker policy with other groups like "Mainframe Users."
Suppose you sync your Windows passwords with UNIX or AS/400 or other mainframe systems. You do not want a one-size fits-all password policy that has to be dumbed down to the least common denominator. System like UNIX or mainframes often truncate passwords longer than 8 or 12 characters. Furthermore, such systems often do not accept certain special characters. With nFront Password Filter you can control the special characters which are accepted or block the use of any special characters.
Passphrases are simply long passwords like "The dog ate my newspaper." or "I love Chocolate!" Such phrases make great passwords because they are long and long passwords are generally always superior to shorter ones. However, such phrases usually contain dictionary words and can be rejected by dictionary filtering. With nFront Password Filter you can skip dictionary filters for passwords over a specified number of characters. So long passwords may contain dictionary words but short passwords may not.
nFront Password Filter is not some set of Java rules on a website that are easily bypassed. nFront Password Filter is integrated into the operating system and runs as a thread under the local security authority (the lsass.ese process). The polices you create cannot be bypassed with an alternative password change mechanism.
Writing a custom passfilt.dll is not a trivial process and is much more involved than a simple win32 application. The custom password filter must interface to the Local Security Authority (the lsass.exe process) and runs as a thread of the LSA. You cannot afford a bad line of code or an overlooked exception. A bad line of code can quickly mean a BSOD (blue screen of death). A memory leak or failure to use exception handing and secure coding techniques can deal to a security vulnerability and possible exploitation. A passfilt.dll works on the password in Unicode clear text and care must be taken to properly destroy the memory used by such buffers.
We got started in 2001 writing custom password filters for many different organizations. After noticing many similarities among the requests we decided to write a "configurable customer password filter." So we were the first to introduce a password filter controlled by a group policy. In 2005, we were the first to release a 64-bit password filter.
You should contemplate the following questions if you are considering the development of a custom passfilt:
nFront Password Filter goes beyond giving you control over character types and includes a very fast dictionary check feature. In less than 1 second, nFront Password Filter can scan a 2 million word dictionary and ensure that the user's proposed new password is not contained in the dictionary file!
nFront Password Filter ships with a 27,000 word customizable, plain-text dictionary. The dictionary check feature looks for a case-insensitive exact match (instead of a substring match) between the proposed new password and each entry in the dictionary. The substring search feature can be enable to look for the dictionary word anywhere within the password. You can customize the dictionary by editing the file in Notepad or any other text editor of your choice.
nFront Password Filter comes with an optional client that you can deploy to end-user workstations. You can choose to include your own custom message to the end user or our default password rules or both. You can also display a password strength meter. All settings, of course, are controlled by GPO.
The client automatically works in multiple languages (like German, French, and Italian). It automatically reports the locale of the client workstation to the encrypted RPC service that supports the client. The service then formulates the password policy rules in the language appropriate to the language of the client operating system.