nFront Password Filter offers over 40 different password policy requirements. It has rules for the traditional character categories (lowercase, uppercase, numeric, and special) and a separate category for spaces. The space category is useful if you plan to enforce a passphrase-style policy that requires longer passwords and a minimum number of spaces.
The most popular features are dictionary blacklisting and checking new passwords against breached passwords.
Dictionary blacklisting means rejecting passwords that contain entries from a blacklist file. The file does not have to be a real dictionary, although it could be. When the nFront software scans the dictionary file, it converts both the new password and each dictionary entry to lowercase and looks for the entry anywhere within the new password. Technically, it is a case-insensitive substring match, so a very short entry (two or three characters) will reject almost every password and should be kept out of the file. The dictionary check takes only a few milliseconds with our provided dictionary. Some customers use dictionaries with millions of entries; even then, the dictionary processing time is usually under one second.
We provide a dictionary file of about 6000 entries. The first 1000 cover terms such as the seasons (spring, summer, etc.), common keyboard patterns, sports teams, cities, states, and common passwords from various lists. The remaining 5000 entries are names. Why 5000 names? You can already reject the username or any part of the user's full name, but most password studies find that 40 percent or more of people use the name of a spouse, a child, or a pet in their password. Checking 5000 names helps combat those choices.
You should always customize the dictionary and add information related to your industry, your company, your products, etc. We have a great blog post that offers guidance on how to make a hack-proof dictionary blacklist.
A dictionary feature you should consider is automatic character substitution checking. Character substitution becomes common once a company adopts a stricter password policy: users write "$" instead of the letter "S", "@" instead of the letter "a", and so on. Users think it is clever, but those substitutions are built into most cracking wordlists and rule sets. We think it is better to run a smaller dictionary with substitution checking than a larger one without it. You really do not want users adopting new passwords like "P@$$w0rd1" or "$umm3r2025".
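The two checks described above (the case-insensitive substring match against the dictionary, and catching the substituted forms such as "P@$$w0rd1") can be modelled in a few lines. The following is an added example written for this page, not nFront's own code: the sample dictionary, the substitution table and the order of operations (undo the substitutions, then run the same substring match) are assumptions made here, and nFront's shipped dictionary and implementation may differ.

```python
"""Case-insensitive substring dictionary check with substitution undoing.

Added illustration, not nFront's code. The dictionary and the substitution
table are constructed for this example.
"""

# Constructed sample dictionary: a few entries of the kinds the text
# describes (a common password, seasons, a keyboard pattern, a team, a city,
# names). A real file would have thousands of lines.
SAMPLE_DICTIONARY = [
    "password", "summer", "winter", "qwerty", "giants", "chicago",
    "michael", "sarah",
]

# Assumed substitution table (the usual "leet" replacements). The mapping is
# one-way and lossy: "1" could stand for "i" or "l"; one target is chosen so
# the check stays a single linear pass over the password.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e",
    "1": "i", "!": "i", "7": "t", "+": "t", "|": "l",
})


def load_dictionary(entries, min_len=3):
    """Lowercase and de-duplicate entries. Entries shorter than min_len are
    dropped: as substrings they would match almost any password."""
    words = {e.strip().lower() for e in entries if len(e.strip()) >= min_len}
    # Longest first, so the most specific entry is the one reported.
    return sorted(words, key=len, reverse=True)


def find_dictionary_hit(password, dictionary, undo_substitutions=True):
    """Return the dictionary entry found as a case-insensitive substring of
    the password, or None if the password is clean.

    With undo_substitutions=True the password is first mapped through
    LEET_MAP, so the entry "password" also catches "P@$$w0rd1".
    """
    candidate = password.lower()
    if undo_substitutions:
        candidate = candidate.translate(LEET_MAP)
    for word in dictionary:
        if word in candidate:
            return word
    return None


def contains_name_part(password, username, full_name, min_part_len=3):
    """The username / full-name check the text says you can already do:
    reject a password containing the account name or any token of the
    display name (tokens shorter than min_part_len are ignored)."""
    haystack = password.lower()
    parts = [username] + full_name.replace(",", " ").split()
    return any(p.lower() in haystack for p in parts if len(p) >= min_part_len)


if __name__ == "__main__":
    dictionary = load_dictionary(SAMPLE_DICTIONARY)
    for pw in ["P@$$w0rd1", "$umm3r2025", "Ch1cago!", "correct horse battery staple"]:
        print(f"{pw!r} -> {find_dictionary_hit(pw, dictionary)}")
```

Note that with `undo_substitutions=False` the same "P@$$w0rd1" passes the dictionary check, which is exactly the gap the substitution feature closes; a dictionary of millions of plain entries cannot make up for it unless every substituted variant is spelled out.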
nFront Password Filter can check the HIBP (Have I Been Pwned) database of breached passwords. The database currently contains 847 million breached passwords; the filter can check it in about 60 milliseconds via a local file, or in under half a second via the HIBP API. If your domain controllers are allowed to make calls to internet websites, we suggest the API option. The local file works well and is very fast, but it takes up about 35 GB and must be present on each DC. With the API option, only the first 5 hex characters of the SHA-1 hash of the new password are sent to the HIBP website over HTTPS (so you usually do not need special firewall rules). HIBP returns the suffixes of every hash in its database that begins with those 5 characters, and the filter compares the remaining 35 characters locally to determine whether the new password is in the breached corpus. Neither the password nor its full hash ever leaves the DC.
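The range exchange described above, as an added example for this page (not nFront's code). The range response is constructed so the example runs offline; the `fetch_range_https` function shows the real call against `https://api.pwnedpasswords.com/range/<prefix>` but is not exercised here, and the match count attached to the sample suffix is made up.

```python
"""k-anonymity range lookup as used by the HIBP Pwned Passwords API.

Added illustration, not nFront's code. Only the 5-character SHA-1 prefix is
sent to the service; the 35-character suffix is compared locally.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that goes over the wire and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a
    dict of suffix -> count. Blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password appears in the breached corpus,
    0 if it is absent. fetch_range(prefix) must return the response body
    for that prefix; the password and its full hash never leave here."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the service: only the '5BAA6' range is populated.
# The first suffix is the real SHA-1 suffix of "password"; the count beside
# it and the two neighbouring entries are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0000000000000000000000000000000000A:2",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}


def offline_fetch_range(prefix):
    """Offline fetcher used by the example; unknown prefixes return an
    empty range, which the real service also does when nothing matches."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range_https(prefix):
    """Real lookup over HTTPS (not used by the offline example). The
    Add-Padding header asks HIBP to pad the response with zero-count
    entries so every range looks the same size on the wire; those entries
    never match a real suffix and are harmless to parse."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-checker"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch_range)} times")
```

The DC-side decision is simply `breach_count(...) > 0`; rejecting on any non-zero count is the usual policy, since a password that appears even once in the corpus is already in attackers' wordlists.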
Please check out our Password Policy Guide. It gives a breakdown of password policy choices and presents a couple of policies for you to consider. No two organizations are the same and policy choices will vary based on the company, the industry, compliance, etc.