nFront Password Filter Features
Password Policy Settings
Listed below are all the granular setting that nFront Password Filter has the ability to control. Pick one, or pick them all.
- Minimum password length (set min of 15 char for Domain Admins to thwart Rainbow Table password cracking)
- Maximum number of characters in each password (useful for mainframe limitations)
- *Maximum password age
- *Email users who are within X days of expiration
- **Reject new passwords that match old passwords by more than X characters
- **Reject new passwords that do not differ from old passwords by more than X characters
- Check to see if the password contains 0,1,2,3, or 4 of the following character types
- Minimum / Maximum Lower Case Characters in password
- Minimum / Maximum Upper Case Characters in password
- Minimum / Maximum Numeric Characters in password
- Minimum / Maximum Special Characters (e.g. !,@,#,$,%,^, etc.) in password
- Minimum / Maximum Alpha Characters (i.e. upper or lower) in password
- Minimum / Maximum Non-alpha Characters (i.e. numeric or special) in password
- Minimum / Maximum Space in password (require spaces to encourage use of passphrases)
- Reject passwords that contain vowels (a,e,i,o,u,y)
- Reject passwords that do not meet SAP requirements
- Reject passwords that contain the username
- Reject passwords that contain any part of user's full name
- Reject passwords that contain 2 consecutive identical characters
- Reject passwords that contain 3 consecutive identical characters
- Reject passwords that contain more than 3 consecutive characters from the same character set (e.g. 4 consecutive numeric characters)
- Reject passwords that begin or end with a numeric character
- Reject passwords that begin or end with a special character
- Force the password to contain a numeric character in a specific position
- Force the password to contain a non-alphanumeric character in a specific position
- Perform the dictionary check looking for a case-insensitive substring match with any word in the dictionary
- ***Perform the dictionary check looking for a case-insensitive substring match with any word in the dictionary
- ***Check common character substitutions (like s=$ and E=3) for each dictionary word
* Requires install of nFront Password Expiration Service on one Domain Controller
** Only supported if the password change is sourced from our workstation client or from our nFront Web Password Change product
*** You can edit the dictionary in Notepad. nFront Password Filter can scan over 2 million words in less than 1 second.
Stanford Password Policy support
In April 2014 Stanford University adopted a new password policy that garnered a lot of attention. The policy encourages users to change to longer passwords. Password length is one of the biggest factors to strengthen passwords.
Within one month, we modified the MPE version of nFront Password Filter to support the Stanford Requirements. It is one among many industry firsts (first to control a password filter via GPO, first to offer an x64 version, first to put a password strength meter on the windows password change screen, first to offer length based password aging).
Here are the Stanford Password Policy requirements:
- 8-11 character passwords require the use of upper case, lower case, numeric, and special characters.
- 12-15 12-15 character passwords require the use of upper case, lower case, and numeric characters.
- 16-19 character passwords require upper and lower case characters
- 20+ characters require lower case characters.
Length Based password aging
Wouldn't it be great to reward users with longer passwords the ability to keep them longer? Unless you have a compliance requirmeent to change with a certain minimum frequency, this is a huge win for the users and the IT department.
In October 2015, we released a version with support for length-based password aging. You can setup up to 4 different length and age ranges. Users who choose shorter passwords can be forced to change their password more frequently.