You mean password isn't a secure password?
February 1, 2007 9:07 AM

I need to create a custom password filter for an Active Directory domain. Any cheap or free solutions?

I would like to require strong passwords on our domain but Microsoft's built-in policy doesn't really meet our needs. I understand that it's possible to create your own password filter DLL to replace Microsoft's but I'm not really comfortable doing that with no coding experience. I've looked into some products like Passfilt Pro but they're licensed to the number of Active Directory accounts and that would cost us a fortune with 4,500 accounts (and 3,500 have assigned passwords that can't be changed anyway). Some other products are licensed per DC which doesn't help either since we've got 7 DCs. A product that's either free or licensed per domain would be my preference.

I'd like to stay under $1,000 but could go a little higher if needed. I'd also like to create multiple policies so I can assign groups like Domain Admins a stronger policy, but if the solution was cheap enough one policy would be acceptable.
posted by bda1972 to Technology (5 answers total)
 
What kind of rules do you want?
posted by mrbugsentry at 12:07 PM on February 1, 2007


Response by poster: It's not so much an exact rule we want to apply as it is we want to have the ability to change the policy at will. Microsoft's definition of password complexity suits me fine, but my boss doesn't want it to even be that strict. Our users will definitely bitch and convenience always wins over security (at least in our environment). It's really a miracle he's even letting me apply a password filter of any kind. I think the turning point was when he found out the HR Director's password was 111111 after helping her with a tech problem. That's pretty scary considering the level of access she has to sensitive material.

One desired feature I forgot to mention is the ability to add a dictionary of words that can't be used as passwords. I see the same words (company name, title, etc.) used in passwords over and over again. Is secretary1 really the best password an executive secretary can think of?
posted by bda1972 at 2:25 PM on February 1, 2007


Do consider doing training as well. Help people create memorable passwords that aren't ridiculously insecure. There are a lot of articles and probably ask.me threads about password schemes.
posted by theora55 at 2:52 PM on February 1, 2007


The password complexity in Windows is not that strict. 7 years ago when it was originally introduced in Windows 2000, the password complexity was considered extremely strict, but today I would consider it fairly standard.

Just so you know, the password complexity requirements are as follows:

- May NOT contain all, or any portion of the user's account name.
- Must be at least 6 characters.
- Must contain characters from three (3) of the following categories:
   - Uppercase characters (A through Z).
   - Lowercase characters (a through z).
   - Numbers (0 through 9).
   - Special characters (!, $, #, %).
posted by purephase at 7:14 PM on February 1, 2007
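
An added example, not part of the thread and not Microsoft's code: a Python prototype of the rules as listed in the answer above, combined with the banned-word dictionary and per-group policies the poster asked for. It is useful for trying out a policy on paper before buying or building a filter; it is not a password filter DLL. The names `Policy`, `check_password`, `STAFF` and `ADMINS` are hypothetical, and treating a "portion" of the account name as any 3-character run is an assumption.

```python
from dataclasses import dataclass, field

# Character categories as listed in the answer above.
CATEGORIES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}

@dataclass
class Policy:
    min_length: int = 6          # "at least 6 characters"
    min_categories: int = 3      # "three (3) of the following categories"
    min_name_portion: int = 3    # assumption: shortest account-name run that counts
    banned_words: set = field(default_factory=set)  # site dictionary, lower-case

def name_portions(account, n):
    """Every n-character run of the account name, lower-cased."""
    a = account.lower()
    return {a[i:i + n] for i in range(len(a) - n + 1)}

def check_password(password, account, policy):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < policy.min_length:
        problems.append("too short")
    used = [name for name, test in CATEGORIES.items()
            if any(test(c) for c in password)]
    if len(used) < policy.min_categories:
        problems.append("too few character categories")
    if any(p in lowered for p in name_portions(account, policy.min_name_portion)):
        problems.append("contains part of account name")
    hits = sorted(w for w in policy.banned_words if w in lowered)
    if hits:
        problems.append("contains banned word: " + ", ".join(hits))
    return problems

# Constructed sample policies: a default one and a stricter one for Domain Admins.
STAFF = Policy(banned_words={"secretary", "password"})
ADMINS = Policy(min_length=12, min_categories=4,
                banned_words={"secretary", "password", "admin"})
```

Note that `Secretary1!` satisfies the length and category rules and is rejected only by the dictionary, which is why the word list matters as much as the complexity rule.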


Response by poster: theora55: I agree that training is needed but all I can do is make it available. When we force a password change some users just laugh as they write their new password on a Post-It note and stick it to their monitor. I've brought it to the attention of their supervisors with no luck. We have the same issue with our access control cards. If they lost their building key they would freak out but it doesn't faze them to lose their proximity card that can access every external door 24-7 (another battle I lost).

purplehaze: I agree 100% that the default password filter is not all that strict. All of our network resources are tied to their Active Directory account so they have ONE password to remember for everything. I don't think it's asking too much to have a complex password, but it's not my decision to make. I think my boss' main concern is that he won't be able to loosen the password rules if he gets a lot of complaints.

Back to my original question: does anyone know of a cheap product to create a password filter?
posted by bda1972 at 8:07 PM on February 1, 2007

