Ban weak passwords from Active Directory
Contact UsSpecops Password Policy helps you increase password security in your Microsoft Active Directory environment. The tool extends the functionality of Group Policy, and simplifies the management of fine-grained password policies. Specops Password Policy can target any GPO level, group, user, or computer with password complexity, compromised password list, dictionaries and passphrase settings.
Take a segmented approach and customize your settings to the security needs of various user populations. Assign users who have access to sensitive data more complexity, without hindering usability for less privileged users. Alternatively, replace complexity by allowing passphrases to enforce secure policies without burdening users.
Enhance security by blocking the use of custom dictionary words unique to your organization. Comply with industry regulations by blocking the use of over 3 billion known breached passwords, as well as passwords used in real spray attacks happening right now. Manage password security across your organization simply and effectively!
Dictionary attacks & password leaked lists
You can use a password dictionary, a file containing commonly used and/or compromised passwords, to prevent users from creating passwords that are susceptible to dictionary attacks.
| Feature Highlights | Specops Settings | Microsoft FGPP Settings | Azure AD Password Protection Settings |
|---|---|---|---|
| Create Custom dictionary lists | Yes (no limit) | No | Yes (up to 1000 terms, minimum 4 characters) |
| Blocks used in password spray attacks happening right now | Yes (new compromised passwords added daily) | No | Partially (only uses base terms in global list) |
| Blocked list includes 3rd party breached passwords (as recommended by orgs like NIST and NCSC) | Yes (over 4 billion unique compromised passwords) | No | No ("banned" list is not a leaked list) |
| Find and remove leaked passwords already in use | Yes | No | No |
| Ban partial use of dictionary list word | Yes (full or partial) | N/A | No |
| Ban use of user's first or last name | Yes (full or partial) | No | No partial ban |
| Block 3-letter words, abbreviations, and acronyms | Yes | N/A | No (minimum 4-characters) |
| Ban common character substitution | Yes | No | Missing several |
Password / Passphrase complexity
Complexity is commonly the character types (lower case, upper case, numeric, and special) used in a password. However, complexity is ineffective if it is predictable.
| Specops | Microsoft FGPP | Azure Password Protection | |
|---|---|---|---|
| 5/5 character types | Yes | Only 3/5 character types | N/A |
| Disallow consecutive identical characters | Yes | No | N/A |
| Disallow common character types at the beginning | Yes | No | N/A |
| Passphrase support | Yes | No | N/A |
Password Expirations / History
| Specops | Microsoft FGPP | Azure Password Protection | |
|---|---|---|---|
| Password expiration reminders | Email, Balloon tip | Balloon tip only | N/A |
| Disallow part of current password | Yes | No | N/A |
| Minimum number of changed characters | Yes | No | N/A |
| Password length-based aging | Yes | No | N/A |
Other
| Specops | Microsoft FGPP | Azure Password Protection | |
|---|---|---|---|
| Dedicated password policy reporting tool | Yes | No | No |
| Dynamic password policy display at password change | Yes | No | N/A |
| NIST and NCSC password policy templates | Yes | No | N/A |
| Customize end-user client failed password change message | Yes | No | N/A |
How does it work?
Specops Password Policy is built on the Group Policy engine in Active Directory and works in conjunction with existing password policy functions. It consists of the following components and does not require any additional servers or resources in your environment.
Administration Tools:
Configures the central aspects of the solution, and enables the creation of Specops Password Policy settings in GPOs.
Sentinel:
Verifies whether a new password matches the Specops Password Policy settings assigned to the user. The Sentinel is a password filter at the domain controllers.
Client (optional):
Displays the password policy rules when a user fails to meet the policy criteria when changing their password. Also notifies users when their passwords are about to expire.
What does it look like?
Administrator Experience
The password settings can be configured from the Group Policy Management Editor.
You can configure a password policy to use classic rules, or passphrases.
The Specops Password Auditor component scans and detects security related weaknesses, specifically related to password settings.
The collected information is used to display multiple interactive reports containing user and password policy information.
End-User Experience
Specops Password Policy allows you to customize the messages users see beyond the standard Windows message.
The display options include showing the found dictionary word or the rules the user has passed and still needs to pass.
Dynamic feedback at password change means end users get feedback as they type their new password.
The better end-user feedback means happier users and fewer calls to the helpdesk.
Get a Demo of Specops Password Policy
Interested in seeing how Specops Password Policy and Breached Password Protection can work in your environment? Set up a demo or trial today.
