Lithnet Password Protection for Active Directory

P@ssw0rdis@s3cr3t!

Blocking Individual Words

LPP's filter becomes even stricter if you enable the Reject normalized passwords found in the compromised password store and Reject normalized passwords found in the banned word store settings. For these settings to work, you need to feed the database of words to be blocked with some candidates. To do so, type e.g.:

Import-Module LithnetPasswordProtection
Add-BannedWord Knermann

If you want to exclude a larger set of terms, you don't have to enter them manually. Instead, you can use the Import-BannedWords cmdlet to load entire dictionaries. The cmdlet expects a text file that contains one banned word per line.

Normalization Increases Difficulty

When a user now enters a new password, LPP normalizes it before matching it against the blacklists. Normalization means that the filter first converts a password completely into lowercase letters and also removes spaces, numbers, and special characters at the beginning and end. Furthermore, LPP also understands "Leetspeak" (i.e., the creative replacement of letters with similar-looking numbers and symbols), which is popular on the Internet. For example, the filter normalizes the string "Kn3rm@nn!" to "knermann" and rejects the password change.

You can draw your own conclusions on the effectiveness of the filter rules by trial and error on a client computer, but you might want to use PowerShell instead. The Get-PasswordFilterResult cmdlet lets you test passwords against your set of rules and receive immediate, meaningful feedback on whether and why LPP rejects a particular password.
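To make the normalization rule visible before you start testing real candidates with Get-PasswordFilterResult, here is an added PowerShell example that is not part of the article or of the Lithnet module. It re-implements the steps the text describes (trim non-letters at both ends, lowercase, undo leetspeak) and compares the result with a small constructed banned list. The leetspeak table and the exact-match comparison against the banned word store are assumptions made for this example; the authoritative rules are the ones inside LPP.

```powershell
# Added example, not part of the article or of the Lithnet module: a simplified
# re-implementation of the normalization the article describes, so you can see
# what the blacklist comparison actually operates on. The leetspeak table and the
# exact-match comparison are assumptions; the real rules live inside LPP.

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)

    # Step 1: drop spaces, digits and symbols at the beginning and end only
    $core = $Password -replace '^[^A-Za-z]+', '' -replace '[^A-Za-z]+$', ''

    # Step 2: lowercase everything
    $core = $core.ToLowerInvariant()

    # Step 3: undo common leetspeak substitutions (assumed table, not LPP's own)
    $leet = [ordered]@{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }
    foreach ($symbol in $leet.Keys) {
        $core = $core.Replace($symbol, $leet[$symbol])
    }
    return $core
}

function Test-BannedWord {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$BannedWords
    )
    $normalized = ConvertTo-NormalizedPassword -Password $Password

    # Assumption: the banned word store is matched exactly against the normalized form
    $hit = $BannedWords |
        Where-Object { $_.ToLowerInvariant() -eq $normalized } |
        Select-Object -First 1

    [pscustomobject]@{
        Password   = $Password
        Normalized = $normalized
        Rejected   = [bool]$hit
        BannedWord = $hit
    }
}

# Constructed sample data: the word from the article plus two more banned terms
$banned = @('Knermann', 'Contoso', 'Password')

# 'Kn3rm@nn!' normalizes to 'knermann', '  C0nt050 2024' to 'contoso',
# 'P@ssw0rd!' to 'password'; 'Winter2024' normalizes to 'winter' and passes
@('Kn3rm@nn!', '  C0nt050 2024', 'P@ssw0rd!', 'Winter2024') |
    ForEach-Object { Test-BannedWord -Password $_ -BannedWords $banned } |
    Format-Table -AutoSize
```

Run the same candidates through Get-PasswordFilterResult afterwards; where the two disagree, the difference tells you which substitutions or matching rules LPP applies beyond this simplified version.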

Implementing Recommendations

Enabling the Minimum password length setting enforces a minimum length of eight characters. You can now establish a direct link between length and complexity with the Enable length-based complexity rules option. You can define up to three threshold values for the length, each with different complexity requirements. In this way, you can implement the latest security recommendations and reward users of particularly long passwords with less stringent requirements with regard to password complexity.

For example, you might want to set Threshold level 1 to 13 characters (Figure 4). In the next field, define how many of the four requirements – uppercase letters, lowercase letters, numbers, symbols – a password with fewer characters needs to meet. By way of an example, I selected the highest value: four out of four. Alternatively, you can use checkboxes to specify exactly which of the requirements the password must meet.

Figure 4: LPP rewards particularly long passwords with lower complexity requirements.

You can set Threshold level 2 to 20 characters and specify that passwords with fewer characters must still meet three of the four requirements. The lowest range of the configuration applies to all passwords longer than the second threshold. If you require two of the four requirements there and apply the policy, LPP's password filter now matches the BSI recommendations.
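The tiers just described can be checked offline before you apply the policy. The following PowerShell function is an added example, not code from the article or from the Lithnet module: it encodes the 8-character minimum, the thresholds at 13 and 20 characters, and the 4/3/2 character-class requirements, and reports why a constructed sample password passes or fails. How LPP treats a password of exactly the threshold length is an assumption here (the threshold itself gets the looser rule), as is counting a space as a symbol.

```powershell
# Added example, not part of the article or of the Lithnet module: a re-implementation
# of the length-based complexity tiers described above. Boundary handling at exactly
# 13 or 20 characters and the treatment of spaces as symbols are assumptions.

function Test-LengthBasedComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 8,
        [int]$Threshold1 = 13,               # below this: 4 of 4 classes
        [int]$Threshold2 = 20,               # below this: 3 of 4 classes; at or above: 2 of 4
        [int]$RequiredBelowThreshold1 = 4,
        [int]$RequiredBelowThreshold2 = 3,
        [int]$RequiredAboveThreshold2 = 2
    )

    # The four character classes; -cmatch keeps the upper/lower checks case sensitive,
    # because -match alone would let '[A-Z]' match lowercase letters too
    $classes = @(
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[a-z]'),
        ($Password -match '[0-9]'),
        ($Password -match '[^A-Za-z0-9]')   # symbols, including spaces (assumption)
    )
    $met = @($classes | Where-Object { $_ }).Count
    $length = $Password.Length

    # Pick the tier from the length
    if ($length -lt $MinimumLength) {
        $required = $null
    } elseif ($length -lt $Threshold1) {
        $required = $RequiredBelowThreshold1
    } elseif ($length -lt $Threshold2) {
        $required = $RequiredBelowThreshold2
    } else {
        $required = $RequiredAboveThreshold2
    }

    if ($null -eq $required) {
        $accepted = $false
        $reason = "shorter than the minimum length of $MinimumLength"
    } elseif ($met -ge $required) {
        $accepted = $true
        $reason = "meets $met of 4 classes, $required required at this length"
    } else {
        $accepted = $false
        $reason = "meets only $met of 4 classes, $required required at this length"
    }

    [pscustomobject]@{
        Password   = $Password
        Length     = $length
        ClassesMet = $met
        Required   = $required
        Accepted   = $accepted
        Reason     = $reason
    }
}

# Constructed sample passwords, one per tier plus one below the minimum length:
#   'short'                        -> rejected, below 8 characters
#   'Summer1!'      (8 chars, 4/4) -> accepted in the strictest tier
#   'summertime1'   (11 chars, 2/4)-> rejected, needs 4 of 4
#   'summer holidays 1' (17, 3/4)  -> accepted, needs 3 of 4
#   'long passphrase with spaces' (27, 2/4) -> accepted, needs only 2 of 4
@('short', 'Summer1!', 'summertime1', 'summer holidays 1', 'long passphrase with spaces') |
    ForEach-Object { Test-LengthBasedComplexity -Password $_ } |
    Format-Table -AutoSize
```

Adjust the threshold and class parameters to match the values you enter in the policy, then confirm the real behaviour for the same samples with Get-PasswordFilterResult once the policy is applied.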
