Eliminate shoddy codeword practices with this new product; but do it right the first time, because backing out is hard.

Password Enforcer

Eliminate shoddy codeword practices with this new product; but do it right the first time, because backing out is hard.

• By Robert Pfeiffer
• 08/01/2001

When it comes to network security, the average system administrator is burdened with setting up firewalls, encrypting network traffic and logging security activity. While all of these measures are good, any one of them can be foiled by a compromised password. Because the world has witnessed successful hacks into various banks, not to mention Microsoft's own fortress, administrators must seriously consider the threat posed by simple passwords.

Windows NT 4.0 doesn't provide much ability to force complex user passwords; while Windows 2000 has a simple algorithm that can be enabled, it doesn't do a dictionary check. Thus, both OSes can be seen as vulnerable from a security point of view.

Password Bouncer intends to address these limitations, by allowing NT/2000 administrators to enforce several additional password policies that go beyond the abilities included within Windows OSes.

Figure 1. While some of the options in Password Bouncer are familiar, it goes way beyond the traditional NT and Windows 2000 abilities to enforce password policies.

I was pleasantly surprised at the simplicity of installing Password Bouncer. I executed the program, clicked "Next" and "Yes" a half-dozen timesÑand it was done. One message popped up indicating the "comctl32.dll" file was locked, but this was remedied with a reboot. One note about this installation: It doesnÕt have to be installed on a domain controller (DC). These password requirements can be managed from any NT/2000 server you choose.

After installation, the configuration screen appeared, allowing me to select the Win2K domain to be managed by Password Bouncer. Figure 1 shows the various password options.

The top four password policy options are the very familiar Windows NT/2000 policies, including password expiration and password history. However, Password Bouncer significantly expands those options. If all the options in Password Bouncer were active, hacking a password would be a monumental, if not impossible, task.

Password Bouncer includes a 300,000-word English word list and 4,000 proper names, in contrast to Win2K, which lacks a dictionary check. Custom wordlists with wildcards are also available. For example, you could exclude everything starting with "luv" by using "luv*" as the filter text.

After selecting the domain and initial password complexity requirements, Password Bouncer initializes the policy in the domain. To complete the process, NT PDCs can be automatically rebooted. Win2K DCs and NT BDCs must be manually rebooted. The reboots occur only after initial installation, and future changes to password policies can be applied without restarting.

While implementing these new, complex requirements was simple, it wasn't so easy to back out of them. After several unsuccessful attempts to remove the password requirements, I gave up. Previously, it was acceptable in my test domain to use easy passwords like "dog," "password," and "love," but after de-selecting all the complex requirements unique to Password Bouncer, these simple passwords were still rejected. In fact, I couldn't get "F1shing!" to be accepted. The other annoying problem is that the error message reported doesn't explain what criteria haven't been met, so it requires research to determine why the password failed.

Password Bouncer is a powerful product that allows system administrators to force more complex passwords in NT and Win2K domains, and the functionality included with Password Bouncer is sufficient for even the most secure networks. The only word of caution is to be careful about implementing changes. Proceed slowly, warn the users, test the changes before implementing, and test rolling back to ensure that you have a way out.