Password Policy Enforcer

Password Policy Enforcer features

Helps users to choose passwords

Password Policy Enforcer reduces the number of password-related help desk calls by helping users to choose a compliant password. Users can see the password policy as they enter their password, and are told exactly why their password was rejected. Administrators can customize the policy and rejection messages in 31 languages.

Multiple password policies

Password Policy Enforcer can enforce up to 256 local and domain password policies. Policies can be assigned to users, domain groups, and Organizational Units. You can even exempt some users from the password policy, or allow administrators to bypass the policy when resetting passwords.

Powerful password policy rules

Each password policy has 25 highly configurable rules. PPE can require users to comply with all rules, or it can enforce a more tolerant policy by allowing partial compliance. Rules can be combined to create complex requirements such as "password must contain a numeric character, but not in the first position".

Encourages longer passwords

PPE can reward users who choose long passwords or passphrases. You can configure PPE to relax the password policy for passwords that exceed a certain length. You can also extend the maximum age of long passwords in a domain so that users who choose long passwords do not have to change them as often as users with shorter passwords.

Advanced Dictionary rule

The Dictionary rule is the most important rule because it detects the most vulnerable passwords and has the greatest impact on server performance. Other products have a dictionary rule, but PPE's Dictionary rule is the most effective. It allows administrators to control non-alpha character detection, character substitution detection, bidirectional analysis, wildcard analysis, and match tolerance to give administrators granular control over their password policy. PPE's Dictionary rule is also hundreds of times more efficient than competing products, so it has no noticeable impact on server performance.

Leaked password checking

In addition to the Dictionary rule, PPE can also reject leaked passwords from prior security breaches. The Compromised rule takes less than a millisecond to search a file containing hundreds of millions of leaked password hashes.

Customizable e-mail reminders

PPE can send up to three e-mail reminders to domain users before their passwords expire. This is especially useful for users who logon infrequently, and for remote users who access the network without logging on to the domain.

Integrated policy testing

PPE's integrated policy testing allows you to quickly test your password policy before enforcing it. Use the test results to identify and correct configuration errors, and to determine if the password policy meets your security requirements.

Password synchronization

PPE can execute a program or script when a user changes their password. Your program or script can perform additional processing, such as synchronizing the user's password with another system or application.

ANIXIS Password Reset integration

PPE integrates with ANIXIS Password Reset, a self-service password management system that allows users to reset their password and unlock their account without calling the help desk.

PPE/Web integration

Password Policy Enforcer/Web allows users to securely change their password from a Web browser. PPE integrates with PPE/Web to help users choose a compliant password.