This section will not show if you selected 'Configure for NIST 800-63b Compliance' on the One Click NIST Compliance page.

However, if you selected Customize Settings in Step 4, you can define your own password policy. Note that the Custom Dictionary is available after the Installation Wizard is completed.

By default, Password Policies includes eliminating passwords exposed in data breaches.  Additional setting options are described below.

Check passwords during resets:

Naturally, you want passwords to be scrutinized for all resets, but sometimes you may be in a hurry to complete a reset. For instance, you may need to reset a password for a service account to get an application back online, or someone may need a password in the middle of a presentation. If this setting is disabled, you will be able to reset a password from the DC without it being checked.

Reject common passwords found in cracking dictionaries:

This targets the low-hanging fruit: passwords contained within generic password cracking dictionaries. These include obvious selections such as 12345678, password1 or qwerty123. While we advise that all of these settings be enabled, we strongly recommend enabling this setting at the least.

Fuzzy Password Matching:

This option prevents users from making simple modifications or rearranging characters in their passwords to satisfy password policies. For instance, many users think that substituting numbers for letters (such as the number 3 for the letter E) is a clever practice. This is referred to as leetspeak and, unfortunately, hackers are all too familiar with it. Once a user’s password is compromised, cybercriminals will try multiple variations of the captured password on other sites. Fuzzy Password Matching scrutinizes password changes according to case sensitivity, leetspeak and password reversing. For instance, a user whose password is “iLoveDogs” could try a number of variations to satisfy the basic policy, such as 1lov3dogs, Iloved0gs, iLovedoG$, etc. Fuzzy Password Matching prevents these types of fixes, which password crackers fully expect.

Screen Root Passwords:

Users will often add numbers and/or symbols to the beginning or end of their password in an attempt to reuse the same root password. For example, a user might change their password from "Password123!" to "Password124!". In cases where the original password was compromised for that user, it can be trivial for hackers to ascertain and guess the pattern being used. Enable this option to screen for such root passwords by first dropping any leading or trailing numbers or symbols.

Block passwords containing User’s information:

  • User’s first or last name
  • User’s login name
  • User's email address

It’s common for users to try to simplify their login by using their own information in their password.  Enzoic maps fields from Active Directory to prevent users from using their first name, last name, email address, or login name anywhere within the new password.  If Fuzzy Password Matching is enabled above, variants of the password using leetspeak and reverse spelling will also be blocked.

Password Similarity Blocking:

Password Similarity Blocking uses the same principle as Fuzzy Password Matching but with greater granularity. This option is enabled by default. The Minimum Required Distance sets the minimum number of differences that a new password must contain versus the one it is replacing. For instance, “mustWINin2020” and “mustWINin21” have three differences between them. If the Minimum Required Distance is “5”, then the proposed change will be declined. However, “mustWINin2020” and “mustwinNOW21” exceed the requirement and will be accepted.

The Normalize Password First setting is enabled by default. This feature normalizes passwords prior to conducting a similarity check. The normalization process lowercases the password and removes all leetspeak substitutions. Thus, the password g00dT1m3$ is normalized to goodtimes, so any case or leetspeak combination of the phrase is treated as identical. This means that users cannot alter their existing passwords simply to comply with reset policies.
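
The similarity check described above, sketched in Python as an added example (this is not Enzoic's code). It assumes "differences" are counted as Levenshtein edit distance and uses a constructed leetspeak table; it shows why normalizing first matters for a password like g00dT1m3$.

```python
# Added illustration, NOT Enzoic's implementation. Assumptions: the leetspeak
# table below is constructed for this example, and "distance" is taken to be
# Levenshtein edit distance (which matches the page's count of 3).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase the password and undo common leetspeak substitutions."""
    return password.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute, or free match
        prev = cur
    return prev[-1]


def change_allowed(old: str, new: str, min_distance: int = 5,
                   normalize_first: bool = True) -> bool:
    """True when the new password differs enough from the one it replaces."""
    if normalize_first:
        old, new = normalize(old), normalize(new)
    return edit_distance(old, new) >= min_distance


if __name__ == "__main__":
    # Constructed sample pairs: (current password, proposed password).
    cases = [("mustWINin2020", "mustWINin21"), ("g00dT1m3$", "GoodTimes")]
    for old, new in cases:
        for norm in (False, True):
            verdict = "accept" if change_allowed(old, new, 5, norm) else "reject"
            print(f"{old!r} -> {new!r} normalize_first={norm}: {verdict}")
```

Without normalization, g00dT1m3$ and GoodTimes are six edits apart and would pass a minimum distance of 5; once normalized they are identical and the change is declined.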