Knowing that the most porous spots in a corporation's network security defense are sometimes the simple passwords devised by not-so-clever end-users, Avatier Corp. last week unveiled an administrative tool that sets and enforces policies for the creation of passwords on Windows-based systems.
The company's Password Bouncer Deluxe includes software that lets administrators create policies governing how a password must be constructed from a combination of letters, numbers and/or special characters. Once created, those policies force users to choose passwords that are hardened against brute-force attacks from hackers inside or outside the organization.
Corporations often force employees to change passwords at regular intervals as a security precaution. All too often, however, users pick simple passwords that are easy to remember but susceptible to hackers.
"People spend so much on firewalls and to protect their [network] perimeters, but passwords can be the weakest link," says Nelson Cicchitto, CEO of Avatier. "We extend the password policies in Windows NT and Active Directory so your passwords are harder to hack."
Natively, Windows NT has policies that enforce password length and password history, which prevents a password from being reused for a set period. Windows 2000 Active Directory adds requirements for mixed case, numbers or special characters.
Password Bouncer pushes those requirements up a few notches. Through a wizard-driven interface, administrators can set policies that require both upper- and lower-case letters and that dictate the position of certain characters, such as requiring the fourth character of any password to be a numeral or barring passwords that end with a numeral or special character. Restrictions can also be set on the use of common words and names, company ID numbers, and palindromes (a word, phrase, verse or sentence that reads the same backward as forward).
Administrators also can choose to exempt certain users from the password policies.
The software comes with lists of common dictionary terms in English, French, Italian, German and Spanish that can be barred from use. It also has a list of common proper names and the option to create a customized list of industry-specific or other terms.
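As an added illustration of the policy rules described above (example code, not Avatier's own; the word lists, ID numbers and length threshold are constructed), a minimal filter that reports every rule a candidate password breaks:

```python
# Added example: a password-policy filter of the kind the article describes,
# expressed as a list of independent rules. Not Avatier's code.
import re

# Constructed sample word lists standing in for the product's dictionaries.
DICTIONARY = {"password", "welcome", "company", "bonjour", "ciao"}
PROPER_NAMES = {"nelson", "maria"}
EMPLOYEE_IDS = {"4471"}  # constructed company ID numbers


def contains_banned_word(pw, words, min_len=4):
    """True if any banned word of at least min_len letters appears inside pw."""
    low = pw.lower()
    return any(len(w) >= min_len and w in low for w in words)


def is_palindrome(pw):
    """Compare the alphanumeric core of pw with its reverse, ignoring case."""
    s = re.sub(r"[^a-z0-9]", "", pw.lower())
    return len(s) >= 3 and s == s[::-1]


# (rule name, predicate that returns True when the password satisfies it)
RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("mixed case", lambda p: any(c.isupper() for c in p) and any(c.islower() for c in p)),
    ("a digit or special character", lambda p: any(not c.isalpha() for c in p)),
    ("fourth character must be a numeral", lambda p: len(p) >= 4 and p[3].isdigit()),
    ("must not end with a numeral or special character", lambda p: p[-1:].isalpha()),
    ("no dictionary words", lambda p: not contains_banned_word(p, DICTIONARY)),
    ("no common proper names", lambda p: not contains_banned_word(p, PROPER_NAMES)),
    ("no company ID numbers", lambda p: not any(i in p for i in EMPLOYEE_IDS)),
    ("not a palindrome", lambda p: not is_palindrome(p)),
]


def check_password(pw):
    """Return the names of every rule the password violates (empty list = accepted)."""
    return [name for name, ok in RULES if not ok(pw)]


if __name__ == "__main__":
    for candidate in ["Welcome1", "Ab3-3bA", "Tq!5kxRv", "Xq4a-Pdz7m"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```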
The software installs on a Windows primary or backup domain controller and automatically pushes its filters out to every server connected to the network. Administrators can manage multiple domains from a single console so that rules are consistent across an organization.
Passwords are checked at the time of creation and administrators can post an HTML document on an intranet site explaining the password policies.
Password Bouncer can work in conjunction with another Avatier product called Password Station.Net, a Web-based self-service tool for end-users who have forgotten their passwords. Users initially register their passwords with Password Station and answer a number of questions; the answers are stored in Active Directory. A user who forgets his password goes to a URL and is presented with the questions. If they are answered correctly, the user is shown the forgotten password.
Password Bouncer is available now and is priced per domain. A perpetual license is US$9,995. An annual license is $1,995.