Password Policy Enforcer Improving the Password Policy

Improving the Password Policy

PPE rules have properties that control how PPE enforces each rule. You can improve the effectiveness of the Users policy by enabling "character substitution detection" and "bi-directional analysis".

When character substitution detection is enabled, PPE searches new passwords for common character substitutions. For example, a user may replace an S with a $. If a password only complies with the policy because of the substitution (i.e. the substitution was required to make the password compliant), then PPE rejects the password.

Bi-directional analysis tests passwords with their characters reversed to stop users from circumventing a rule by entering a weak password backwards. For example, a user may try to use "drowssapym" instead of "mypassword".

To enable the character substitution detection and bi-directional analysis properties for the Users policy:

Click the Users policy in the left pane of the management console.

Double-click the User Logon Name icon.

Select the Detect character substitution and Bi-directional analysis check boxes, and then click OK.

Double-click the Dictionary icon.

Select the Detect character substitution and Bi-directional analysis check boxes, and then click OK.

Test the improved Users policy with the weak passwords that were previously accepted. PPE should reject all of them.

Password

Result

Reason

tseTEPP

Rejected

Similar to user logon name

kravdraA

Rejected

Similar to word in dictionary file

Aardv@rk

Rejected

Similar to word in dictionary file

Password	Result	Reason
tseTEPP	Rejected	Similar to user logon name
kravdraA	Rejected	Similar to word in dictionary file
Aardv@rk	Rejected	Similar to word in dictionary file