Password Policy Enforcer

Password policy rules

PPE's password policy rules can enforce almost any password policy imaginable. Each policy has its own rules, allowing you to implement fine-grained password policies on Windows Server 2008, 2003, and 2000.

Character

The Character rules reject passwords that contain, or do not contain, certain characters. These rules check the whole password by default, but you can configure PPE to check only specific character positions (for example, from the second to the fifth character). There are six Character rules, each with its own customizable character set:

  • Alpha Lower (a - z)
  • Alpha Upper (A - Z)
  • Alpha (a - z and A - Z)
  • Numeric (0 - 9)
  • Special (All characters not included above)
  • High (All characters above ANSI 126)

Complexity

The Complexity rule rejects passwords that do not contain characters from a variety of character sets. The required number and selection of character sets are both configurable.

Dictionary

The Dictionary rule rejects passwords that are vulnerable to attack with a dictionary or hybrid cracking algorithm. PPE searches for weak passwords in a customizable dictionary file. The Dictionary rule can detect partial matches, character substitution (e.g. replacing S with $), and character reversal.
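The following is an added illustration of how a dictionary rule of this kind can be implemented; it is example code, not PPE's own implementation. The substitution table and the word list are constructed assumptions (a real deployment would load the word list from a file), and the names `normalize`, `dictionary_match` and `dictionary_rule` are hypothetical.

```python
# Added example (not PPE's own code): a dictionary-rule check that detects
# partial matches, common character substitutions and reversed words.

# Assumed "leet" substitutions to undo before comparing; this is not PPE's table.
SUBSTITUTIONS = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "+": "t",
})

# Constructed sample dictionary; a real deployment loads a word list file.
DICTIONARY = ["password", "welcome", "summer", "dragon", "letmein"]


def normalize(password: str) -> str:
    """Lower-case the password and undo the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def dictionary_match(password: str, dictionary=DICTIONARY, min_word_len: int = 4):
    """Return (word, how) for the first dictionary word found, or None.

    Each word is checked against the raw lower-cased password, the
    substitution-normalized form, and the reversal of both.  Partial matches
    count, so a word embedded in a longer password (e.g. 'xDragon99') is
    still flagged.  Very short words are skipped to limit false positives.
    """
    candidates = {
        "plain": password.lower(),
        "substitution": normalize(password),
    }
    candidates["reversed"] = candidates["plain"][::-1]
    candidates["reversed+substitution"] = candidates["substitution"][::-1]
    for word in dictionary:
        if len(word) < min_word_len:
            continue
        for how, text in candidates.items():
            if word in text:
                return word, how
    return None


def dictionary_rule(password: str) -> bool:
    """True when the password passes the rule (no dictionary word found)."""
    return dictionary_match(password) is None


if __name__ == "__main__":
    for pw in ["P@$$w0rd!", "drowssaP1", "Tr0ub4dor&3", "xDragon99", "c0rrecthorse"]:
        print(pw, "->", dictionary_match(pw))
```

Normalizing before the substring search is what turns `P@$$w0rd!` back into `password`; checking the reversed forms as well catches `drowssaP1`. Raising `min_word_len` trades fewer false positives against missing short words.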

First Character

The First Character rule rejects passwords that do not begin with an appropriate character. Multiple character sets can be flagged as valid or invalid.

History

The History rule rejects passwords that are identical to a recently used password. PPE can enforce this rule for a number of password changes or a number of days.

Keyboard Pattern

The Keyboard Pattern rule rejects passwords that contain keyboard patterns such as "qwerty". Direction changes, repeated keys, and skipped keys can be detected if desired. You can also choose which keyboard layouts are searched for matching patterns.
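As an added example (not PPE's code), the check below shows one way a keyboard-pattern rule can recognise runs of physically adjacent keys on a chosen layout, with direction changes always allowed and repeated or skipped keys counted only when enabled. The layout tables cover only the unshifted keys and are assumptions; the function names are hypothetical.

```python
# Added example (not PPE's own code): a keyboard-pattern check that flags
# runs of adjacent keys on a chosen layout regardless of direction.

# Assumed layouts, rows from top to bottom, unshifted keys only.
LAYOUTS = {
    "qwerty": ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"],
    "azerty": ["1234567890", "azertyuiop", "qsdfghjklm", "wxcvbn"],
}


def key_positions(layout_rows):
    """Map each key to a (row, column) grid position."""
    return {ch: (r, c) for r, row in enumerate(layout_rows) for c, ch in enumerate(row)}


def adjacent(a, b, allow_repeats, allow_skips):
    """Is key b a 'next key' after key a?  Direction does not matter."""
    (ra, ca), (rb, cb) = a, b
    dr, dc = abs(ra - rb), abs(ca - cb)
    if dr == 0 and dc == 0:
        return allow_repeats            # same key pressed again ("qqww")
    if dr == 0:
        return dc <= (2 if allow_skips else 1)  # along a row, maybe skipping one
    return dr == 1 and dc <= 1          # up or down to a neighbouring row


def longest_keyboard_run(password, layout="qwerty", allow_repeats=True, allow_skips=False):
    """Length of the longest run of adjacent keys; non-layout characters break a run."""
    pos = key_positions(LAYOUTS[layout])
    best = run = 0
    prev = None
    for ch in password.lower():
        cur = pos.get(ch)
        if cur is None or prev is None or not adjacent(prev, cur, allow_repeats, allow_skips):
            run = 1 if cur is not None else 0
        else:
            run += 1
        best = max(best, run)
        prev = cur
    return best


def keyboard_pattern_rule(password, max_run=3, layouts=("qwerty",), **opts):
    """True when no searched layout contains a key run longer than max_run."""
    return all(longest_keyboard_run(password, layout, **opts) <= max_run for layout in layouts)


if __name__ == "__main__":
    for pw in ["qwerty", "ytrewq", "1qaz2wsx", "qetu", "correcthorse"]:
        print(pw, longest_keyboard_run(pw), keyboard_pattern_rule(pw))
```

Because adjacency is symmetric, `ytrewq` scores the same as `qwerty`, and `1qaz2wsx` is caught as two vertical runs. Searching several layouts matters for multilingual environments: `azerty` is a six-key run on an AZERTY keyboard but only a four-key run on QWERTY.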

Last Character

The Last Character rule rejects passwords that do not end with an appropriate character. Multiple character sets can be flagged as valid or invalid.

Length

The Length rule rejects passwords that contain too few or too many characters.

Maximum Age

The Maximum Age rule forces users to change their passwords regularly. Multiple expiry modes allow you to gradually introduce a new password policy with minimal impact on users and the help desk.

Minimum Age

The Minimum Age rule stops users from quickly cycling through a series of passwords to evade the History and Similarity rules.

Repeating Characters

The Repeating Characters rule rejects passwords that contain excessive character repetition.

Similarity

The Similarity rule rejects passwords that are similar to a user's current password. Unlike the History rule, PPE's Similarity rule can detect partial matches to deter users from serializing passwords (password1, password2, etc.). PPE does not store passwords or password hashes to enforce the Similarity rule. Character substitution detection and bi-directional analysis can be enabled to increase the effectiveness of this rule.

Unique Characters

The Unique Characters rule rejects passwords that do not contain a minimum number of unique characters.

User Display Name

The User Display Name rule rejects passwords that are similar to a user's Active Directory display name. Configurable parameters include match tolerance, character substitution detection, and bi-directional analysis.

User Logon Name

The User Logon Name rule rejects passwords that are similar to a user's Active Directory logon name. Configurable parameters include match tolerance, character substitution detection, and bi-directional analysis.
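The Similarity, User Display Name and User Logon Name rules all compare the new password against a reference string with a match tolerance, optional character substitution detection and optional bi-directional analysis. The code below is an added example of that comparison (not PPE's implementation): it measures the longest common substring between the normalized password and the reference, and for multi-word references such as a display name also checks each word. The old password is supplied by the caller at change time and nothing is stored, matching the behaviour the Similarity rule describes. The substitution table, the tolerance semantics and the function names are assumptions.

```python
# Added example (not PPE's own code): a similarity check shared by the
# Similarity, User Display Name and User Logon Name rules above.

# Assumed "leet" substitutions to undo when substitution detection is on.
SUBSTITUTIONS = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "+": "t",
})


def normalize(text: str, undo_substitutions: bool = True) -> str:
    """Lower-case and optionally undo common character substitutions."""
    text = text.lower()
    return text.translate(SUBSTITUTIONS) if undo_substitutions else text


def longest_common_substring(a: str, b: str) -> int:
    """Dynamic-programming length of the longest substring shared by a and b."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def similarity(password: str, reference: str, substitutions=True, bidirectional=True) -> float:
    """Share (0..1) of the reference covered by the longest substring it has in
    common with the password; with bidirectional=True the reversed reference
    is tried as well, so 'drowssap' fully matches 'password'."""
    p = normalize(password, substitutions)
    r = normalize(reference, substitutions)
    refs = [r, r[::-1]] if bidirectional else [r]
    best = max(longest_common_substring(p, x) for x in refs)
    return best / len(r) if r else 0.0


def similarity_rule(new_password: str, reference: str, tolerance=0.5, min_part_len=3, **opts) -> bool:
    """True when the new password passes: neither the whole reference nor any
    of its words (display names such as 'John Smith') is shared at or above
    the tolerance.  The caller passes the old password at change time; nothing
    is stored by this function."""
    parts = [reference] + [w for w in reference.split() if len(w) >= min_part_len]
    return all(similarity(new_password, part, **opts) < tolerance for part in parts)


if __name__ == "__main__":
    print(similarity("password2", "password1"))          # serialized password
    print(similarity_rule("Winter2024!", "Summer2024!"))  # shared suffix, rejected
    print(similarity_rule("Sm1th2024!", "John Smith"))    # surname with substitution
```

With a tolerance of 0.5, `Winter2024!` is rejected against a current password of `Summer2024!` because the shared `er2024!` covers more than half of the reference, and `Sm1th2024!` is rejected against the display name `John Smith` once `1` is mapped back to `i`. Lowering the tolerance makes the rule stricter; disabling substitution detection or bi-directional analysis makes it more permissive.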