Ban passwords with Active Directory



Out of the box it looks like there is no way to set up a banned password list in Active Directory similar to what Twitter has recently done. In never-ending efforts to increase security on my network, I would like to ban words from being used as passwords or part of passwords. I require complex passwords already, so common words are not allowed already without either adding caps/numbers etc. to the password. But I would like to take it one step further and ban certain strings in passwords. For example, the string "password" is not allowed with complex passwords required, but a user could use "$$password123$$" as a password. I want that blocked also.

Any advice or suggestions will be greatly appreciated. Thanks in advance.


Can't do it out of the box, but look for a product that makes use of the Windows Password Filter. E.g., looks like Specops Password Filter might do what you're after? There is a demo available.

  • Set any combination of password restrictions: lower case, upper case, digits, special characters
  • Disallow user names in passwords, disallow words from word lists, etc
  • Minimum password length
  • Maximum password length
  • Extended password complexity
  • Password reset rules
  • Different password expiration rules, commonly called password age, on each policy
  • 11 languages supported in the end user password change dialog.
  • Graphical Password Complexity meter
  • Password History
  • Disallow consecutive characters in password
  • Disallow incremental passwords
  • Disable account lockout
  • Automatically send password expiration e-mail
  • Group Policy delegated security model
  • Supports automation through Windows PowerShell or .NET
  • Support for 64-bit Domain Controllers
  • Support for Windows 2008 Server
  • Support for Remote Server Administration Tools (RSAT)
  • Integration with Specops Password Reset
  • Additional password policy requirements; Regular expressions; Disallow backward words in wordlist; Disallow digit as last character
  • New password expiration warning e-mail settings; Configurable sender; Exclude password policy requirements

There may be other products. I've never used such a product before in a production environment. Good luck :)


Thanks, I will take a look at their product.
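
The check asked for in the first post, as an added example that is not part of the thread and not Specops' code: a case-insensitive substring match against a banned list, also read backwards as in the "Disallow backward words in wordlist" feature listed above. The banned list, the function names and the ASCII-only input are assumptions; a Windows password filter DLL receives the password as a UTF-16 string and would run a check like this from its `PasswordFilter` export.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample list; a real deployment would load its own word list. */
static const char *const BANNED[] = { "password", "letmein", "qwerty" };
static const size_t BANNED_COUNT = sizeof BANNED / sizeof BANNED[0];

/* Case-insensitive search in hay for needle, read forwards or backwards. */
static int contains_ci(const char *hay, const char *needle, size_t nlen, int reversed)
{
    size_t hlen = strlen(hay);
    if (nlen == 0 || nlen > hlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen &&
               tolower((unsigned char)hay[i + j]) ==
               tolower((unsigned char)needle[reversed ? nlen - 1 - j : j]))
            j++;
        if (j == nlen)
            return 1;
    }
    return 0;
}

/* Returns 1 if the candidate must be rejected, 0 if it passes this check.
 * A NULL candidate is rejected (fail closed). */
int password_is_banned(const char *candidate)
{
    if (candidate == NULL)
        return 1;
    for (size_t k = 0; k < BANNED_COUNT; k++) {
        size_t nlen = strlen(BANNED[k]);
        if (contains_ci(candidate, BANNED[k], nlen, 0) ||
            contains_ci(candidate, BANNED[k], nlen, 1))
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *samples[] = { "$$password123$$", "99DrowssaP!", "Tr1cky-Horse-Staple" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i], password_is_banned(samples[i]) ? "REJECT" : "ok");
    return 0;
}
```

This check runs in addition to the built-in complexity rule, which "$$password123$$" passes on its own.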
