Product: Specops Password Policy
About a year ago, I was given the opportunity to take a look at Specops Password Policy. In doing so, I found the software to work well and gave it a favorable review. More recently, Specops released version 7.0 of its password policy software. I was curious to see how the software had changed and decided to try it out.
In case you are not familiar with Specops Password Policy, it is a tool for enforcing the use of strong and secure passwords.
The Installation Process
When you run the Setup program, Specops Password Policy displays a splash screen similar to the one shown below. As you can see in the figure, there are a number of different components that you can install. I don’t want to spend a lot of time writing about the installation process, because I covered it in detail in my previous review. However, I will tell you that for the purposes of this review, I installed the Blacklist Arbiter and the Domain Controller Sentinel onto a virtual machine that was running Windows Server 2016. I also installed the Administration Tools and the Specops Authentication Client onto a Windows 10 desktop.
It is worth noting that most of Specops Password Policy’s controls are implemented at the group policy level. When you install the Administration Tools, the Setup program adds a Specops Password Policy container to the Group Policy Editor. You can find this container at User Configuration \ Policies \ Windows Settings \ Specops Password Policy.
Specops Password Auditor
The first thing that I decided to check out was the Specops Password Auditor. The Specops Password Auditor is a tool for scanning the Active Directory in an effort to determine the health of the passwords that are being used. The auditor checks for things like non-compliant passwords and passwords that are about to expire. Specops Password Auditor is available as a standalone freeware tool but is also included in Specops Password Policy. You can see the initial Specops Password Auditor screen shown in the figure below.
Upon clicking the Start Scanning button, the software launches into an Active Directory scan in which it examines users, password policies, user details, and password policy usage. The thing that impressed me about the scanning process, which you can see below, is that it completed in the blink of an eye. While it is true that my lab environment contains only about half a dozen user accounts, the virtual machines were running on aging and poorly performing hardware. The simple fact that the scan completed so quickly in spite of the underlying hardware is a testament to the scanning engine’s efficiency.
The scanning results are displayed on a screen that is similar to the one that is shown in the next figure. As you can see in the figure, the auditor shows you things like which users have administrative privileges, which accounts have passwords that will be expiring soon, and which accounts' passwords have already expired. Perhaps more impressively, the Password Policy Compliance box shows you a color-coded status report based on the password policies that you are using.
I really like the Specops Password Auditor, because it is simple to use and conveys useful information without a lot of clutter. Incidentally, all of the boxes shown in the previous figure are clickable, providing more detailed information. In my opinion, it’s definitely worth your time to try out Specops Password Auditor. You might just be surprised by what you find out about password usage in your organization.
Once I finished examining my lab environment with Specops Password Auditor, I turned my attention to Specops Password Policy. One of the main features that I wanted to try out was the software’s dictionary feature. The basic idea behind this feature is that hackers sometimes attempt to crack passwords by treating the words in a dictionary as a list of potential passwords. The hacker uses a different word from the dictionary for each login attempt. Specops helps administrators to defend against this type of attack by preventing users from choosing passwords that are found in the dictionary.
If you look at the figure below, you can see that the dictionary settings can be found on the administration tool’s Password Rules tab. Specops Password Policy can enforce its dictionary rules based on downloadable and/or custom dictionaries. Incidentally, Specops provides at least half a dozen different dictionaries containing everything from common keyboard combinations to passwords that are known to have been leaked.
One of the things that I particularly liked about the way that Specops has implemented this feature is that there is an option to show users why their chosen password violates the dictionary rules. This helps to reduce user frustration, because if a user’s new password is rejected they will see a detailed explanation of why, as opposed to receiving a generic error message.
Another feature that I decided to check out while evaluating Specops Password Policy is the Blacklist feature. The Blacklist feature allows you to prevent users from using passwords that are known to have been leaked.
You can see what the administrative tool’s Blacklist tab looks like in the figure below. As you can see in the figure, you can configure the Blacklist feature to verify passwords as they are changed, verify passwords as they are reset, or both. There is also a checkbox that you can select to require that users with leaked passwords change their password at the next login.
As you look at the figure above, you will no doubt notice that the Blacklist feature contains options to send notification messages to users who are using blacklisted passwords. I kind of have mixed feelings about these notification options.
On one hand, being able to alert users to the fact that they are using an insecure password is definitely a good thing. On the other hand, the default messages somewhat remind me of some of the phishing messages that I have received over the years. My advice would be to use the notification features but to also educate users as to how to distinguish between a legitimate message and a phishing message. For instance, you might tell them that no legitimate message will ever ask them to click on a link.
The first time that I ever used Specops Password Policy (just over a year ago), I initially thought that it was little more than a graphical front-end to the native group policy password settings. While Specops Password Policy does expose basic password settings such as the maximum password age and the minimum password length, the inclusion of those capabilities is really more of a convenience feature rather than an indication of the software’s true capabilities.
Specops Password Policy might best be described as a tool for augmenting the password-related settings that are built into the Active Directory. In fact, the software gives you extremely granular control over password requirements. You can, for instance, disallow consecutive identical characters, or you might prevent a user from using a digit as the last character of their password. Similarly, you can specify the minimum number of characters that must be changed when a user changes their password. These are just a few examples of the controls that Specops gives you.
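To make the dictionary rule and the granular rules above concrete, here is an added example of a small password-rule evaluator. It is illustrative code written for this review, not Specops code, and it does not reflect how the product implements any rule internally. It assumes a constructed sample dictionary, assumes that a dictionary match is tested case-insensitively and after stripping trailing digits, and assumes Levenshtein edit distance as the measure of "characters changed" between the old and new password (the page does not say how the product measures this). Like the product's "show users why" option, it returns the full list of reasons a password was rejected rather than a single generic failure.

```python
"""Hypothetical password-rule evaluator (added example, not Specops code)."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed sample dictionary: lower-cased entries of the kind a leaked-password
# or keyboard-pattern list would contain. Not a real Specops dictionary.
SAMPLE_DICTIONARY = frozenset({
    "password", "qwerty", "letmein", "welcome", "summer2019", "1q2w3e4r",
})


@dataclass
class PolicyConfig:
    """Assumed policy knobs, mirroring the kinds of rules described in the review."""
    min_length: int = 12
    disallow_consecutive_identical: bool = True
    disallow_trailing_digit: bool = True
    min_changed_chars: int = 4
    dictionary: FrozenSet[str] = field(default_factory=lambda: SAMPLE_DICTIONARY)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings.

    Assumption: used here as the measure of how many characters changed between
    the old and new password; the product's own measure is not documented on the page.
    """
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dictionary_hit(password: str, dictionary: FrozenSet[str]) -> Optional[str]:
    """Return the dictionary word the password reduces to, or None.

    Assumption: matching is case-insensitive and is retried after stripping a
    trailing run of digits, the most common way users 'mutate' a dictionary word.
    """
    lowered = password.lower()
    for candidate in (lowered, re.sub(r"\d+$", "", lowered)):
        if candidate and candidate in dictionary:
            return candidate
    return None


def evaluate(new_password: str, old_password: Optional[str],
             cfg: Optional[PolicyConfig] = None) -> List[str]:
    """Return every reason the new password violates the policy; empty means accepted."""
    cfg = cfg or PolicyConfig()
    reasons: List[str] = []
    if len(new_password) < cfg.min_length:
        reasons.append(f"shorter than {cfg.min_length} characters")
    # (.)\1 matches any character immediately followed by the same character.
    if cfg.disallow_consecutive_identical and re.search(r"(.)\1", new_password):
        reasons.append("contains two consecutive identical characters")
    if cfg.disallow_trailing_digit and new_password[-1:].isdigit():
        reasons.append("ends with a digit")
    word = dictionary_hit(new_password, cfg.dictionary)
    if word is not None:
        reasons.append(f"based on dictionary word '{word}'")
    # The 'characters changed' rule only applies on a change, when the old password is known.
    if old_password is not None:
        changed = levenshtein(old_password, new_password)
        if changed < cfg.min_changed_chars:
            reasons.append(f"only {changed} character(s) differ from the previous password "
                           f"(minimum {cfg.min_changed_chars})")
    return reasons


if __name__ == "__main__":
    for candidate, previous in [("Summer2019", None),
                                ("Purple-Tiger-Vortex!", "Purple-Tiger-Vortex?"),
                                ("Purple-Tiger-Vortex!", None)]:
        verdict = evaluate(candidate, previous)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

Running it shows the value of returning every reason at once: "Summer2019" fails on length, the doubled "mm", the trailing digit, and the dictionary entry in a single pass, so a user fixing only one of them is not sent around the loop again.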
The new dictionary and blacklisting capabilities are designed to give admins even more control over users' passwords and allow for passwords that are unquestionably more secure.
The only thing about Specops Password Policy that I’m not particularly wild about is the initial installation and configuration process. Even though there is nothing particularly difficult about getting the software up and running, I did find myself having to consult the documentation a few times. I will concede, however, that it is possible that I was just having a bad day because I can’t seem to recall having difficulties with the installation process when I reviewed the previous version.
So with all of that said, I like to wrap up all of my reviews for TechGenix by giving them a star rating ranging from 0 to 5 stars, with 5 stars being a perfect score. I really liked Specops Password Policy, and happily give it a gold star rating of 4.5 stars.