Enterprise password policy enforcement software enables IT admins to configure and automatically enforce password policies, to ensure their users are creating and securely using strong passwords. Password policies often mandate requirements such as password length or complexity, account lockout thresholds, and deny lists of weak or commonly used passwords.
Credential-related cyberattacks are on the rise, with cybercriminals using a wide array of brute force attacks, such as dictionary attacks and spraying, to crack user passwords and access their accounts undetected. While we also recommend implementing a multi-factor authentication solution to mitigate the risk of compromised credentials, the first step in ensuring account security is to make sure your employees are creating strong passwords that are hard for a hacker to guess or crack.
This can be difficult to enforce manually, which is where password policy enforcement software comes in. With enterprise password policy enforcement software, IT admins can easily define and update password policies, and automatically enforce those policies across different user groups. On top of that, password policy enforcement providers often supply a deny-list of common, weak, or known-to-be-compromised passwords. Utilizing these lists can increase security, while saving IT resource from being spent looking up and collating lists of passwords that are known to have been exposed.
In this article, we’ll explore the top enterprise password policy enforcement software. These solutions include features such as configurations for password requirements, deny-listing, and Active Directory synchronization. We’ll give you some background information on each provider and the key features of their solution, as well as the type of customer that they are most suitable for.
Enzoic (formerly PasswordPing) is an identity and access provider that helps prevent account compromise by identifying accounts using vulnerable passwords. Enzoic for Active Directory integrates with Active Directory and enables organizations to enforce password policy rules that prevent their employees from using passwords that have been compromised in previous breaches. Enzoic for Active Directory is incredibly easy to install via their setup wizard, which enables all organizations to benefit from their policy enforcement and password screening technology—no matter the experience of their security personnel.
Enzoic’s Active Directory and Azure AD plugin checks new passwords against their database of known compromised credentials and prevents employees from using any of their blacklisted passwords. This database is updated daily to ensure that no users are using passwords that have been exposed, even in the most recent breaches. This helps prevent brute force and credential stuffing attacks, which utilize lists of common passwords to gain access to corporate accounts. The regular database updates also enable Enzoic to flag the compromise of any existing user passwords, so these can be updated to minimize any damages.
As well as ensuring end users are creating stronger passwords, Enzoic provides system admins with regular reports into the state of their password security and whether there are any compromised users on their network who haven’t updated their passwords. It’s important to note that, unlike some of the other solutions on this list, Enzoic does not enable the configuration of an entire password policy; rather, it allows admins to enforce the rule that known compromised passwords may not be used. We recommend Enzoic’s plugin as a useful tool for any sized organization looking specifically for password compromise alerting and to prevent the use of compromised passwords.
ManageEngine, a division of Zoho Corporation, is a provider of IT management software solutions designed to help businesses integrate and optimize their IT processes. ADSelfService Plus offers self-service password reset and account unlock, endpoint multi-factor authentication, single sign-on to enterprise applications, Active Directory-based multi-platform password synchronization, password expiration notification, and password policy enforcer. It is available as a stand-alone solution, or as a part of ManageEngine’s identity and access management solution, AD360.
With ADSelfService Plus, admins can create custom password policies that integrate seamlessly with Active Directory’s native policies, ensuring that users create strong, unique passwords that are more difficult to crack with brute force. The policy can help define the length and types of characters used in a password. Admins can also restrict palindromes, the use of consecutive characters from old passwords and predictable patterns. Admins can also create a blacklist of commonly used dictionary words and create rules that allow users to bypass complexity requirements when their password’s length exceeds a defined limit.
End users can easily reset passwords no matter where they are via the web portal or mobile app. For added security, admins can enforce MFA, requiring users to verify their identities before they’re able to reset a password, to help prevent account takeover attacks. The password policy can be enforced for Active Directory, Azure, GSuite and Salesforce among other user directory and password reset tools, and is compatible with Windows, Mac and Linux. Additionally, the solution is offered in two editions: Standard, which includes self-service password reset, a password expiry notifier, and a self-service directory update tool; and Professional, which includes the Standard features plus cached credential updating and MFA for Windows, macOS, Linux, VPN and OWA logons.
Customers praise ADSelfService Plus for its ease of use and intuitive interface, and its seamless integration with Active Directory’s native policies. We recommend ADSelfService Plus as a strong tool for organizations wanting to enforce a strong password policy, as well as provision self-service password resets to reduce help desk tickets.
Ivanti is a cybersecurity provider specializing in zero trust identity, unified endpoint management and service management solutions to help organizations achieve a better overview of their network and secure all devices and users connecting to it. Password Director is Ivanti’s password policy enforcement and self-service reset software, designed to keep employee accounts secure while reducing strain on IT help desk resources. Password Director is available as a stand-alone solution, or as a part of Ivanti’s wider identity and access management solution.
Password Director features simple—but robust—password policy creation and enforcement tools which enable admins to define the length and complexity of user passwords. When a user creates a password, they’re told in real-time whether the password meets the policy requirements, so they don’t have to retrospectively strengthen them or contact the help desk if a password is denied. Admins can also add an extra layer of security to account access by enforcing multi-factor authentication via email, security questions or a one-time PIN, so users must verify their identities before they can reset a password or unlock an account, helping prevent account compromise. Password Director also provides a complete audit trail of all password reset and account unlock actions, making it easier for organizations to keep up with auditing and compliance requirements.
Ivanti Password Director supports policy enforcement within Active Directory, Salesforce and Concur, among other user directory and password reset tools, and is compatible with Windows, Mac, Linux and Unix, as well as mobile and virtual clients. Additionally, the solution offers multi-language support, making it easy to help users create stronger passwords no matter where they’re based. We recommend Password Director for organizations who want to simplify the process of creating secure, strong passwords for their end users, and add an extra layer of protection against account compromise.
JumpCloud is a cloud-based directory platform that enables organizations to secure employee access to all business resources with password policy enforcement, multi-factor authentication, and single sign-on. The solution also features reporting and monitoring tools to help admins manage these processes. JumpCloud Cloud Directory follows SAML, LDAP and RADIUS protocols and is compatible with Mac, Windows and Linux devices. It integrates at the directory level with Active Directory, Microsoft 365 and Google Workspace to ensure all organizations can manage and secure access to corporate accounts.
JumpCloud Active Directory enables admins to configure password complexity and expiration requirements to ensure all users are creating strong passwords and rotating them regularly, helping to minimize the risk of a successful brute force attack due to the use of weak or static passwords. Admins can also configure “brute force lockout” so that, if an account is attacked with brute force, the attacker won’t be able to gain access to it. Admins can set alerts for user lockouts, upcoming password expirations and expired passwords, making it easier to keep on top of unsecure accounts and mitigate any risk. As well as enforcing password policies, JumpCloud offers in-built multi-factor authentication (MFA) and conditional access policies that define which devices can access certain resources.
JumpCloud offers a range of API-based integrations that make it easy to provision new accounts and import existing ones, as well as connect the platform with your existing applications. This makes it easier to manage access to all corporate resources via one holistic platform. We recommend JumpCloud to organizations looking not only for robust password policy enforcement, but a comprehensive, central user directory platform that also lets admins enforce multi-factor authentication and single sign-on.
Netwrix provides password management solutions that help system admins manage and secure access to their companies’ networks. Password Policy Enforcer is their policy enforcement software that enables businesses to implement and manage granular policies across user and admin accounts. It ensures that all employees are using strong passwords by checking new passwords for compliance with your password policy and rejecting non-compliant passwords, helping to protect your Active Directory against brute force attacks.
With Netwrix Password Policy Enforcer (PPE), system admins can configure up to 256 local and domain password policies. Each policy can be assigned to users, domain groups and organizational units, and has over 20 highly customizable rules, including password length, age and complexity, and settings allowing partial compliance or exemption in certain circumstances. The “Dictionary” rule enables admins to disallow the use of the most vulnerable passwords with no noticeable impact on server performance. The “Compromised” rule sets PPE to compare new passwords to a database of leaked password hashes, ensuring that users aren’t using passwords compromised in previous security breaches. The Netwrix PPE tool is also easy to navigate for end users: they can see the policy when creating a new password and, if a password is rejected, they are immediately told why.
Netwrix PPE is highly flexible, offering granular customization options across the platform, including in terms of accessibility: both the policy itself and rejection messages can be customized in multiple languages. On top of this, Password Policy Enforcer integrates with your Active Directory for ease of management, as well as with Netwrix’ other password management solutions, which make it easier for users to reset or change passwords without calling the help desk. We recommend Netwrix PPE as a strong password policy enforcement software for any organization looking for granular customization and compromised password checking.
nFront Security, a division of Altus Network Solutions, is a cybersecurity provider that specializes in network security solutions. nFront Password Filter is their flagship solution, which enables organizations to define granular password policies to mitigate the risk of account compromise. nFront Password Filter supports Windows Active Directory and Microsoft SQL servers, and is trusted by organizations in over 20 countries to secure employee access to corporate assets.
nFront Password Filter offers extremely granular policy configuration options, with over 40 settings for each policy, so that admins can set requirements to meet the exact compliance and security needs of their organization. Policies include defining minimum and maximum numbers of each type of character, rejecting passwords that include usernames and a dictionary checking rule that filters new passwords against a multi-language dictionary of over two million weak passwords, and 700 million breached passwords. The filter supports policy configuration for passphrases. nFront Password Filter allows organizations to create up to 10 different policies per domain, and each policy can be assigned to different groups, i.e., regular users, system admins and security groups. Because the solution is controlled via a single Group Policy Object configuration, admins needn’t worry about policies negating one another when assigned to overlapping user groups, ensuring comprehensive protection at all account levels.
nFront Password Filter is easy to deploy via a simple wizard that installs the software on all domain controllers. Once installed, admins can select an ADM or ADMX template to get started, and immediately begin configuring their policies. We recommend nFront Password Filter as a strong solution for any sized organization that uses Windows operating systems, and is looking for highly granular password and passphrase policy configuration to meet security and compliance needs.
safepass.me is an Active Directory password security platform that enables organizations to easily create and enforce strong password policies to filter and audit user passwords. Easy to deploy with a simple setup wizard and pre-configured policies, safepass.me’s solution offers account security in as little as five minutes. safepass.me is available in three packages: Pro, Pro + Pwncheck and Enterprise, which includes full policy customization, whitelisting, custom policy creation and unlimited reporting of compromised passwords.
safepass.me Enterprise’s “Pwncheck” feature audits new passwords against a database of legacy, shared and breached passwords to ensure that employees are using the most secure passwords. This enables organizations to comply with the NIST and NCSC requirements to check user passwords against public database breaches. With the Enterprise package, admins can run unlimited Pwncheck reports, which tell them if a user’s password has been compromised since creation and needs updating. Admins can also set policies such as word or phrase exclusions, as well as allow the whitelisting or overriding of specific policies in certain circumstances. Once configured, the solution runs in the background.
safepass.me Enterprise is Windows native, and can be managed via PowerShell and Windows Event Logs, where a comprehensive audit trail of all password change actions is stored for compliance and auditing purposes. The solution integrates with Office 365, Azure Active Directory and air-gapped networks for easy onboarding across existing directories. We recommend safepass.me Enterprise as a strong, easy-to-use solution for organizations looking to enforce a password policy that includes regular checking of compromised passwords to comply with NIST and NCSC guidelines.
Specops is a user authentication and password management provider that helps organizations secure account access via a number of Active Directory native solutions, including key recovery, password policy enforcement and multi-factor authentication. Specops Password Policy is their password policy enforcement tool, designed to help users create stronger passwords and help businesses both remain secure and meet their compliance requirements. The solution supports password and passphrase policy enforcement at a user, group or computer level, ensuring comprehensive security at all business levels.
With Specops Password Policy, admins can easily detect compromised passwords within their environment and instruct users to strengthen them, to reduce the risk of account compromise. Weak passwords are detected by the “Breached Password Detection” feature, which compares existing passwords to a database of over two billion compromised passwords and to admin-customized dictionary lists, which can be used to block words specific to an organization, such as the company name or display names. Users are given real-time feedback on password strength as they create it and, if a user is required to update their password, they are messaged automatically with instructions on how to update and strengthen the password, thereby reducing help desk strain. Users are also automatically notified by email when passwords are due to expire.
Specops Password Policy’s powerful automation and self-service capabilities make it easy to run once set up, greatly reducing the number of tickets raised with the IT help desk or security team while ensuring that accounts are protected against even the newest credential-related breaches. Specops supports over 25 languages, making it a strong solution for organizations with a global workforce who want to enforce a strong password or passphrase policy.
Stealthbits, merged with data security vendor Netwrix since January 2021, is a cybersecurity provider specializing in data protection via credential and access security. Their flexible platform offers a range of solutions, such as data access governance, active directory security and privileged access management, which help organizations manage and secure user access to sensitive corporate data, as well as meet compliance requirements. StealthINTERCEPT is their real-time password policy enforcement and threat protection software targeted at large organizations looking to stop credential-based attacks against their Active Directory.
Stealthbits StealthINTERCEPT offers robust password policy configuration that enables admins to set password length and complexity requirements, as well as a blacklist for well-known passwords, to help users create stronger passwords. The solution integrates directly with Have I Been Pwned’s database of compromised passwords, checking new passwords against this list and denying the use of known breached passwords to help prevent credential stuffing attacks. StealthINTERCEPT also logs all password changes automatically, creating comprehensive audit logs for easier proof of compliance. As well as helping enforce password policies, StealthINTERCEPT monitors login attempts for the use of weak protocols or encryption and blocks any unauthorized access requests, as well as unauthorized changes to policies. Admins can set up custom alerts for threat detection and incident response.
StealthINTERCEPT offers a range of integrations with SIEM and UBA solutions such as Splunk and QRadar for ease of management and a more centralized overview of threats across the network. We recommend StealthINTERCEPT as a strong policy enforcement solution for larger enterprises, particularly those already considering investing in one of Stealthbits’ other identity and access security solutions.
What Is A Password Policy?
A password policy is a set of rules that improves account security by ensuring that all users create strong passwords for each of their accounts. These rules might mandate password length or complexity requirements or an account lockout threshold, for example. Usually, a password policy is enforced as part of an organization’s regulations, and users are made aware of the policy during their induction and as part of their security awareness training.
How Do You Create A Strong Password Policy?
There are a few best practices you may want to enforce as part of your password policy to ensure users are creating and using passwords securely. Here are our recommendations:
- Set a policy requiring users to change passwords if your business finds evidence of a breach.
- Set a policy for password/passphrase length.
- Create a deny list of common and weak passwords that you don’t want to be used.
- Set an account lockout threshold—we suggest a lockout period of 15 minutes after 5-10 unsuccessful attempts.
- Enable inactive account locking, which defines how long an account can stay logged in when not in use.
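As an added illustration (not code from any vendor described on this page), the following Python sketches how a policy enforcer applies the rules above: a minimum length, a deny list of weak passwords, a check that the password does not contain the username, a comparison against a set of breached-password hashes in the spirit of the Netwrix “Compromised” rule and the Have I Been Pwned integration, and a lockout of 15 minutes after 5 failed attempts. The deny list, the breached hashes and all usernames are constructed sample data.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: a tiny deny list and a set of SHA-1 hashes standing in
# for a breached-password database (real deployments use a vendor feed or a
# Have I Been Pwned style hash list, never a handful of hard-coded entries).
DENY_LIST = {"password", "welcome1", "letmein", "qwerty123"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2021!", "Company123", "P@ssw0rd")
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format breached-password hash lists commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def evaluate_password(password: str, username: str, min_length: int = 14) -> list[str]:
    """Return the policy rules the candidate password violates (empty list = accepted)."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if password.lower() in DENY_LIST:
        violations.append("on the deny list of weak passwords")
    if username.lower() in password.lower():
        violations.append("contains the username")
    if sha1_hex(password) in BREACHED_SHA1:
        violations.append("found in breached-password database")
    return violations


@dataclass
class LockoutTracker:
    """Account lockout: lock for `lockout_seconds` once `threshold` failures accumulate."""
    threshold: int = 5
    lockout_seconds: int = 15 * 60
    failures: dict[str, int] = field(default_factory=dict)      # user -> failed attempts
    locked_until: dict[str, float] = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout period has elapsed: clear state so the user may try again.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.threshold:
            self.locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter."""
        self.failures.pop(user, None)
```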