Flexible password complexity filters for Active Directory
WizardSoft ActivePasswords is a lightweight (smaller than 1 MB), but powerful and fully customizable password strength utility for Microsoft Active Directory networks. It gives you fine-grained control of Active Directory password complexity enforcement. ActivePasswords makes it easy to centrally manage multiple password complexity policies for Active Directory users in a selection of security groups and/or organizational units. The tool allows you to comply easily and affordably with the NIST 800-63 password guidelines without disrupting your existing Windows network.
some of our customers:
Force use of strong passwords
Our tool ensures that your end-users use strong passwords while limiting help desk calls related to Windows passwords. It's a powerful password rules validator for Windows Server. Native code means fast execution and reliable in use. ActivePasswords uses official Windows API hooks to achieve its goals and is unicode aware. It needs only one DLL file, which translates to easy installation and configuration with no software bloat on your Domain Controller servers.
A -no questions asked- trial is available for download . You also want to read the QuickStart Manual. If no license key is entered, ActivePasswords will be fully functional for 30 days after installation. After this period ActivePasswords will go into a basic run-mode and your servers will continue to function like they did before installing ActivePasswords.
Optionally configure actions to run when a password is changed. This can be used to sync the AD password to other applications or websites like Office 365 and Google Apps.
Real fine-grained password settings
Apply detailed password settings to one or more security groups and/or organizational units. If an organizational unit is specified, the password policy will apply to any user in or under this OU. It integrates with and manages its own MS FGPP's (used for things like max. password age, lock-out threshold, etc.); everything configurable centrally through group policy management.
Password change reminder
Optionally run the small PCR tool (PasswordChangeRequest) on client computers. It periodically asks the user to change his password, starting 8 days before her password expires. Users see a customizable top-level message pop-up requesting a password change. This is much better than the behaviour of Windows: it displays a small balloon tip for a short moment that says 'consider changing your password'…
Disable inactive accounts
User accounts that have not logged on for a specified number of days can be automatically disabled to prevent abuse.
With ActivePasswords you decide what complexity requirements must be satisfied when a domain password is changed or reset. Settings are centrally configured with Group Policy.
Apply different password policies to targeted Active Directory security groups and/or organizational units. In a school environment students can have a relatively simple password while teachers are forced to use strong passwords. All password configuration, including the Windows fine-grained password settings, happens at one central location: the group policy management console.
ActivePasswords Settings (all optional)
- Minimum & maximum password length
- Minimum number of words (enforce the use of a password phrase)
- Maximum number of repeated characters (prevents a password like 'Aaaaaaa1')
- Maximum number of sequential characters (prevents '1234Dcba')
- Minimum number of upper case letters
- Minimum number of lower case letters
- Minimum number of special characters (like @, %)
- Minimum number of character categories
- Must not contain a space
- Must not contain any vowels (aeiou)
- Only allow specified characters
- Forbid specific characters
- Does not contain any part of the username or first or last name
- Does not contain any custom forbidden/denied words (read from utf-8 text file or group policy)
- Does not contain any obfuscations/alterations of forbidden words or name
- Validate the password against a regular expression ('abC' will pass '[a-z]b[A-Z]'; 'abc' won't)
- Validate the password on change and optionally reset event
- Have I Been Pwned web service blacklist check for compromised passwords
- Password change policy
- Password lockout policy
ActivePasswords has no problem with an forbidden-word-dictionary that contains ten-thousands of words. These words may not make up more than a configurable percentage of the password. E.g. myPassword12 will not pass the test if the word password is in the list.
ActivePasswords rule example:
- the password has at least 2 character categories (e.g. upper and lowercase or lowercase and number)
- may not contain the username, first or last name
- is at least 8 characters long
- may not contain the common words like 'password, welcome, login and company' or obfuscations of these words like 'P@ssw0rD'
- is checked on password change and reset events
Installation is simple: install ActivePasswords on each of your domain controllers (Windows Server 2008(R2), 2012(R2), 2016, 2019 and 2022 are fully supported), reboot, configure the group policies to your liking and you are done. No need to touch desktops and laptops. You can keep track of password related events through the Windows event viewer and log files.
ActivePasswords pricing is based on the number of enabled and targeted Active Directory users and is subscription based. A subscription gives you usage rights, updates and e-mail support for 1 year. Only $1.30 (€1.10) per user per year! (a minimum amount of 50 licenses applies)
We offer a substantial discount to educational institutions. Contact us by e-mail for discount details using your campus e-mail address.
Please contact us via email@example.com should you have any questions or suggestions!
*Digital River GmbH (Share-it) and 2Checkout (Avangate) are our sellers and handle payment and invoicing.