Review: MDD password bouncer
MDD's Password Bouncer helps network managers enforce strong password policies.
Because passwords are the only layer of protection against unauthorized access on most systems, their use is essential and the selection of strong passwords is required. Even though the importance of passwords is well known and often communicated to users through password policies and security awareness programs, enforcing password selection policies, especially at the operating system level, has been difficult. MDD's Password Bouncer helps solve this problem by providing a way to seamlessly enforce strong password policies on a Windows NT or 2000 network.
Password Bouncer is an effective solution. It is easy to install, simple to configure and doesn't add any undue burden to users. It sits on the domain controller as a Dynamic Link Library (DLL) and uses a management graphical user interface to create and modify password policies. To enforce strong password policies, Password Bouncer lets administrators require mixed-case letters, numbers or special characters in specific positions, and reject palindromes and passwords that include user names. Password Bouncer also contains a 300,000-word English dictionary and 4,000-word list of proper names that can be checked during the password creation process (an upcoming edition will provide multilanguage dictionary files). Any password that is found in either of these lists is rejected. Because users are creating stronger passwords, there is a good probability they will just write them down or forget them more often. Password Bouncer does not address these issues; they need to be dealt with at a policy level in organizations. Users need to become accustomed to selecting strong passwords. When they do, it will just become second nature to them.
Components
Password Bouncer includes three main components: the client, the service and the DLL. The three work together to deploy and enforce strong password policies. The client is the management interface that is used to obtain licenses, configure password policy and send requests to the service to publish the new password policy to all domain controllers. The service, which can run on any Win 2000 or NT workstation, member server or domain controller (and must run under a domain administrator account), updates the password policy on all domain controllers. The DLL sits on each domain controller and enforces the password policy each time a user's password is reset.
Installation of Password Bouncer was very simple. The program can either be installed completely on the domain controller, or the client and service can be installed on a different system for easier administrative access. Using a standard Windows installer, the entire process took about 10 minutes. During installation, you can choose the domains you want protected. Multiple domains can be protected, but the appropriate trust relationships must be in place for multidomain coverage.
After copying the DLL files and rebooting the domain controllers, you can then define the password policy. Password Bouncer extends and strengthens the existing Win 2000 or NT password policy. For example, with Win 2000, the domain password policy requires a password to have at least three of the following four characteristics: upper case, lower case, numeric and special character. Password Bouncer extends this policy by letting administrators specify the position of these characters within the password. Once this policy is defined (or subsequently modified), the service will update the domain controllers every 24 hours.
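The policy rules described above (the three-of-four character-class rule, position-specific character classes, rejection of palindromes and of passwords containing the user name, and dictionary and proper-name lookups) as an added Python example; this is not Password Bouncer's own code, and the tiny word lists and the shape of the position rules are assumptions.

```python
import string

# Constructed sample word lists standing in for the product's 300,000-word
# dictionary and proper-name files (assumption: only a few entries here).
DICTIONARY = {"password", "welcome", "summer", "dragon"}
PROPER_NAMES = {"mandy", "michael", "jennifer"}

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def check_password(password, username, position_rules=None, min_length=8):
    """Return the list of policy violations; an empty list means accepted.

    position_rules maps a 0-based index to a character class name, e.g.
    {0: "upper", 3: "digit"} (an assumed shape; the product's UI is not shown).
    """
    errors = []
    if len(password) < min_length:
        errors.append(f"shorter than {min_length} characters")
    # Windows 2000 complexity rule: at least three of the four classes.
    present = {name for name, chars in CLASSES.items()
               if any(c in chars for c in password)}
    if len(present) < 3:
        errors.append("needs at least three of upper, lower, digit, special")
    # Position-specific requirements, Password Bouncer's extension of the rule.
    for index, cls in (position_rules or {}).items():
        if index >= len(password) or password[index] not in CLASSES[cls]:
            errors.append(f"position {index + 1} must be {cls}")
    lowered = password.lower()
    # Palindromes such as "Abc11cbA" read the same backwards and are rejected.
    if lowered == lowered[::-1]:
        errors.append("password is a palindrome")
    # Any password containing the user name (case-insensitively) is rejected.
    if username and username.lower() in lowered:
        errors.append("password contains the user name")
    # Dictionary and proper-name checks run on the alphabetic core as well as
    # the whole string, so "Dragon99!" is still caught.
    core = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY or core in DICTIONARY:
        errors.append("password is a dictionary word")
    if lowered in PROPER_NAMES or core in PROPER_NAMES:
        errors.append("password is a proper name")
    return errors
```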
After installation, Password Bouncer takes effect on the next password change. If a user selects a password that does not adhere to the implemented password policy, he receives an error message. This error message does not provide much help to the user. Another product, Password Policy Enforcer by TP Information Systems, lets administrators customize error messages to help users understand why their password is not valid. Having this feature on Password Bouncer would greatly improve its usability.
Password Bouncer also allows only one password policy for all accounts across all domains being protected. Password Policy Enforcer allows multiple policies for domains, and Password Bouncer should also include this feature. Some accounts are more sensitive than others and require a stronger password policy. If you used Password Bouncer to enforce all password requirements, you would require all accounts to use the stronger password policy, which may not be necessary for all users.
Although Password Bouncer is effective in enforcing a strong password policy, it adds a bit of delay in the password change process. This process is not critical, so a delay of a few seconds is not that great of an inconvenience. Additionally, any service accounts or scripted passwords need to be analyzed and changed to adhere to the new password policy.
Even though the installation process is simple, the server reboot and changes in password policy implemented by this product may require careful planning and user education. The Password Bouncer documentation is surprisingly thorough and includes a step-by-step process to help deploy Password Bouncer throughout the company.
Conclusion
Password Bouncer is an excellent tool to help enforce a strong password policy across a company. At $1,000 for an unlimited number of users, it is one of the most cost-effective security solutions. This is certainly money well spent, because recovering from a security breach due to a "cracked" password would certainly cost more than $1,000. While Password Bouncer works well, a few feature changes, such as customizable error messages and support for multiple password policies, would make its enterprise functionality that much greater.
Password Bouncer 1.0
SCORE: 4.35
COMPANY: MDD, (800) 609-8610, www.mddinc.com
PRICE: $995 for unlimited users.
PROS: Easy to install; no client configuration required.
CONS: Can't customize error messages; can't have multiple policies; requires domain controller reboot.

SCORING KEY:
5: Exceptional showing in this category. Couldn't be better. May define the standard for excellence in this category.
4: A very good showing in this category. Although there may have been room for improvement, this product was much better than average.
3: An average showing in this category. The product was neither especially good nor exceptionally bad.
2: A below average showing in this category. The product lacked some features or had lower performance than other products, or than was expected from a product in this category.
1: Considerably sub-par, or lacking features being reviewed. A 1 is the lowest score that can be awarded.
RELATED LINKS
Andress is president of ArcSec Technologies, a security consulting firm. Her book, Surviving Security, was recently published. She can be reached at mandy@arcsec.com.
In real life, smart cards are gaining on passwords alone
As you plan your hardware and software rollouts, consider at least prestaging card readers or other devices so you'll be ready for this technology.
Network World, 07/16/01.
Password policies
Connectotel released a new version of its Password Policy Manager for Novell Directory Services (NDS). This is a security add-on which provides centralized management and real-time enforcement of password policies.
Network World Fusion newsletter, 09/27/00.
Novell upgrades Single Sign-on
Latest version adds new features for managing multiple user names and passwords.
Network World, 01/15/01.