Feature Post: Password DoubleCheck

Everyone in IT knows that end-users have a dirty habit of just adding numbers to the end of their passwords. Every time their password expires, they see that prompt and simply change the number at the end of their “real” password (it’s probably also the next number in sequence). Well, Password Firewall has a feature called DoubleCheck that stops this practice. This is how it works.

When a user picks a password, it gets checked against the Active Directory password policy. If it meets the policy, then Password Firewall checks to make sure it isn’t blacklisted. If the blacklist query comes back negative (the password is not on any blacklists) then the password is allowed. This is normal behavior.

But if you enable DoubleCheck, another check is performed before the password choice is allowed. Password Firewall strips any trailing digit characters (0-9) from the end-user's password choice and then queries this "new" password against the blacklists. If the blacklist query comes back negative this time, the password is allowed. If the blacklist query comes back positive, then we have an end-user who is choosing a known bad password and simply adding a number or two at the end. This isn't very secure, so Password Firewall (with DoubleCheck enabled) will make the end-user pick a new password.
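The decision flow just described, as an added example that is not Password RBL's own code. The blacklist is a constructed in-memory set standing in for the curated, Pwned Passwords and custom blacklist queries, the Active Directory policy check is a simplified stand-in, and the handling of an all-digit password (nothing left to re-check) is an assumption made for this example only:

```python
"""Illustration of the normal check followed by the DoubleCheck re-query."""
import string
from typing import Tuple

# Constructed blacklist (assumed content) standing in for every configured list.
# Lookups are exact-string matches, as a hash-based blacklist query would be.
BLACKLIST = {"Password", "Welcome", "Summer", "letmein", "qwerty"}


def meets_ad_policy(password: str, min_length: int = 8) -> bool:
    """Simplified stand-in for the Active Directory password policy."""
    return len(password) >= min_length and any(c.isalpha() for c in password)


def is_blacklisted(password: str) -> bool:
    """Stand-in for the blacklist query (the real lookups go to remote lists)."""
    return password in BLACKLIST


def strip_trailing_digits(password: str) -> str:
    """DoubleCheck's transformation: remove digits only from the END of the string."""
    return password.rstrip(string.digits)


def evaluate(password: str, doublecheck: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) following the flow in the post."""
    if not meets_ad_policy(password):
        return False, "fails AD password policy"
    if is_blacklisted(password):
        return False, "blacklisted"
    if doublecheck:
        stripped = strip_trailing_digits(password)
        # Assumption for this example: if the password was all digits there is
        # nothing left to re-check (the AD policy would normally reject it anyway).
        if stripped and stripped != password and is_blacklisted(stripped):
            return False, f"blacklisted once trailing digits are removed ({stripped!r})"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["Password1", "Welcome2024", "Welcome!", "Pass1word99", "1Summer23", "hunter2"]:
        print(f"{pw:12} normal={evaluate(pw, doublecheck=False)} doublecheck={evaluate(pw)}")
```

The sample run makes the scope of the feature visible: "Welcome2024" and "Password1" are rejected only when DoubleCheck is on, while "Welcome!", "Pass1word99" and "1Summer23" pass both checks because the digits are not at the end (or there are none), so those permutations still have to be covered by the blacklists themselves.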

Password DoubleCheck Works for Custom Blacklists and Pwned Passwords, too!

Because the digit-stripping happens client-side, before the query is sent, DoubleCheck works with every blacklist you are configured to query: the Password RBL curated blacklist, Pwned Passwords and your own custom blacklist.

DoubleCheck makes using Custom Blacklists easier.

Enabling DoubleCheck definitely increases your security, but it also makes populating Custom Blacklists easier. Once DoubleCheck is enabled, Password Firewall will catch any blacklisted permutation even when it has a string of numbers at the end. This means you do not need to fill your custom blacklist with permutations that end in digits, which makes generating the permutations and adding them to your custom blacklist faster and easier. Permutations that end in a symbol, or that put the digits anywhere other than the end, are not covered by DoubleCheck and still need their own entries. Now that's a win-win.
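An added example of what that saves, not Password RBL's tooling: a custom blacklist generator that produces case and character-substitution permutations of some constructed base words but deliberately skips the digit-suffixed variants, together with the DoubleCheck lookup showing they are still caught. The base words, the substitution table, and the 00-99 suffix range are assumptions for this example:

```python
"""Build a custom blacklist without digit-suffixed permutations."""
import itertools
import string

# Constructed base words an organisation might block (assumed).
BASE_WORDS = ["acme", "goleta", "hollister"]

# Character substitutions to permute (assumed table for this example).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$"}


def case_variants(word):
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Every combination of the substitutions in LEET applied to the word."""
    options = [(c,) + tuple(LEET.get(c.lower(), "")) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def build_custom_blacklist(base_words, include_digit_suffixes=False, suffixes=range(100)):
    """Return the set of permutations to upload.

    With DoubleCheck enabled the digit-suffixed entries are redundant, so the
    default leaves them out; pass include_digit_suffixes=True to see the cost.
    """
    entries = set()
    for word in base_words:
        for cased in case_variants(word):
            for variant in leet_variants(cased):
                entries.add(variant)
                if include_digit_suffixes:
                    for n in suffixes:
                        entries.add(f"{variant}{n}")
    return entries


def doublecheck_hit(candidate, blacklist):
    """The DoubleCheck lookup: exact match first, then with trailing digits stripped."""
    stripped = candidate.rstrip(string.digits)
    return candidate in blacklist or (stripped != "" and stripped in blacklist)


if __name__ == "__main__":
    without = build_custom_blacklist(BASE_WORDS)
    with_digits = build_custom_blacklist(BASE_WORDS, include_digit_suffixes=True)
    print(f"{len(without)} entries without digit suffixes, {len(with_digits)} with 0-99 appended")
    for pw in ["Acme2024", "hollister1", "H0LL15T3R99", "G0let4!"]:
        print(f"{pw:12} caught by DoubleCheck: {doublecheck_hit(pw, without)}")
```

Appending two-digit suffixes multiplies the list by 101, so leaving them out is a real saving, and the last sample ("G0let4!") shows the entry you still have to generate yourself: a permutation that ends in a symbol is not touched by the digit-stripping step.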

