How to protect your data from password lists

How can a simple file of words threaten your organization's security program? In a dictionary attack, each entry in a wordlist is tried in turn as the password for an account. The wordlist, also known as a password list, is typically compiled from real-world database leaks and can contain billions of unique records.

Hackers have access to numerous collections of username and password combinations from multiple breaches, including Yahoo!, LinkedIn, Dropbox, and the latest Collection leak. A single breach can open the door to other systems whenever a leaked or weak password is reused across accounts.

Hackers are not the only ones who can take advantage of a password dictionary. Organizations can stop the ripple effect by using the same password files to block vulnerable passwords in their own environment. In practice, this means enforcing a password blacklist for Active Directory that checks every new password against the same lists available to attackers, so that users cannot select passwords that are susceptible to dictionary attacks.

What you need to know about password attacks

Organizations employ a multitude of security controls to reduce their exposure to password-related threats. Unfortunately, even with the native password policy settings (length, complexity, history, lockout) configured, Active Directory does not check whether a chosen password already appears in a breach dump, so it remains vulnerable.

Hackers have always targeted end users because they are seen as the weakest link. Their tactics prey on human interaction, tricking users into breaking standard security practices. Now, armed with an ever-growing collection of credential data, they are also banking on user predictability and password reuse.

In addition to carefully crafted phishing emails and brute-force attacks that cycle through millions of password permutations, hackers can employ a short list of high-probability passwords. Such lists are generated from popular composition patterns, such as character substitutions (P@$$w0rd) and keyboard walks (qwerty123). If the attack is aimed at a specific organization, the list is built from words relevant to that organization: its name, locations, services, acronyms, or even local sports teams. Because the number of guesses is small and targeted, it stays below the account lockout threshold, so an account can be hijacked without triggering a lockout.

For more information about this hacking method, see What is a Password Dictionary Attack?

NIST password blacklist

When it comes to password security, users can’t seem to deviate from predictable patterns. The National Institute of Standards and Technology (NIST) addresses this in their Digital Identity Guidelines. Instead of blaming password predictability on users, NIST requires more of the authentication systems people use. For most organizations, this means Active Directory.

As credentials exposed in one breach can open the door to other systems, NIST requires screening prospective passwords against a list of commonly used, expected, or compromised passwords (a password blacklist). If a match is found, the password must be rejected. The password blacklisting recommendation is shared by other bodies, including the National Cyber Security Centre in the UK.

In addition to password blacklisting, NIST recommends dropping other common practices that hurt usability without improving security. For example, don't force users to change their password periodically; require a change only when there is evidence of compromise. For more information about the recommendations, see our summary of the NIST password guidelines.

NIST Special Publication 800-63B:
"When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised."

Why a Blacklist is important

Until recently, stolen passwords were sold on the dark web for thousands of dollars. Now they are available for free, in plain text, and billions strong. This means that even an unskilled hacker can break into an account by testing a leaked username and password pair against online logins (credential stuffing). Alternatively, they can take a short list of common passwords and try each one against many usernames (password spraying), in the hope that someone in the organization is using a weak password. In response, organizations need to blacklist the same passwords for their users, or risk data exposure.

You can enhance your password settings by blocking not only leaked passwords but also passwords that are high-probability guesses within your organization. Active Directory password blacklisting allows you to relax policy requirements such as character complexity and expiration periods while maintaining your desired level of security.

It takes a single leaked password to create risk and potential compromise. A limited blacklist of 1,000 passwords offers some protection, but a larger list covers billions of passwords, including ones that satisfy every complexity rule and are weak solely because they appear in a leaked password list.

Blacklisting billions of leaked passwords in your organization is a manual process without tooling, and to stay protected against new threats the list has to be continually grown and updated. A third-party password blacklisting service simplifies managing the list of leaked passwords, so you can focus on building a custom dictionary to cover targeted attacks.

The custom dictionary should include words relevant to your organization: anything containing the company name, locations, services, industry terms, and any relevant acronyms. With the right solution in place, you can apply additional normalization rules so users cannot bypass the dictionary with predictable variations: character substitution, the word spelled backwards, or a number or exclamation mark appended to the end of the password. For more information, see our Best practices for configuring a custom dictionary.
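The following is an added example, not code from Specops or from this article, showing both checks the text calls for: the exact-match screening against a leaked list that 800-63B requires, and a custom dictionary that still catches a word after the user has applied character substitutions, reversed it, or appended digits and punctuation. The leaked list, the organization's dictionary (a hypothetical company "Acme" in Stockholm), and the candidate passwords are all constructed for the demonstration; a real deployment would swap in a breach list of billions of SHA-1 hashes and run the check at password-change time.

```python
import hashlib
import re

# Constructed sample data, not a real breach dump. Large leaked lists are usually
# distributed as SHA-1 hashes rather than plaintext, so the check hashes the
# candidate and looks the digest up in a set.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty123", "P@$$w0rd", "letmein")
}

# Constructed organization-specific dictionary for a hypothetical company:
# name, location, product and the local sports team. Keep entries a few
# characters long at least; substring matching on very short words over-blocks.
CUSTOM_DICTIONARY = {"acme", "stockholm", "widgetcloud", "hammarby"}

# Undo common character substitutions. "1" is ambiguous (i or l), so two
# tables are applied and both results are kept.
_COMMON = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e", "7": "t", "!": "i"}
LEET_TABLES = (
    str.maketrans({**_COMMON, "1": "i"}),
    str.maketrans({**_COMMON, "1": "l"}),
)

# Digits and punctuation users bolt onto the end (or, once reversed, the start).
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?_-]+$")


def candidate_base_words(password):
    """Return every base form the password reduces to after undoing the
    predictable tricks: case, character substitution, trailing digits or
    punctuation, and reversal. Transforms are applied repeatedly until no new
    form appears, so combinations such as "reversed plus a suffix" are covered.
    The set is finite because each transform shrinks, substitutes, or reverses."""
    transforms = (
        lambda s: s.translate(LEET_TABLES[0]),
        lambda s: s.translate(LEET_TABLES[1]),
        lambda s: TRAILING_JUNK.sub("", s),
        lambda s: s[::-1],
    )
    forms = {password.lower()}
    while True:
        new = {t(s) for s in forms for t in transforms} - forms
        if not new:
            return {f for f in forms if f}
        forms |= new


def is_leaked(password):
    """Exact match against the leaked list, as the 800-63B SHALL clause requires."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in LEAKED_SHA1


def dictionary_hits(password):
    """Custom-dictionary words that appear inside any normalized form."""
    forms = candidate_base_words(password)
    return sorted(w for w in CUSTOM_DICTIONARY if any(w in f for f in forms))


def check_password(password, min_length=8):
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_leaked(password):
        reasons.append("found in leaked password list")
    hits = dictionary_hits(password)
    if hits:
        reasons.append("contains custom dictionary word(s): " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed candidates: a leaked password, the company name with a year,
    # "Stockholm" reversed with a suffix, a substituted product name, and a
    # passphrase with nothing on either list.
    for candidate in ("P@$$w0rd", "Acme2024!", "Mlohkcots1!", "W1dg3tCl0ud#", "Glacier-Tandem-47-Orbit"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: " + ("accepted" if not verdict else "rejected: " + "; ".join(verdict)))
```

Note the split between the two checks: the leaked list is matched exactly (normalizing a billion-entry list would multiply its size for little gain, since the breach data already contains the variants people actually typed), while the short custom dictionary is matched on normalized substrings, which is where the reversal and substitution tricks matter.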

The 2012 Dropbox breach was the result of password reuse: a Dropbox employee had reused their corporate password on LinkedIn, and that password was exposed in the LinkedIn breach.


Specops Password Policy includes an Active Directory Password Blacklisting service with a continuously updated list of vulnerable passwords. The list contains billions of passwords from major breach incidents, including the latest Collection leak and the Have I Been Pwned list compiled by security expert Troy Hunt. During a password change in Active Directory, the service blocks the change and notifies the user if the chosen password is found in the list of leaked passwords. Specops Password Policy makes it easy to keep out vulnerable passwords and comply with the latest password blacklisting guidelines.

