Until recently, stolen passwords were sold on the dark web for thousands of dollars. Now they are available for free, in plain text, and billions strong. This means that anyone can break into an account by replaying a leaked username and password against online logins (credential stuffing). Alternatively, an attacker can take a short list of common passwords and try each one against many usernames, hoping that someone in the organization is using a weak password (password spraying). In response, organizations need to block those same passwords for their users, or risk data exposure.
You can strengthen your password policy by blocking not only leaked passwords but also passwords that are highly probable within your organization. Active Directory password screening allows you to relax requirements such as character complexity and expiration periods while maintaining your desired level of security.
It takes a single leaked password to create risk and potential compromise. While a limited list of 1,000 passwords offers some protection, a larger list can cover billions of passwords, some of which are considered weak solely because they appear on a leaked password list.
Maintaining a block list of billions of leaked passwords in-house is a manual process: to stay protected against new breaches, the organization has to keep growing and updating the list. A third-party password screening service can take over managing the leaked-password list. With the service protecting your organization from leaked passwords, you can focus on building a custom dictionary to cover more targeted attacks.
A custom dictionary should include passwords relevant to your organization: anything containing the company name, locations, products or services, industry terms, and relevant acronyms. With the right solution in place, you can apply additional settings to ensure users cannot bypass the dictionary with predictable patterns such as character substitution, the word in reverse, or a number or exclamation mark appended to the end. For more information, see our Best practices for configuring a custom dictionary.
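The following is an added example, not code from this page or from any password screening product, that shows both checks described above in one place: the leaked-password lookup from the earlier paragraphs and the custom-dictionary matching that defeats character substitution, reversal, and appended digits or punctuation. The leaked list is a constructed five-entry sample standing in for a service's feed, the company name "Contoso" and its dictionary terms are hypothetical, and the prefix-indexed lookup is an assumption about how such a service is queried (the k-anonymity range layout, where only the first five hex characters of the SHA-1 digest leave the host).

```python
import hashlib

# Constructed sample standing in for the billions of entries a screening service holds.
# A real feed is consumed as hashes, never as plaintext.
SAMPLE_LEAKED = ["password", "123456", "letmein", "qwerty", "Summer2023"]

# Constructed custom dictionary for a hypothetical company "Contoso" based in Seattle.
CUSTOM_DICTIONARY = ["Contoso", "Seattle", "payroll", "helpdesk"]

# Common character substitutions users rely on to slip past a dictionary check.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form leaked-password feeds are commonly keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked_passwords):
    """Index digests by their first five hex characters.

    Assumption: the screening service exposes a k-anonymity range lookup, so the
    client sends only this prefix and matches the returned suffixes locally.
    """
    index = {}
    for password in leaked_passwords:
        digest = sha1_hex(password)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


LEAKED_RANGE_INDEX = build_range_index(SAMPLE_LEAKED)


def in_leaked_list(password: str, range_index=LEAKED_RANGE_INDEX) -> bool:
    """Exact-match check against the leaked list; case matters because it is hash based."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only `prefix` would be sent to a remote service; the suffix comparison stays local.
    return suffix in range_index.get(prefix, set())


def candidate_forms(password: str) -> dict:
    """Forms of the password in which a dictionary word might be hiding.

    Appended digits or punctuation ("Contoso2023!") need no special handling,
    because each dictionary word is matched as a substring of these forms.
    """
    lowered = password.lower()
    unleet = lowered.translate(LEET_MAP)          # c0nt0$0 -> contoso
    return {
        "as typed": lowered,
        "substitutions undone": unleet,
        "reversed": lowered[::-1],                  # osotnoc -> contoso
        "reversed, substitutions undone": unleet[::-1],
    }


def screen_password(password: str, dictionary=CUSTOM_DICTIONARY,
                    range_index=LEAKED_RANGE_INDEX) -> list:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if in_leaked_list(password, range_index):
        reasons.append("found in leaked password list")
    forms = candidate_forms(password)
    for word in dictionary:
        base = word.lower()
        for label, form in forms.items():
            if base in form:
                reasons.append(f"contains dictionary word '{word}' ({label})")
                break  # one reason per dictionary word is enough
    return reasons


if __name__ == "__main__":
    for candidate in ["Summer2023", "C0nt0$0!", "osotnoC99", "Tr0ub4dor&3x!Q7"]:
        verdict = screen_password(candidate)
        print(f"{candidate:18} -> {'REJECT: ' + '; '.join(verdict) if verdict else 'accept'}")
```

Two design points worth noting. The leaked-list check is an exact hash match, so "Password" passes even though "password" is on the list; that is why the pattern-aware dictionary check is needed on top of it. And because dictionary terms are matched as substrings, keep them to meaningful words of four or more characters, otherwise short acronyms will reject unrelated passwords.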