Blacklist common passwords with dictionaries
(Last updated on August 2, 2018)
Passwords are the thin layer protecting your organization’s sensitive data from the unknown. It is no surprise that many of the recent data breaches are the result of their compromise. In 2016, three billion credentials were stolen worldwide. The cycle continues as stolen credentials in one breach are then tested against other log-ins. With a single breach opening the door to other systems, commonly via a dictionary attack, organizations need to stop users from reusing vulnerable passwords.
What is a dictionary attack?
A dictionary attack is a method of breaking into a system by entering every word, from a database of commonly used words, as a password.
The dictionary is composed of common names and words, and takes into account popular compositions, including predictable character substitutions (i.e. P@ssw0rd2017!). Attackers can also take advantage of password lists, obtained from various data breaches, and readily available online. The attack cycles through thousands of passwords at a time, comparing the hash of each guess, with the hash of the target password.
Stop poor password decisions with Specops Password Policy
Hackers are not the only ones who can take advantage of password predictability. The best protection against a dictionary attack is using a dictionary during the password creation process. This means checking future passwords against such dictionaries, and preventing users from selecting passwords that are susceptible to attacks. Specops Password Policy supports custom, online, and hash dictionaries in password creation for Active Directory.
With Specops Password Policy, the dictionary settings can be configured from the Group Policy Management editor. Simply find the dictionary settings in the graphical interface to get started.
Start by creating a custom dictionary list to reject common passwords relevant to your organization. You might want to include your location, local sports teams, and of course company name. Additional settings allow you to block partial words, words in reverse, and their predictable compositions – this means not only blocking company name, but also its variations (i.e. Specops2017, Specops123!, IloveSpecops).
Next, you’ll want to import some online dictionaries, the same ones available to attackers. Alternatively, you can use a Specops provided dictionary which includes passwords from the Gawker (over 180,000 passwords), LinkedIn (6.5 million password hashes), and Adobe (top 100 passwords) breaches, as well as the Adobe “Top 100” worst password lists.
Using a password dictionary allows you to ease password complexity requirements, while maintaining your desired level of password security. The demand shift to the authentication system, and away from the user, is in-line with current best practices, including NIST’s Digital Identity Guidelines.
For more password security best practices, check out our Strengthening passwords against common attacks whitepaper.
This article dives deep into the math that is hidden behind the Relative Password Policy Strength in Specops Password Auditor. Bring your combinatorics book and strap in for a math lesson. Relative Password Policy Strength The password policy strength is in essence a measurement of: How many possible combinations are there of a password using…Read More
RIP Passwords – the 2017 Data Breach Industry Forecast by Experian anticipates your demise. Until then, experts are predicting “aftershock” breaches. In 2016, there were 1,093 security incidents involving loss of sensitive data, and three billion credentials stolen worldwide. The biggest contributor being Yahoo’s headline dominating confirmation of a 2014 breach, where at least 500…Read More
Don’t let the title fool you. This is not so much a melodrama – but rather about our fragmented identities sprinkled in the ubiquitous digital space. Okay, maybe a little exaggerated, but let’s see how you feel after a dozen failed passwords attempts – or could it be the wrong username? You narrow it down…Read More