Blacklist common passwords with dictionaries
(Last updated on December 21, 2017)
Passwords are the thin layer protecting your organization’s sensitive data from the unknown. It is no surprise that many recent data breaches are the result of compromised passwords. In 2016, three billion credentials were stolen worldwide. The cycle continues as credentials stolen in one breach are then tested against other log-ins. With a single breach opening the door to other systems, commonly via a dictionary attack, organizations need to stop users from reusing vulnerable passwords.
What is a dictionary attack?
A dictionary attack is a method of breaking into a system by trying every word from a database of commonly used words as the password.
The dictionary is composed of common names and words, and takes into account popular compositions, including predictable character substitutions (e.g. P@ssw0rd2017!). Attackers can also take advantage of password lists obtained from various data breaches and readily available online. The attack cycles through thousands of passwords at a time, comparing the hash of each guess with the hash of the target password.
Stop poor password decisions with Specops Password Policy
Hackers are not the only ones who can take advantage of password predictability. The best protection against a dictionary attack is using a dictionary during the password creation process. This means checking future passwords against such dictionaries, and preventing users from selecting passwords that are susceptible to attacks. Specops Password Policy supports custom, online, and hash dictionaries in password creation for Active Directory.
With Specops Password Policy, the dictionary settings can be configured from the Group Policy Management editor. Simply find the dictionary settings in the graphical interface to get started.
Start by creating a custom dictionary list to reject common passwords relevant to your organization. You might want to include your location, local sports teams, and of course your company name. Additional settings allow you to block partial words, words in reverse, and their predictable compositions – this means not only blocking the company name, but also its variations (e.g. Specops2017, Specops123!, IloveSpecops).
Next, you’ll want to import some online dictionaries, the same ones available to attackers. Alternatively, you can use a Specops-provided dictionary which includes passwords from the Gawker (over 180,000 password hashes) and LinkedIn (6.5 million passwords) breaches, as well as the Adobe “Top 100” worst password list.
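To make the custom and hash dictionary checks above concrete, here is an added Python example (not Specops code) that rejects a candidate password if its hash appears in a breach list, or if a normalized form of it contains a custom dictionary word, that word reversed, or a predictable substitution of it. The dictionary words, the SHA-1 hashed breach entries and the substitution table are constructed samples, not the product's own lists.

```python
import hashlib
import re
from typing import Optional

# Constructed sample data: organization-specific terms for the custom
# dictionary, and SHA-1 hashes standing in for an imported breach list.
CUSTOM_DICTIONARY = {"specops", "stockholm", "password"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("letmein", "qwerty123", "P@ssw0rd2017!")  # constructed samples
}

# Common character substitutions undone before comparison, so that
# "Sp3c0ps" collapses to "specops". This table is an assumption.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lowercase, undo leet substitutions, and keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def reject_reason(password: str) -> Optional[str]:
    """Return why the password is rejected, or None if it passes the checks."""
    # 1. Hash dictionary: compare the hash of the candidate against the
    #    breach list, never the plaintext list itself.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        return "found in breached password list"
    # 2. Custom dictionary: block the word, its reverse, and partial matches
    #    (the word embedded in a longer password such as "IloveSpecops").
    core = normalize(password)
    for word in sorted(CUSTOM_DICTIONARY):
        if word in core or word[::-1] in core:
            return f"contains dictionary word '{word}'"
    return None


if __name__ == "__main__":
    for candidate in ("letmein", "Sp3c0ps2017!", "spocepS99", "correct horse battery staple"):
        print(f"{candidate!r}: {reject_reason(candidate) or 'accepted'}")
```

Substring matching against short dictionary words will reject many legitimate passwords, so in practice keep custom entries to words of a reasonable length.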
Using a password dictionary allows you to ease password complexity requirements while maintaining your desired level of password security. This shifts the burden onto the authentication system and away from the user, in line with current best practices, including NIST’s Digital Identity Guidelines.
For more password security best practices, check out our Strengthening passwords against common attacks whitepaper.