Creating a custom password-exclusion dictionary with ChatGPT
When cybercriminals attempt to crack passwords, it makes sense to go for the lowest hanging fruit. They’re going to start by trying the most common, easy-to-guess passwords, as chances are some end users are bound to have chosen them. So it makes sense for organizations to use the same logic – block the weakest passwords and force end users to choose something stronger and harder to guess. This is where a ‘custom password dictionary’ comes in.
Custom dictionaries are specialized lists of words, phrases, and character combinations that end users are prohibited from choosing when creating their passwords. There are two elements. The first is generic words and terms common across all organizations (think ‘admin’, ‘password’, and ‘welcome’). But a custom dictionary should be much more than a standard word list; the second element is terms specific to your organization (like product names), as well as common words and phrases associated with your industry.
Adding a custom dictionary into your password policy gives your organization an additional layer of defense against targeted credential-based attacks. However, this requires some thinking around what easy-to-guess passwords your end users may be choosing, as base terms relevant to an American law firm will be less relevant to a German bank. So how to make this process a bit easier? We’ll explain the benefits of custom dictionaries and how to use ChatGPT (or your preferred AI software!) prompts to help build your own custom password-exclusion dictionary.
How hackers use password dictionaries against you
Humans are creatures of habit — meaning many users will opt for easy-to-remember (and therefore easy-to-guess) passwords. Hackers know this, so they use dictionary attacks to target the most common weak passwords. They’ll also combine password dictionaries with brute force techniques to create hybrid password attacks that rapidly apply iterations of character swaps and combinations to common passwords. If a hacker is targeting your organization, it’s likely they’ve added some terms specific to your organization and industry too.
Password attacks are effective because they target the weak points in an organization’s password policy. The combination of human predictability and technology makes it simple to crack or guess weak or common passwords. Hackers use large databases of breached and weak passwords to attack – so we should be using them to defend. The custom password dictionary is a key part of any password policy, as it blocks these risky passwords from being used in your environment.
Check for compromised passwords in your Active Directory
Interested in learning how many of your users’ passwords are already compromised? Run a fast and free scan of your Active Directory with Specops Password Auditor against a list of over 1 billion unique compromised passwords. Download your free tool here.
Using ChatGPT to help build your custom dictionary
To create a custom dictionary of passwords to exclude using ChatGPT or other AI software, you can follow these steps.
Publicly available password lists
There are already several out-of-the-box password dictionaries and password files that can be freely downloaded as the basis for a custom password dictionary, which you can ask ChatGPT to list. The first couple suggested by ChatGPT below are the well-known HaveIBeenPwned password list and the RockYou password data dump. There were several others suggested too, though we won’t list them all here. You can choose the ones you think look useful and combine them.
Example prompt and response within ChatGPT
Weak passwords specific to your organization
Next, you want to think about words, terms, and phrases specific to your organization. For example, your company’s name, location, products, project codenames, etc. The below is a fictional example which we’ve made – the exercise will of course be more effective when you include more specific information in your prompt. ChatGPT came up with about ten categories of potential weak passwords (some better than others!). We’ve shared the first three sets for our fictional company below.
We also asked ChatGPT to make variations on these possible weak passwords, as often end users will simply add a capital letter and special character to a weak password to get around an organization’s password policy. You can see the output below. Again, we’ve not screenshotted everything, just the first three sets of examples that the AI came up with.
Compiling all the passwords together
Now you want to generate a file which you can add alongside the publicly available lists. You can find some technical advice on setting up your custom dictionary here. It’s also worth refining this process as you go. You’ll want to come back to this a few times a year rather than seeing this as a one-and-done exercise. And remember – if you can generate the list of possible passwords this easily, so can potential hackers!
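As an added example (not the page’s own code or Specops tooling), this Python script takes a few constructed, fictional organization terms, expands them with the predictable tweaks end users make to slip a weak word past a policy (capitalization, leet substitutions, appended digits and symbols), merges them with a public list, writes the result as a one-entry-per-line dictionary file, and shows the substring check a policy would apply against that dictionary.

```python
import itertools

# Constructed sample base terms for a fictional company (not from the article).
BASE_TERMS = ["acme", "acmecorp", "widgetx", "springfield"]

# Constructed stand-in for lines taken from a public list such as RockYou.
PUBLIC_LIST_SAMPLE = ["password", "welcome", "admin", "  ", "letmein"]

# The usual tricks: add a capital, append a year or digits, tack on a symbol, leet-speak.
SUFFIXES = ["", "1", "123", "2024", "!", "1!", "2024!"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})


def expand_term(term):
    """Return the set of predictable variations of one organization base term."""
    base = term.lower()
    stems = {base, base.capitalize(), base.upper(), base.translate(LEET)}
    return {stem + suffix for stem in stems for suffix in SUFFIXES}


def build_dictionary(terms, extra_lists=()):
    """Merge expanded organization terms with public-list lines into one sorted,
    de-duplicated list (blank lines dropped)."""
    entries = set(itertools.chain.from_iterable(expand_term(t) for t in terms))
    for lst in extra_lists:
        entries |= {line.strip() for line in lst if line.strip()}
    return sorted(entries)


def is_blocked(candidate, dictionary, min_len=4):
    """Policy check: reject the candidate if any dictionary entry of at least
    min_len characters appears inside it, ignoring case. Substring matching is
    what catches 'MyAcme2024!' rather than only an exact 'acme'."""
    cand = candidate.lower()
    return any(len(e) >= min_len and e.lower() in cand for e in dictionary)


def write_dictionary(path, dictionary):
    """Write one entry per line, the format a custom dictionary file expects."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(dictionary) + "\n")


if __name__ == "__main__":
    custom = build_dictionary(BASE_TERMS, [PUBLIC_LIST_SAMPLE])
    write_dictionary("custom-dictionary.txt", custom)
    for pw in ["MyAcme2024!", "Welcome123", "correct horse battery staple"]:
        print(pw, "-> blocked" if is_blocked(pw, custom) else "-> allowed")
```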
Going further than custom dictionaries
The best defense against password-related cyber-attacks is a comprehensive strategy to root out weak and compromised passwords. Integrating custom dictionaries into your password policies will help enhance your organization’s security, keeping your users, data, and systems safe. But just as attackers layer their attack techniques, we need to layer our security defenses too as even strong passwords can become compromised over time and without an end user’s knowledge. The simplest way to do this for many organizations is using a third-party tool.
For example, combining your custom dictionary with Specops Password Policy’s breached password protection feature means your Active Directory will be continuously scanned against our database of over four billion known compromised passwords. The database includes passwords from a real-time attack monitoring system that monitors live brute force attacks, plus malware-stolen data from our human-led Threat Intelligence team. This allows you to mount a powerful defense against dictionary attacks and password reuse.
Make your organization more secure by adding a custom dictionary and banishing over four billion compromised passwords: Try Specops Password Policy for free.
(Last updated on October 16, 2024)