How to block common patterns in Active Directory passwords

Between work and personal accounts, the average person may have dozens of passwords to remember. Strong password hygiene indicates a unique password for each account, but when users have so many passwords to remember, they come up with a system for managing them: connecting passwords to personal information, password reuse, and password composition patterns. When prompted to change those passwords, they often get away with a small modification to the base word.

Users often use a base word when they build their password. The base word can be used on different accounts, with small tweaks to accommodate different password policies.  If they are required to change their password, they can increment a number at the end, or replace the last character. There are obvious security concerns with this user behavior. Yet, the basic password history and complexity capabilities found in Active Directory Password Policies do not protect organizations from the use of incremental passwords.

Top 10 base passwords

Our research team took a look at a subset of over 4.6 million passwords collected over the span of a few weeks in October 2022 from our honeypot system – one of our sources for compromised passwords blocked by Specops Password Policy and Breached Password Protection. The data shows how common password patterns are used in live attacks. The following are the most common terms used to attack networks across multiple ports.

• password
• admin
• welcome
• p@ssw0rd
• qaz2wsx
• homelesspa
• p@ssword
• qwertyuiop
• q2w3e4r5t
• q2w3e4r

These base words, some of which are inspired by keyboard patterns, should not come as a surprise. Organizations should prevent the use of common base words, as well as any composition patterns in Active Directory.

Block patterns in Active Directory passwords

Specops Password Policy is an effective tool that allows businesses to protect against weak and breached passwords. You can create your own custom dictionary to block custom base words, such those related to your organization, like company name, location, local sport teams, and more. You can also enable leetspeak blocking to prevent character substitution attempts from bypassing the dictionary.

These settings in Specops Password Policy can prevent the use of base words, and common password composition patterns:

• Block the use of incremental passwords
• Require a minimum number of changed characters
• Disallow reusing part of the current password

In addition to these features, Specops Password Policy provides the following:

• Breached password protection in Active Directory
• Database of over 4 billion compromised passwords
• Regular Expressions support
• Granular, GPO-driven targeting for any GPO level, computer, user, or group population

Download a free trial version of Specops Password Policy.