Building a password dictionary: Overview and best practices

As long as users continue choosing common or predictable passwords, dictionary attacks will continue to work. Attackers are not the only ones who can take advantage of password predictability. The best protection against a dictionary attack is using a dictionary during the password creation process: checking future passwords against such dictionaries, and preventing users from selecting passwords that are susceptible to attacks. We’ll run through some tips and best practices on building your own password-exclusion dictionary, so end users are blocked from using the weak and compromised credentials attackers seek to exploit.

The dictionary settings can be configured in the Group Policy Management editor from User Configuration, Policies, Windows Settings, Specops Password Policy. Click Create New Password Policy, and select the Password Rules tab.

Building custom dictionaries

You can create or import a custom dictionary list to reject common passwords. The custom dictionary should include passwords relevant to your organization, including names, locations, services, any relevant acronyms, and even local sports teams. For a targeted list of company-related words and potential passwords, you can perform your own password audit. Tools such as L0phtcrack can help you gather a comprehensive list of poor passwords, which you can add to your custom dictionary. To identify additional password-related vulnerabilities, use Specops Password Auditor (free and read-only). The tool allows you to scan Active Directory for accounts using leaked passwords.

You can also use AI tools such as ChatGPT to help generate a password-exclusion list specific to your own organization and industry, for example a list of product names. This will help stop end users from creating passwords related to your business that could be vulnerable to targeted cracking attacks.

Note: It is important to consider performance implications with larger custom dictionaries as they need to be loaded into memory on each writeable domain controller.

How to configure a dictionary in settings

You can further configure your custom dictionary with the following settings. These settings ensure that users cannot bypass the password dictionary with other predictable patterns, such as adding an exclamation mark to the password.

Part of the new password

Prevent the creation of a password that contains a word in your dictionary. For example, if your dictionary contains baseball, enabling this option will reject baseball, BASEBALL, Baseball!, Baseball1. A password change to Baseba1 will not be rejected by this setting.

This setting is recommended when using smaller dictionaries containing company- or product-specific words.

Character substitution (leetspeak)

If your password policy also has character complexity requirements, users might bypass common dictionary words with character substitutions. With this feature enabled, character substitutions are converted to the original character during password validation. The following character substitutions are used for the conversion:

  • @ = a
  • 4 = a
  • 8 = b
  • 3 = e
  • € = e
  • 9 = g
  • 6 = g
  • 1 = i
  • | = l
  • ! = i
  • 0 = o
  • 5 = s
  • $ = s
  • § = s
  • 7 = t
  • 2 = z

For example, if Password is in the dictionary, enabling this option will reject a password change to p@ssword, or p4ssw0rd.

Reverse of the new password

With this feature enabled, you can reject a password change that contains the dictionary word in reverse. For example, if the dictionary contains abc123, enabling this option will also reject the reverse of the word, 321cba.

Ignore dictionary words shorter than x characters

Short dictionary words make it difficult for users to change passwords, especially if the Part of the new password setting is also enabled. By default, words shorter than 4 characters in length are ignored. You can increase or decrease the number of characters with this setting.

If your custom dictionary contains short words, and the Part of the new password setting is also enabled, reducing the number of characters is not recommended.
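The four settings above (Part of the new password, character substitution, reverse match, and the minimum dictionary-word length) are easiest to reason about as one validation routine. The following is an added example written for this article, not Specops code and not how the product implements the checks internally; it models each setting as a switch on a small `DictionaryPolicy` class and uses the substitution table listed above. The organization words in `SAMPLE_DICTIONARY` are constructed sample data.

```python
# Added example (not Specops code): a password-exclusion check that models the
# four dictionary settings described in this article. Sample words below are
# constructed, not a real organization's list.

# Substitution table from the article, applied to the candidate password so
# that p4$$w0rd is compared to the dictionary as "password".
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "€": "e", "9": "g", "6": "g",
    "1": "i", "|": "l", "!": "i", "0": "o", "5": "s", "$": "s", "§": "s",
    "7": "t", "2": "z",
}

SAMPLE_DICTIONARY = [  # constructed; a real list would be far larger
    "Password", "baseball", "abc123",
    "Contoso", "Seattle", "Seahawks",   # company name, location, sports team
    "VPN", "SQL",                       # acronyms shorter than the default cutoff
]


def normalize_leet(text: str) -> str:
    """Lower-case the text and undo the character substitutions."""
    return "".join(LEET_MAP.get(ch, ch) for ch in text.lower())


class DictionaryPolicy:
    def __init__(self, words, part_of_password=True, leetspeak=True,
                 reverse=True, min_word_length=4):
        self.part_of_password = part_of_password
        self.leetspeak = leetspeak
        self.reverse = reverse
        # "Ignore dictionary words shorter than x characters": filter once at
        # load time, so the set held in memory is as small as possible.
        self.words = frozenset(
            w.strip().lower() for w in words
            if len(w.strip()) >= min_word_length
        )

    def _candidates(self, password: str) -> set:
        """Every form of the password that the enabled settings compare."""
        forms = {password.lower()}
        if self.leetspeak:
            forms.add(normalize_leet(password))
        if self.reverse:
            forms |= {f[::-1] for f in forms}
        return forms

    def match(self, password: str):
        """Return the dictionary word that causes rejection, or None."""
        for form in self._candidates(password):
            if self.part_of_password:
                # Substring check: linear in the dictionary size, which is why
                # the article recommends it for smaller, targeted lists.
                for word in self.words:
                    if word in form:
                        return word
            elif form in self.words:
                # Exact match: a hash-set lookup, cheap even for huge lists.
                return form
        return None

    def is_acceptable(self, password: str) -> bool:
        return self.match(password) is None


if __name__ == "__main__":
    policy = DictionaryPolicy(SAMPLE_DICTIONARY)
    for pw in ["Baseball1", "Baseba1", "p4ssw0rd", "321cba", "vpn2024"]:
        print(f"{pw:12} -> rejected by {policy.match(pw)!r}")
```

With the defaults, the class reproduces the article's examples: `Baseball!` and `Baseball1` are rejected by `baseball` while `Baseba1` passes, `p@ssword` and `p4ssw0rd` are rejected by `Password`, and `321cba` is rejected by `abc123`. Lowering `min_word_length` to 3 makes `vpn2024` start failing because the three-letter acronym is now loaded, which illustrates the trade-off described above.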

Combining dictionary settings to achieve best practice

Now that we have an overview of the dictionary settings in Specops Password Policy, let’s summarize how we can combine them to achieve best practice. Specops recommends enabling the following:

  • Custom Dictionary: Use a custom dictionary to capture specific words related to your organization or industry. We recommend enabling the partial match check, known in the UI as Part of the new password, to block passwords that contain a dictionary word. Enabling leetspeak is also recommended to prevent common character substitutions.
  • Specops Breached Password Protection (add-on): For a continuously updated list of vulnerable passwords, enable the Specops leaked list. The list contains billions of passwords from major breach incidents, including the latest Collection leak, and the Have I Been Pwned list compiled by security expert Troy Hunt. During a password change in Active Directory, the service will block and notify users if the password they have chosen is found in a list of leaked passwords.

Get help from third-party tools

Specops Password Policy supports custom dictionaries, and also has a leaked password protection add-on. The password deny list contains over four billion passwords, and is regularly updated in response to new password leaks. It helps with other best practices, such as password length requirements (at least 15 characters), and length-based password aging. Try Specops Password Policy for free.

(Last updated on January 6, 2025)
