Password dictionary overview and best practice
(Last updated on September 16, 2020)
As long as users continue using common/predictable passwords, dictionary attacks will continue to work. Hackers are not the only ones who can take advantage of password predictability. The best protection against a dictionary attack is using a dictionary during the password creation process. This means checking future passwords against such dictionaries, and preventing users from selecting passwords that are susceptible to attacks.
Specops Password Policy supports the following dictionaries:
- Compliance (“Specops Master” list)
- Common keyboard combinations and sequences
- LinkedIn leaked password hashes
- Adobe leaked passwords
- Gawker leaked passwords
Note: In addition to the aforementioned dictionaries, Specops Password Policy has a leaked password protection add-on. The password deny list contains several billion passwords, and is regularly updated in response to new password leaks.
It is best practice for password policies to combine dictionaries with a password length requirement (at least 15 characters) and length-based password aging.
The dictionary settings can be configured in the Group Policy Management editor from User Configuration, Policies, Windows Settings, Specops Password Policy. Click Create New Password Policy, and select the Password Rules tab.
You can create or import a custom dictionary list to reject common passwords. The custom dictionary should include passwords relevant to your organization, including names, locations, services, any relevant acronyms, and even local sports teams. For a targeted list of company-related words and potential passwords, you can perform your own password audit. Tools such as L0phtcrack can help you gather a comprehensive list of poor passwords, which you can add to your custom dictionary. To identify additional password-related vulnerabilities, use Specops Password Auditor (free). The tool allows you to scan Active Directory for accounts using leaked passwords.
Note: It is important to take into account the performance considerations with larger custom dictionaries as they need to be loaded into memory on each writeable domain controller.
You can further configure your custom dictionary with the following settings. These settings ensure that users cannot bypass the password dictionary with other predictable patterns, such as adding an exclamation mark to the password.
Part of the new password
Prevent the creation of a password that contains a word in your dictionary. For example, if your dictionary contains baseball, enabling this option will reject baseball, BASEBALL, Baseball!, Baseball1. A password change to Baseba1 will not be rejected by this setting.
This setting is recommended when using smaller dictionaries containing company, or product specific words.
Character substitution (leetspeak)
If your password policy also has character complexity requirements, users might get around common dictionary words by substituting characters. With this feature enabled, substituted characters are converted back to the original character during password validation. The following character substitutions are used for the conversion:
- @ = a
- 4 = a
- 8 = b
- 3 = e
- € = e
- 9 = g
- 6 = g
- 1 = i
- | = l
- ! = i
- 0 = o
- 5 = s
- $ = s
- § = s
- 7 = t
- 2 = z
For example, if Password is in the dictionary, enabling this option will reject a password change to p@ssword, or p4ssw0rd.
Reverse of the new password
With this feature enabled, you can reject a password change that contains the dictionary word in reverse. For example, if the dictionary contains abc123, enabling this option will also reject the reverse of the word, 321cba.
Ignore dictionary words shorter than x characters
Short dictionary words make it difficult for users to change passwords, especially if the Part of the new password setting is also enabled. By default, words shorter than 4 characters in length are ignored. You can increase or decrease the number of characters with this setting.
If your custom dictionary contains short words, and the Part of the new password setting is also enabled, reducing the number of characters is not recommended.
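The following Python checker is an added illustration of the four custom-dictionary settings described above (it is not Specops' own code); the substitution table is the one listed under Character substitution, and the sample dictionary is constructed for the demo.

```python
# Added example: a custom-dictionary password checker modelled on the
# settings above (Part of the new password, leetspeak, reverse, ignore
# words shorter than x). Illustrative code, not the Specops implementation.

# Substitution table from the Character substitution section.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "€": "e", "9": "g", "6": "g",
    "1": "i", "|": "l", "!": "i", "0": "o", "5": "s", "$": "s", "§": "s",
    "7": "t", "2": "z",
})

# Constructed sample dictionary for the demo.
SAMPLE_DICTIONARY = ["baseball", "Password", "abc123", "usa"]


def _norm(text: str, leetspeak: bool) -> str:
    """Case-fold, and if leetspeak handling is on, undo substitutions.
    Both the candidate and the dictionary word are normalised the same way,
    so a word like abc123 still matches itself after conversion."""
    text = text.lower()
    return text.translate(LEET_MAP) if leetspeak else text


def is_rejected(candidate, dictionary, *, partial=True, leetspeak=True,
                reverse=True, min_word_len=4):
    """Return the dictionary word that causes rejection, or None if the
    candidate passes every enabled check.

    partial      -> "Part of the new password" (substring match)
    leetspeak    -> "Character substitution (leetspeak)"
    reverse      -> "Reverse of the new password"
    min_word_len -> "Ignore dictionary words shorter than x characters"
    """
    norm_candidate = _norm(candidate, leetspeak)
    for word in dictionary:
        if len(word) < min_word_len:
            continue  # short words are ignored entirely
        w = _norm(word, leetspeak)
        targets = [w, w[::-1]] if reverse else [w]
        for t in targets:
            if (t in norm_candidate) if partial else (t == norm_candidate):
                return word
    return None


if __name__ == "__main__":
    for pw in ["Baseball!", "Baseba1", "p@ssw0rd", "321cba", "myusa2020"]:
        print(f"{pw:12} -> rejected by {is_rejected(pw, SAMPLE_DICTIONARY)!r}")
```

Note that, as the text states, Baseba1 passes because the dictionary word baseball is not contained in it even after substitution handling.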
Specops provided dictionary
In addition to custom dictionaries, Specops provides several downloadable dictionaries built from leaked password lists. Because these lists are very large, their entries are enforced exactly as they are. With the exception of the keyboard combinations dictionary, which has the Part of the new password setting enabled by default, Specops does not offer the Part of the new password or Leetspeak settings for the downloaded dictionaries. In an automated dictionary attack, the hash of each leaked password is compared against the hashes of other passwords; a variant produced by these settings would have a completely different hash, so enforcing them would make the leaked list ineffective against that attack. For more information about this recommendation, click here.
The compliance dictionary (“Specops Master” list) is a combination of password lists from Daniel Miessler designed for penetration tests. The compliance dictionary comes in two versions: one filters out passwords with fewer than eight characters, while the other includes passwords with fewer than eight characters. The latter dictionary is recommended for organizations following NIST and NCSC guidelines, as passwords with eight or more characters are recommended in their respective password guidelines. The compliance dictionary includes passwords containing popular names, cities, days of the month, and other leaked secrets.
Keyboard combinations and sequences
Keyboard patterns are a visual memorization technique that helps users recall a password. They are the obvious adjacent key movements, such as asdfgh, as well as parallel sequences like 1qaz2wsx. The keyboard combinations and sequences dictionary consists of the most common keyboard pattern passwords, for example qwerty. As previously mentioned, the dictionary automatically enables the Part of the new password setting, which prevents the creation of passwords containing a word from the dictionary.
LinkedIn, Adobe, Gawker dictionaries
Block passwords leaked from data breaches by downloading the Specops provided dictionaries, including Gawker (over 180,000 passwords), LinkedIn (6.5 million password hashes), and Adobe (top 100 passwords).
Dictionaries and password expiration
You will want to force users to change their passwords each time the password dictionary is updated – preferably anytime there is a major breach incident.
Combining dictionary settings to achieve best practice
Now that we have an overview of the dictionary settings in Specops Password Policy, let’s summarize how we can combine them to achieve best practice. Specops recommends enabling the following:
- Specops Master List (short) Dictionary: If your password policy requires passwords longer than 8 characters, you can use the Master List (short) which contains an extensive list of previously leaked passwords with 8 or more characters. By default, the Specops Master List is set to identify exact password matches.
- Custom Dictionary: Use a custom dictionary to capture specific words related to your organization or industry. We recommend enabling the partial match check, known in the UI as Part of the new password, to block users from using partial versions of the password. Enabling leetspeak is also recommended to prevent common character substitutions.
- Keyboard Patterns Dictionary: To eliminate the use of keyboard walks as passwords (for example qwerty), we recommend using the keyboard pattern dictionary.
- Specops Breached Password Protection (formerly Specops Password Blacklist) (add-on): For a continuously updated list of vulnerable passwords, enable the Specops leaked list. The list contains billions of passwords from major breach incidents, including the latest Collection leak, and the Have I Been Pwned list compiled by security expert Troy Hunt. During a password change in Active Directory, the service will block and notify users if the password they have chosen is found in a list of leaked passwords.
For more information, see how to protect your organization against password lists.