Specops password dictionary overview and best practice
(Last updated on May 30, 2018)
As long as users continue using common/predictable passwords, dictionary attacks will continue to work. However, hackers are not the only ones who can take advantage of password predictability. The best protection against a dictionary attack is using a dictionary during the password creation process. This means checking future passwords against such dictionaries, and preventing users from selecting passwords that are susceptible to attacks.
Specops Password Policy supports the following dictionaries:
- Compliance (“Specops Master” list)
- Common keyboard combinations and sequences
- LinkedIn leaked password hashes
- Adobe leaked passwords
- Gawker leaked passwords
It is best practice that password policies combine dictionaries with password length requirements (at least 15 characters).
The dictionary settings can be configured in the Group Policy Management editor from User Configuration, Policies, Windows Settings, Specops Password Policy. Click Create New Password Policy, and select the Password Rules tab.
You can create or import a custom dictionary list to reject common passwords. The custom dictionary should include passwords relevant to your organization, including names, locations, services, any relevant acronyms, and even local sports teams. For a targeted list of company-related words and potential passwords, you can perform your own password audit. Tools such as L0phtcrack can help you gather a comprehensive list of poor passwords, which you can add to your custom dictionary.
Note: It is important to take into account the performance considerations with larger custom dictionaries as they need to be loaded into memory on each writeable domain controller.
You can further configure your custom dictionary with the following settings. These settings ensure that users cannot bypass the password dictionary with other predictable patterns, such as adding an exclamation mark to the password.
Part of the new password
Prevent the creation of a password that contains a word in your dictionary. For example, if your dictionary contains baseball, enabling this option will reject baseball, BASEBALL, Baseball!, Baseball1. A password change to Baseba1 will not be rejected by this setting.
This setting is recommended when using smaller dictionaries containing company- or product-specific words.
Character substitution (leetspeak)
If your password policy also has character complexity requirements, users might bypass common dictionary words with character substitutions. With this feature enabled, character substitutions are converted to the original character during password validation. The following character substitutions are used for the conversion:
- @ = a
- 4 = a
- 8 = b
- 3 = e
- € = e
- 9 = g
- 6 = g
- 1 = i
- | = l
- ! = i
- 0 = o
- 5 = s
- $ = s
- § = s
- 7 = t
- 2 = z
For example, if Password is in the dictionary, enabling this option will reject a password change to p@ssword, or p4ssw0rd.
Reverse of the new password
With this feature enabled, you can reject a password change that contains the dictionary word in reverse. For example, if the dictionary contains abc123, enabling this option will also reject the reverse of the word, 321cba.
Ignore dictionary words shorter than x characters
Short dictionary words make it difficult for users to change passwords, especially if the Part of the new password setting is also enabled. By default, words shorter than 4 characters in length are ignored. You can increase or decrease the number of characters with this setting.
If your custom dictionary contains short words, and the Part of the new password setting is also enabled, reducing the number of characters is not recommended.
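The four custom-dictionary settings above, modelled as an added example (not Specops' own code): the substitution table is the one listed on the page, while the matching semantics (case-insensitive substring for Part of the new password, exact match otherwise, dictionary words compared lowercase) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Leetspeak substitution table as listed on the page (substitute -> original).
LEET = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "€": "e", "9": "g", "6": "g",
    "1": "i", "|": "l", "!": "i", "0": "o", "5": "s", "$": "s", "§": "s",
    "7": "t", "2": "z",
})


@dataclass
class DictionaryPolicy:
    """Models a custom dictionary with the settings described in the text."""
    words: Set[str]
    part_of_new_password: bool = False  # reject if a word appears anywhere in the password
    leetspeak: bool = False             # undo substitutions before comparing
    reverse: bool = False               # also reject the reversed dictionary word
    min_word_length: int = 4            # ignore dictionary words shorter than this

    def _forms(self, password: str) -> Set[str]:
        """Normalised forms of the password that are compared against the dictionary."""
        forms = {password.lower()}
        if self.leetspeak:
            forms.add(password.lower().translate(LEET))
        return forms

    def rejected_by(self, password: str) -> Optional[str]:
        """Return the dictionary word that blocks this password, or None if it passes."""
        forms = self._forms(password)
        for word in self.words:
            w = word.lower()
            if len(w) < self.min_word_length:
                continue  # "Ignore dictionary words shorter than x characters"
            patterns = {w, w[::-1]} if self.reverse else {w}
            for form in forms:
                for p in patterns:
                    matched = (p in form) if self.part_of_new_password else (p == form)
                    if matched:
                        return word
        return None
```

With `part_of_new_password=True` and `baseball` in the dictionary, `Baseball!` and `BASEBALL` are rejected while `Baseba1` passes, matching the behaviour described above.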
Specops provided dictionary
In addition to custom dictionaries, Specops supports a number of downloadable dictionaries consisting of the most popular leaked password lists. As these lists tend to be quite extensive, Specops does not recommend using them with the aforementioned Part of the new password setting. In an automated dictionary attack, the hash of a leaked password is tested against the hash of other passwords. The Part of the new password setting would result in a completely different hash, rendering the password list ineffective against the attack.
The compliance dictionary (“Specops Master” list) is a combination of password lists from Daniel Miessler designed for penetration tests. The compliance dictionary comes in two versions. One version filters out passwords with fewer than eight characters, while the other includes passwords with fewer than eight characters. The latter dictionary is recommended for organizations following NIST and NCSC guidelines, as passwords with eight or more characters are recommended in their respective password guidelines. The compliance dictionary includes passwords containing popular names, cities, days of the month, and other leaked secrets.
Keyboard combinations and sequences
Keyboard patterns are a visual memory aid that users rely on when choosing passwords. They are the obvious adjacent key movements, such as asdfgh, as well as parallel sequences like 1qaz2wsx. The keyboard combinations and sequences dictionary consists of the most common keyboard pattern passwords, for example qwerty.
LinkedIn, Adobe, Gawker dictionaries
Blacklist passwords leaked in data breaches by downloading the Specops provided dictionaries, including Gawker (over 180,000 passwords), LinkedIn (6.5 million password hashes), and Adobe (top 100 passwords).
Dictionaries and password expiration
The check against a password dictionary runs when a password is changed, so that is the point at which the creation of vulnerable passwords is prevented. If you use a password dictionary to strengthen security, you need to make sure passwords are changed frequently enough to take the latest lists into account.
Combining dictionary settings to achieve best practice
Now that we have an overview of the dictionary settings in Specops Password Policy, let’s summarize how we can combine them to achieve best practice. Specops recommends enabling the following:
- Specops Master List (short) Dictionary: If your password policy requires passwords longer than 8 characters, you can use the Master List (short) which contains an extensive list of previously leaked passwords with 8 or more characters. By default, the Specops Master List is set to identify exact password matches.
- Custom Dictionary: Use a custom dictionary to capture specific words related to your organization or industry. We recommend enabling the partial match check, known in the UI as Part of the new password, to block users from using partial versions of the password. Enabling leetspeak is also recommended to prevent common character substitutions.
- Keyboard Patterns Dictionary: To eliminate the use of keyboard walks as passwords (for example qwerty), we recommend using the keyboard pattern dictionary.