Password dictionary overview and best practice

As long as users continue using common/predictable passwords, dictionary attacks will continue to work. Hackers are not the only ones who can take advantage of password predictability. The best protection against a dictionary attack is using a dictionary during the password creation process. This means checking future passwords against such dictionaries, and preventing users from selecting passwords that are susceptible to attacks.

Specops Password Policy supports custom dictionaries, and also has a leaked password protection add-on. The password deny list contains several billion passwords, and is regularly updated in response to new password leaks.

It is best practice that password policies combine dictionaries, with password length requirements (at least 15 characters), and length-based password aging.

The dictionary settings can be configured in the Group Policy Management editor from User Configuration, Policies, Windows Settings, Specops Password Policy. Click Create New Password Policy, and select the Password Rules tab.

Custom dictionaries

You can create or import a custom dictionary list to reject common passwords. The custom dictionary should include passwords relevant to your organization, including name, locations, services, any relevant acronyms, and even local sport teams. For a targeted list of company related words, and potential passwords, you can perform your own password audit. Tools such as L0phtcrack can help you gather a comprehensive list of poor passwords, which you can add to your custom dictionary. To identify additional password-related vulnerabilities, use Specops Password Auditor (free). The tool allows you to scan Active Directory for accounts using leaked passwords.

Note: It is important to consider performance implications with larger custom dictionaries as they need to be loaded into memory on each writeable domain controller.

Settings

You can further configure your custom dictionary with the following settings. These settings ensure that users cannot bypass the password dictionary with other predictable patterns, such as adding an exclamation mark to the password.

Part of the new password

Prevent the creation of a password that contains a word in your dictionary. For example, if your dictionary contains baseball, enabling this option will reject baseball, BASEBALL, Baseball!, Baseball1. A password change to Baseba1 will not be rejected by this setting.

This setting is recommended when using smaller dictionaries containing company, or product specific words.

Character substitution (leetspeak)

If your password policy also has character complexity requirements, users might bypass common dictionary words with character substitutions. With this feature enabled, character substitutions are converted to the original character during password validation. The following character substitutions are used for the conversion:

• @ = a
• 4 = a
• 8 = b
• 3 = e
• € = e
• 9 = g
• 6 = g
• 1 = i
• | = l
• ! = i
• 0 = o
• 5 = s
• $ = s
• § = s
• 7 = t
• 2 = z

For example, if Password is in the dictionary, enabling this option will reject a password change to p@ssword, or p4ssw0rd.

Reverse of the new password

With this feature enabled, you can reject a password change that contains the dictionary word in reverse. For example, if the dictionary contains abc123, enabling this option will also reject the reverse of the word, 321cba.

Ignore dictionary words shorter than x characters

Short dictionary words make it difficult for users to change passwords, especially if Part of the new password setting is also enabled. By default, words shorter than 4 characters in length are ignored. You can increase or decrease the number of characters with this setting.

If your custom dictionary contains short words, and the Part of the new password setting is also enabled, reducing the number of characters is not recommended.

Combining dictionary settings to achieve best practice

Now that we have an overview of the dictionary settings in Specops Password Policy, let’s summarize how we can combine them to achieve best practice. Specops recommends enabling the following:

• Custom Dictionary: Use a custom dictionary to capture specific words related to your organization or industry. We recommend enabling the partial match check, known in the UI as Part of the new password, to block users from using partial versions of the password. Enabling leetspeak is also recommended to prevent common character substitutions.
• Specops Breached Password Protection (add-on): For a continuously updated list of vulnerable passwords, enable the Specops leaked list. The list contains billions of passwords from major breach incidents, including the latest Collection leak, and the Have I Been Pwned list compiled by security expert Troy Hunt. During a password change in Active Directory, the service will block and notify users if the password they have chosen is found in a list of leaked passwords.

For more information, see Specops Password Policy and its Active Directory password screening service.