Checking for partial matches in leaked password lists is not recommended – here’s why
A popular setting in Specops Password Policy (SPP) is the ability to configure partial word matching
against a custom dictionary. The feature disallows users from creating a password containing a word
from the dictionary, and prevents them from circumventing the dictionary by adding a character to
the end or beginning of a vulnerable password. This feature is especially useful for organizations that
want to prohibit passwords containing certain words, such as company name, product name, local
sports team, etc. For example, with this setting Acme corporation can block users from changing
their password to Acme, Acme1234, 123.AcMe-456, etc.
The partial word match setting (known in the UI as Part of the new password) is applicable and
recommended for custom dictionaries. As such, customers using our online dictionaries (Specops
Compliance Dictionaries, LinkedIn, Adobe, etc.) cannot use this feature. Specops does not
recommend using the partial match setting with our online dictionaries as they are intended to block
Leaked password lists tend to be quite extensive so their combination with the setting can make it
hard for users to select strong passwords. For instance, a leaked list may contain the word blah!!!!. In
an automated attack, using blah!!!! as a password would compromise the user account. However,
that doesn’t mean every password containing that string is vulnerable. Take the password
w03d00wblah!!!!4pDC: it doesn’t appear on the list and is considered strong, even though
it contains blah!!!!. Unfortunately, the partial word match setting would block such strong passwords
from being selected.
In an automated dictionary attack, the hash of each leaked password is compared against the hash of
the password being attacked. A password that merely contains a leaked word hashes to a completely
different value, so the leaked list gives the attacker no advantage against it; partial matching adds
no protection there and only blocks otherwise strong passwords.
If a customer still wants to leverage the partial matching feature against online dictionaries, we
recommend the following workaround:
- Download the desired online dictionaries from the links below:
- Add the online dictionary as a custom dictionary by importing it as a password file from the SPP policy settings page.