Using a custom dictionary allows you to add, configure, and remove password dictionaries and password hash dictionaries. The password dictionary is checked each time there is a password change in Active Directory. A new password will be rejected if it is found in the dictionary. The password hash dictionary contains hashed passwords that can be used to test against the hash of a new password. For example, testing against leakedpassword hashes.
If you have imported a Password File you can configure various settings such as partial word matching, and reversed words. If you have imported a Password Hash File you will need to specify the hash function for the dictionary words.
The words in the dictionary file must be separated by line breaks.
- In the Group Policy Management Editor, right-click the GPO you want to target and choose Edit...
- expand User Configuration, Policies, Windows Settings node, and select Specops Password Policy. Click Create New Password Policy or Configure Password Policy.
- Select the Password Rules
- Enable the Use custom dictionaries checkbox, and click Manage…
- You will have the option to import a Password File, Password Hash File, or create a New Dictionary from the editor.
- If Password File is selected, browse to the password file you want to use.
- If Import Password Hash File is selected, browse the hash file you want to use.
- If New Dictionary is selected, you will be able create your own dictionary by adding words to the dictionary editor. Type the words you want to add in the text box.
- If Password File, or New Dictionary was selected, you can configure additional settings. On the desired dictionary, click Configure Selected, and expand Options for the following settings:
- Part of the new password: If enabled, attempting to change to a password containing a word in the dictionary will be rejected. For example, if the password dictionary contains “Specops”, enabling this option will reject a password change to “specops”, “SPECOPS”, “Specops”, “Specops1”, “1Specops”. A password change to “Specop1” or “cops” will not be rejected by this setting.
- Character substitution (leet speak): If enabled, character substitutions will be converted to the original character when validating password. For example, if the word “Password” is in the dictionary, enabling this option
will reject a password change to “p@ssword”, or “p4ssw0rd”.
The following character substitutions are used for the conversion:
å, Å, ä, Ä, â, Â, à, À, á, Á, @, 4 = a
8 = b
é, É, è, È, ë, Ë, ê, Ê, 3, € = e
6, 9 = g
î, Î, Ï, ï, 1 = i
|, î, Î, Ï, ï = l
ô, Ô, ö, Ö, 0 = o
5, $, § = s
ù, Ù, ú, Ú, û, Û, ü, Ü, = u
7 = t
2 = z
I, ! = 1
- Reverse of the new password: If the password dictionary contains “abc123”, enabling this option will also reject the reverse of the word, i.e. “321cba”.
Enabling “Part of the new password” or “Reverse of the new password” when using large dictionaries does not necessarily increase security and can make it difficult for end users to create passwords, as good passwords may be rejected. An exception can be made for “Part of the new password” when using smaller dictionaries containing company/product specific words.
- Ignore dictionary words shorter than x characters: By default, words equal to, or shorter than, 3 characters in length will be ignored.
- If Import Password Hash File is selected, specify the hash function for the dictionary words. This value must match the hash that was used when hashing the passwords in the dictionary to import. If the value does not match, the dictionary check will fail.
For more information about password dictionaries, and best practice recommendations for the aforementioned settings, click here.