Modern password policies are made up of many elements that together determine their effectiveness. One element of an effective password policy is a custom dictionary, which filters out words that are not allowed as passwords in the environment.
Using custom dictionaries, organizations can dramatically improve their cybersecurity posture and filter out obvious passwords that provide poor security to user accounts.
When using password dictionaries in your password policy, there are many approaches to consider. First, let’s look at creating a custom dictionary for your password policy, including general guidance on how these dictionaries are created and configured, and how you can easily use custom dictionaries in an Active Directory environment.
Why customize your dictionary?
Custom dictionaries were born out of the need to “think like a hacker thinks”. Compromised credentials are one of the leading causes of malicious data breaches at all levels. They are also one of the most expensive for organizations. According to IBM’s 2020 Cost of a Data Breach report, compromised credentials increased the average total cost of a breach by nearly $1 million, to $4.77 million.
Hackers often use credential-based attacks that target weak passwords, passwords that have already been breached, common passwords used in a specific industry, or common spelling transformations of dictionary words.
Unfortunately, we all tend to use passwords that we can easily remember. Additionally, end users often add common numbers or symbol patterns at the beginning or end of passwords to bypass password complexity requirements.
Human nature and the tools available make it easy to crack or guess weak, standard or expected passwords. Attackers have access to large databases of breached and otherwise common or weak passwords, but defenders can put such a password list to good use in one way: the custom dictionary.
The Custom Password Dictionary helps keep passwords secure in your environment.
When implemented, the custom dictionary provides a means to filter the passwords chosen by end users, disallowing any password or variation of a password contained in the custom dictionary.
So, aren’t all passwords that meet Active Directory password policy requirements secure? Not exactly.
While the requirements set by the Active Directory password policy are a good place to start, they leave a lot to be desired when you consider the cracking and other password tools that cybercriminals use today.
For example, a password policy might require that an end user meet the following requirements:
- At least 8 characters
- Password must meet complexity requirements (must contain uppercase, lowercase, numbers and non-alphabetic characters such as symbols)
|A password policy set in Active Directory Domain Services|
Using the native Active Directory password policy settings above, a user can potentially set passwords such as:
- P@$$w0rd123
- Letmein$1
The above passwords meet all criteria defined under the length and complexity requirements.
However, they are weak and easy to guess for different reasons. As the examples above show, these can be known variations of common words such as “Password”, terms related to your company or industry name, or a common phrase found in a breached password database such as “Letmein1$”.
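The filtering the article describes has to catch more than exact dictionary words: it must also recognise leetspeak substitutions and the digits or symbols users pad onto the end to satisfy complexity rules. The following is an added example, not code from the article or from Specops, showing one way to do that: strip the padding, undo common substitutions, then compare the remaining core against a dictionary, both as an exact match and as a contained word. The dictionary entries, the substitution map and the sample passwords are constructed for the example.

```python
import re

# Constructed sample dictionary. A real deployment would hold thousands of
# entries: breached passwords, the company name, products, locations, etc.
CUSTOM_DICTIONARY = {"password", "letmein", "contoso", "welcome", "summer"}

# Leetspeak substitutions commonly applied to dictionary words (assumed set).
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "|": "l",
})

# Digits and symbols padded onto the start or end of a password ("123", "$1").
_PADDING = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word the user probably started from:
    strip leading/trailing digit or symbol padding, lower-case the rest, and
    undo leetspeak substitutions inside the remaining core."""
    core = _PADDING.sub("", password)
    return core.lower().translate(LEET_MAP)


def dictionary_match(password: str, dictionary=CUSTOM_DICTIONARY):
    """Return the dictionary word the password is built from, or None.

    Both an exact match and a contained word count, so "Contoso-Summer!2024"
    is rejected because it embeds a dictionary entry. Longer entries are
    checked first so the most specific word is reported."""
    core = normalize(password)
    if core in dictionary:
        return core
    for word in sorted(dictionary, key=lambda w: (-len(w), w)):
        # Very short entries would match almost anything; require 4+ letters.
        if len(word) >= 4 and word in core:
            return word
    return None


if __name__ == "__main__":
    for candidate in ["P@$$w0rd123", "Letmein$1", "Contoso-Summer!2024",
                      "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {dictionary_match(candidate)}")
```

Both sample passwords from the article pass the native length and complexity rules yet normalise straight back to “password” and “letmein”, which is exactly why a dictionary check has to run on the normalised form rather than on the raw string. The substring rule is a design choice: it makes the filter stricter (a company name buried inside a longer password is still rejected) at the cost of occasionally refusing an unrelated password that happens to contain a short dictionary word.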
Downloadable custom password dictionaries
You may not want to “reinvent the wheel” when it comes to collecting passwords to use in a custom dictionary for your password policy. There are ready-made password dictionaries and password files that can be downloaded for free as the basis of a custom password dictionary. One example is the Have I Been Pwned password list: Have I Been Pwned: Pwned Passwords.
Businesses can also use readily available tools such as Crunch, available in Kali Linux or installable from your Linux distribution repository. In Ubuntu, you can install Crunch using the command:
- sudo apt-get install crunch
Crunch generates wordlists that SecOps teams in your organization can use for brute-force testing or password strength auditing. These readily available tools can also serve as a basis for creating your own custom password lists for your environment.
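The Pwned Passwords download mentioned above is distributed as hashes rather than plaintext, one SHA-1 digest and breach count per line, which is what lets a policy tool import a “hash file” without ever storing the breached passwords themselves. The example below is added here and is not code from the article, Specops or Have I Been Pwned. It parses a constructed two-line fixture in that format, looks a candidate up by its SHA-1 hash, and then applies a small constructed list of organisation-specific terms, the two sources a custom dictionary typically combines. The breach counts and the term list are made up for the example.

```python
import hashlib

# Constructed fixture in the format of the Have I Been Pwned "Pwned Passwords"
# download: one "<SHA-1 hex>:<number of breaches>" per line, ordered by hash.
# The two hashes are the real SHA-1 digests of "password" and "123456";
# the counts are made up for this example.
HIBP_SAMPLE_LINES = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:37359195",
]

# Constructed list of organisation-specific terms (company name, product, site).
CUSTOM_TERMS = ["Contoso", "Fabrikam", "Redmond"]


def load_hash_list(lines):
    """Parse HIBP-style "<hash>:<count>" lines into a {hash: count} dict.
    Blank lines are skipped and a missing count is treated as 0."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        table[digest.upper()] = int(count) if count else 0
    return table


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, matching the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, table) -> int:
    """How many times the password appears in the breach list (0 if absent)."""
    return table.get(sha1_hex(password), 0)


def evaluate(password: str, table, custom_terms=CUSTOM_TERMS):
    """Return None if the password passes both checks, otherwise a
    (reason, detail) tuple describing why it was rejected."""
    count = breach_count(password, table)
    if count:
        return ("breached", count)
    # Company-specific terms are rejected wherever they appear, case-insensitively.
    lowered = password.lower()
    for term in custom_terms:
        if term.lower() in lowered:
            return ("custom-term", term)
    return None


if __name__ == "__main__":
    table = load_hash_list(HIBP_SAMPLE_LINES)
    for candidate in ["password", "Contoso2024!", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {evaluate(candidate, table)}")
```

Loading the whole list into a dictionary is fine for a fixture but not for the real download, which runs to many gigabytes; because the file is sorted by hash, a production check would binary-search the file or query the range API instead. Have I Been Pwned also publishes the list as NTLM hashes, which is the form most useful for comparing against Active Directory credentials.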
Using a password filter .dll
However, this is not limited to simply creating a password dictionary file. Organizations that want to implement their own custom password filter .dll, including words containing their company name or industry-specific keywords, must have the development talent and resources to create the .dll required for password filter functionality in Active Directory.
Microsoft describes the process of registering and installing a .dll password filter here: Installing and Registering a Password Filter DLL – Win32 Applications | Microsoft Docs.
Custom dictionary solutions in your password policy tools
Is there an easy way to create a custom dictionary for your password policy? Specops Password Policy simplifies the implementation of custom dictionaries for your password policies and allows adding more than 2 billion known breached passwords, as well as any custom terms such as your company name or location, to a password policy.
High-quality password policy tools like this integrate with your native Active Directory password policies implemented at the Group Policy level.
With simple checkboxes, the Specops solution allows IT administrators to easily and quickly implement multiple password dictionaries as part of the password rules configured for their organization.
|Specops Password Policy Dictionary Settings|
|Configuring the custom dictionaries setting in the Specops password policy|
The Use custom dictionaries setting allows you to import password files or hash files, or to create new dictionaries directly from the interface.
In the Downloaded Dictionaries setup, administrators have access to readily available password dictionary files which can be downloaded directly from the Specops Password Policy interface.
|Downloading Password Dictionary Files from Specops Password Policy Interface|
Specops Password Policy makes it easy to configure, implement and maintain custom dictionary files for your organization’s password policy, with no programming knowledge or expertise required.
Start using a custom dictionary in your password policy
Today, businesses need to strengthen account password security to strengthen their overall cybersecurity posture. Using custom dictionaries as part of their password policies is a great way to build an attacker’s perspective into your cybersecurity efforts.
However, implementing a custom password filter .dll in the environment requires developing the custom password filter .dll that Active Directory expects. This development can present obstacles for companies implementing custom dictionaries, such as cost, maintenance overhead and efficiency blockers.
Specops Password Policy allows multiple custom dictionary files to be implemented with just a few clicks, eliminating the complexity and security concerns associated with implementing a password filter correctly.
Learn more about Specops Password Policy or start your free trial.