T-Room

The Best in Alternative News

July 13, 2021 at 6:39 pm

Crafting a Custom Dictionary for Your Password Policy…


by The Hacker News

Modern password policies are made up of many elements that together determine their effectiveness. One component of an effective password policy is a custom dictionary: a list of words that are filtered out so that they, and variations of them, cannot be used as passwords in the environment.

Using custom dictionaries, organizations can significantly improve their security posture by filtering out the obvious passwords that give user accounts little real protection.

When using password dictionaries in your password policy, there are many approaches to consider. First, let’s look at crafting a custom dictionary for your password policy, including general guidance on how these dictionaries are created and configured, and how you can easily use custom dictionaries in an Active Directory environment.

Why customize your dictionary?

Custom dictionaries are born from the need to “think as a hacker thinks.” Compromised credentials are one of the leading causes of malicious data breaches across the board, and one of the most expensive for organizations. According to IBM’s Cost of a Data Breach Report 2020, compromised credentials increased the average total cost of a breach by nearly $1 million, to $4.77 million.

Attackers commonly use credential-based attacks that target weak passwords, passwords exposed in previous breaches, passwords that are common in a specific business sector, and common character substitutions (such as “@” for “a” or “0” for “o”).

Unfortunately, all of us tend to choose passwords we can easily remember. In addition, end-users often add common numbers or symbol patterns to the beginning or end of a password to satisfy complexity requirements without really changing the underlying word.

Human habits and the tools available to attackers make weak, common, or predictable passwords easy to crack or guess. Attackers have access to large databases of breached, common, and weak passwords; defenders can turn the same kind of word list to their advantage in the form of a custom dictionary.

A custom password dictionary works in favor of securing the passwords in your environment.

When implemented, the custom dictionary filters the passwords chosen by end-users so that any password contained in the dictionary, or a variation of one, is rejected.

So, aren’t all passwords that meet the Active Directory Password Policy requirements secure? Not exactly.

While the requirements defined by the Active Directory Password Policy are a good starting point, they leave much to be desired against the cracking and guessing tools that cybercriminals use today.

As an example, a password policy may require that an end-user meet the following requirements:

  • Minimum of 8 characters
  • Password must meet complexity requirements (in Active Directory this means the password must not contain the user’s account name or parts of their full name longer than two characters, and must contain characters from at least three of five categories: uppercase letters, lowercase letters, digits, non-alphanumeric characters such as symbols, and other Unicode letters)
Figure: A password policy defined in Active Directory Domain Services

Using the native Active Directory Password Policy settings above, a user could potentially set passwords such as:

  • P@$$w0rd123
  • MybusinessName123!
  • Letmein1$

The above passwords meet all of the length and complexity criteria.

However, they are weak and easily guessed, for different reasons. As the examples show, a password can be a known variant of a common word such as “Password,” be related to your business name or industry, or be a common phrase found in a cracked-password database, such as “Letmein1$.”
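The following is an added example, not code from the original article or from Specops, showing the two checks side by side: an approximation of the native Active Directory complexity rule (three of five character categories, no account name or display-name token, with the 8-character minimum folded in) and a custom-dictionary check that undoes the transformations described above (lower-casing, reversing leetspeak substitutions, and stripping digits and symbols tacked onto either end) before looking the candidate up. The dictionary words, the leetspeak map, and the account “jsmith” / “John Smith” are constructed for the example; “mybusinessname” stands in for a real company name.

```python
import re
import string

# Constructed custom dictionary (hypothetical): base words the organization
# bans. "mybusinessname" stands in for the company's real name and products.
CUSTOM_DICTIONARY = {"password", "letmein", "welcome", "qwerty", "mybusinessname"}

# Reverse-leetspeak map: the character substitutions users apply to sneak a
# banned word past a complexity check, undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

# Characters users tack onto the start or end of a word ("123", "!", "$").
EDGE_CHARS = string.digits + string.punctuation


def meets_ad_complexity(password, sam_account_name="", display_name=""):
    """Approximation of the native AD 'Password must meet complexity
    requirements' rule: no account name, no display-name token of three or
    more characters, and characters from at least three of five categories.
    The 8-character minimum is a separate AD setting, folded in here."""
    if len(password) < 8:
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    # AD splits the display name on commas, periods, dashes, underscores,
    # spaces, pound signs and tabs before checking its parts.
    for token in re.split(r"[,.\-_ #\t]", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols and punctuation
        any(c.isalpha() and not c.isupper() and not c.islower()
            for c in password),                   # other Unicode letters
    ]
    return sum(categories) >= 3


def normal_forms(password):
    """All spellings the dictionary check compares: lower-cased, de-leeted,
    and with leading/trailing digits and symbols stripped from each."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET)}
    for form in list(forms):
        forms.add(form.strip(EDGE_CHARS))
    return forms


def dictionary_match(password, dictionary=CUSTOM_DICTIONARY):
    """Return the banned word found inside any normal form of the password
    (longest word first, so partial matches are caught), or None."""
    forms = normal_forms(password)
    for word in sorted(dictionary, key=len, reverse=True):
        if any(word in form for form in forms):
            return word
    return None


def evaluate(password, sam_account_name="", display_name=""):
    """Run both checks the way a policy with a custom dictionary would:
    a password is accepted only if it passes complexity AND the dictionary."""
    complexity_ok = meets_ad_complexity(password, sam_account_name, display_name)
    banned = dictionary_match(password)
    return {"ad_complexity": complexity_ok,
            "dictionary_hit": banned,
            "accepted": complexity_ok and banned is None}


if __name__ == "__main__":
    # The article's three examples all pass native complexity but hit the
    # dictionary; "Jsmith2024!" fails native complexity because it contains
    # the (hypothetical) account name; the last one passes both checks.
    for candidate in ["P@$$w0rd123", "MybusinessName123!", "Letmein1$",
                      "Jsmith2024!", "Purple-Tractor-Quietly-81"]:
        print(f"{candidate:26} {evaluate(candidate, 'jsmith', 'John Smith')}")
```

The dictionary check matches on substrings of the normalized forms rather than whole words, which is what makes “MybusinessName123!” fail even though the appended “123!” changes the literal string; a whole-word comparison would let every such variant through. The leetspeak map and edge-character stripping are the minimum a practitioner would want; a production filter would also handle breached-password hashes and the sector-specific terms mentioned above.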

Downloadable custom password dictionaries…
