Why password blacklisting is so important, and how to do it in Active Directory

Passwords are still the most popular authentication method used to grant users access to critical business resources. According to the 2017 State of Authentication Report, more than half of US companies use only passwords to protect their intellectual property and financial information. This is problematic because many experts no longer consider a password on its own a secure form of authentication. Passwords are not inherently weak; the way people choose, reuse, and manage them is.

With the number of websites and applications users visit every day, they tend to pick short, memorable passwords and reuse them across services. Cybercriminals count on you and your employees following this habit, because it lets them break into your organization's network with cheap, automated attacks such as dictionary attacks rather than anything sophisticated.

What is a dictionary attack?

In a dictionary attack, cybercriminals try to guess passwords using a dictionary file: a large list of candidate passwords that includes common dictionary words (e.g., password), passwords with character substitutions (e.g., p@ssw0rd), and passwords leaked in data breaches. With every new leak, attackers add real, previously used passwords to that list. Because those leaked passwords were chosen by real users, most of them already satisfy typical complexity rules, which is why complexity requirements alone do little to slow this attack down.

Is Active Directory’s domain password policy enough?

Considering how important passwords are, you'd expect Active Directory to have a strong mechanism in place to protect them. Unfortunately, that mechanism, the domain password policy settings, is rudimentary at best. Even with password complexity enabled, which only requires characters from three of five character classes and forbids the account name and parts of the display name, domain users can still use common, vulnerable passwords. There's a good chance that, even as you read this, some of your employees are using a password that is your company name followed by the month and year they created it, and that password meets every complexity requirement.

The National Institute of Standards and Technology, in its Digital Identity Guidelines (SP 800-63B), recommends checking new passwords against a list of values known to be commonly used, expected, or compromised, and rejecting any that match. Active Directory Domain Services has no built-in banned-password list of this kind. What it does provide is the password filter interface on domain controllers, a DLL hook that is invoked on every password change; that interface is how third-party enforcers, and more recently Microsoft's own Entra Password Protection agent for on-premises AD DS, add this check.

Blacklisting common, vulnerable passwords in Active Directory using ADSelfService Plus

ManageEngine ADSelfService Plus allows you to block users from picking common passwords: ones that contain dictionary words, keyboard patterns, part of their username, or one of their old passwords. The password policy enforcer feature in ADSelfService Plus supports advanced password policy settings that are not available in the Active Directory password policy. These settings include a dictionary rule and a pattern checker along with thirteen other settings. Enforcing them makes the passwords users pick far harder to guess from a dictionary. As with any password filter, the enforcement component has to be present on every domain controller that can process a password change; otherwise a change that happens to be routed to an unprotected domain controller bypasses the rule.

The dictionary rule allows you to import a dictionary containing common password lists and leaked passwords, and prevents users from picking passwords that match a value in that dictionary. You can also edit the dictionary to include your own list of words that you'd like to restrict. Matching should be case-insensitive and should undo common character substitutions first; otherwise p@ssw0rd slips past a list that contains password.

The pattern checker allows you to restrict users from including common patterns in their passwords, such as qwer, asdf, and 12345. You can also edit the pattern list to include patterns specific to your organization, such as your company name, product names, specific dates, and so on.
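The following is an added, self-contained example, not ADSelfService Plus code and not a Microsoft API. It puts the two checks discussed above side by side: the domain complexity rule, implemented as Microsoft documents it (three of five character classes, no samAccountName, no displayName token of three or more characters, separate minimum length), and a blacklist of the kind described in the dictionary rule and pattern checker paragraphs (dictionary words, banned patterns, a company name, years, parts of the user's name, and old passwords). The word list, pattern list, the hypothetical company name Contoso, the user jsmith / John Smith, and the candidate passwords are all constructed for illustration. It shows why "Contoso2017!" and "P@ssw0rd" sail through complexity but are caught by the blacklist.

```python
"""Domain complexity rule versus a dictionary/pattern blacklist (added example)."""
import re

# Constructed stand-in for an imported dictionary / leaked-password list.
DICTIONARY = ("password", "welcome", "summer", "letmein", "football")

# Constructed stand-in for the editable pattern list: keyboard walks plus the
# name of a hypothetical organisation, Contoso.
PATTERNS = ("qwer", "asdf", "12345", "contoso")

# Character substitutions that attackers' rule sets also apply. Every check
# below runs on the raw lower-cased password AND on this normalised form, so
# "p@ssw0rd" is seen as "password" while "12345" still matches literally.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

# Delimiters the complexity rule uses to split displayName into tokens.
DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")
YEAR = re.compile(r"(19|20)\d\d")


def name_tokens(sam_account_name, display_name):
    """samAccountName as a whole plus displayName tokens; anything shorter
    than three characters is ignored, as in the complexity rule."""
    tokens = [sam_account_name] + DISPLAY_NAME_DELIMS.split(display_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def meets_ad_complexity(password, sam_account_name, display_name, min_length=7):
    """'Password must meet complexity requirements' plus the separate
    'Minimum password length' setting (7 on a freshly created domain)."""
    if len(password) < min_length:
        return False
    lower = password.lower()
    if any(tok in lower for tok in name_tokens(sam_account_name, display_name)):
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        # caseless letters, e.g. CJK scripts, form the fifth category
        any(c.isalpha() and not (c.isupper() or c.islower()) for c in password),
    )
    return sum(classes) >= 3


def blacklist_violations(password, sam_account_name, display_name, history=()):
    """Dictionary rule, pattern checker, year check, username rule and
    old-password rule. Returns the list of reasons; empty means acceptable."""
    raw = password.lower()
    forms = (raw, raw.translate(LEET))
    reasons = []
    for word in DICTIONARY:
        if any(word in f for f in forms):
            reasons.append(f"contains dictionary word '{word}'")
    for pat in PATTERNS:
        if any(pat in f for f in forms):
            reasons.append(f"contains banned pattern '{pat}'")
    if YEAR.search(password):
        reasons.append("contains a four-digit year")
    for tok in name_tokens(sam_account_name, display_name):
        if any(tok in f for f in forms):
            reasons.append(f"contains part of the user's name '{tok}'")
    # Old passwords are compared after normalisation, so "Welcome1" cannot be
    # replaced by "W3lcome1". History is plaintext here for the demo only; a
    # real enforcer keeps hashes.
    if any(raw.translate(LEET) == old.lower().translate(LEET) for old in history):
        reasons.append("matches a previous password")
    return reasons


def evaluate(password, sam_account_name="jsmith", display_name="John Smith", history=()):
    """Both verdicts for one candidate password (hypothetical user jsmith)."""
    return {
        "ad_complexity": meets_ad_complexity(password, sam_account_name, display_name),
        "blacklist": blacklist_violations(password, sam_account_name, display_name, history),
    }


if __name__ == "__main__":
    for pw in ("Contoso2017!", "P@ssw0rd", "Summer2024!", "Smith2018!", "Vermilion-Kayak-47"):
        r = evaluate(pw)
        verdict = "accepted" if r["ad_complexity"] and not r["blacklist"] else "rejected"
        hits = "; ".join(r["blacklist"]) or "no blacklist hits"
        print(f"{pw:20} complexity={str(r['ad_complexity']):5} {verdict}: {hits}")
```

Run as a script, it prints one line per candidate: the first four pass or fail complexity for reasons unrelated to how guessable they are, and only "Vermilion-Kayak-47" survives both checks. The point to take away is that the substitution-aware matching and the organisation-specific pattern list are what catch the passwords an attacker's dictionary would try first.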

There is no set-it-and-forget-it password policy. Password attack techniques keep evolving, and new leaks keep enlarging attackers' dictionaries, so you need to review your password policy regularly, refresh the banned-password list, and update the rules based on observed user behavior and threats. ADSelfService Plus can help you implement strong password policy controls in Active Directory so you can maintain your desired level of security. The tool is completely free for up to 50 users. Give ADSelfService Plus a try.
