Preventing Common Passwords in Active Directory
Preventing common passwords in Active Directory is critical for protecting sensitive employee accounts.
Why Should Organizations Screen for Commonly-Used Passwords?
Many employees use weak, common passwords and are completely unaware of it. They think their chosen password is safe because they have met password requirements based on traditional algorithmic password complexity rules.
Common Password Dictionary Words
It starts with preventing common dictionary words. Every English-language word can be found in cracking dictionaries, so organizations should prevent employees from using basic dictionary words in isolation. Pairing common words with other words, special characters and numbers can be allowed, provided the result meets the required length.
Sample Common Passwords
Additionally, organizations should block repetitive or sequential characters (for example: aaaaaa, 111111). Lastly, attackers know that some people will choose the most common passwords, so organizations should block those as well (for example: 123456, 12345678, qwerty, abc123, password1, iloveyou, etc.).
Common passwords according to NIST Special Publication 800-63B:
...verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
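One way to implement the four NIST checks listed above, as an added example that is not part of the original article: the breach list and dictionary are constructed samples standing in for a full corpus, and the username and service name passed in are assumptions.

```python
import re
from typing import Optional

# Constructed sample lists; a real deployment loads a full breach corpus
# and a complete dictionary instead of these handful of entries.
BREACHED = {"123456", "12345678", "qwerty", "abc123", "password1", "iloveyou"}
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey"}


def has_repetition(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (aaaaaa, 111111)."""
    return re.search(r"(.)\1{" + str(run - 1) + ",}", pw) is not None


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one code point
    (1234, abcd, dcba); comparison is case-insensitive."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def screen(pw: str, username: str, service: str) -> Optional[str]:
    """Return the reason a prospective password is rejected, or None if it passes.
    Checks mirror the NIST 800-63B list: breach corpus, dictionary words used in
    isolation, repetitive/sequential characters, context-specific words."""
    low = pw.lower()
    if low in BREACHED:
        return "found in breach corpus"
    if low in DICTIONARY:
        return "dictionary word used in isolation"
    if has_repetition(pw):
        return "repetitive characters"
    if has_sequence(pw):
        return "sequential characters"
    # Context-specific words: the username, the service name, and a simple
    # derivative (the reversed string). Short tokens are skipped to avoid
    # rejecting every password that happens to contain two letters.
    for ctx in (username, service):
        if ctx and len(ctx) >= 3:
            for variant in (ctx.lower(), ctx.lower()[::-1]):
                if variant in low:
                    return f"contains context-specific word '{ctx}'"
    return None
```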