Preventing Common Passwords in Active Directory


Preventing common passwords in Active Directory is critical for protecting sensitive employee accounts.

Why Should Organizations Screen for Commonly-Used Passwords?

Many employees use weak, common passwords and are completely unaware of it. They think their chosen password is safe because they have met password requirements based on traditional algorithmic password complexity rules.


Common Password Dictionary Words

It starts with preventing common dictionary words. Every English-language word can be found in cracking dictionaries, so organizations should prevent employees from using basic dictionary words in isolation. Pairing common words with other words, special characters and numbers can be allowed at appropriate character lengths.


Sample Common Passwords

Additionally, organizations should block repetitive or sequential characters (for example: aaaaaa, 111111). Lastly, there are the most common passwords that attackers know some people will use, so organizations should block those outright (for example: 123456, 12345678, qwerty, abc123, password1, iloveyou, etc.).



Common passwords according to NIST Special Publication 800-63B:

...verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.
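The screening rules discussed above (isolated dictionary words, repetitive or sequential characters, the common-password list, and NIST's context-specific words) as an added Python example; this is not code from the page or from any product. The sample word lists, the 12-character threshold for word-plus-symbol pairings, the run length of four and the keyboard-row sequences are assumptions made here.

```python
"""Screen a prospective password against the NIST SP 800-63B blocklist categories."""
import re
import string

# Constructed sample lists standing in for a real breach corpus and a full
# English dictionary; a deployment would load those from files instead.
COMMON_PASSWORDS = {"123456", "12345678", "qwerty", "abc123", "password1", "iloveyou"}
DICTIONARY_WORDS = {"summer", "dragon", "welcome", "password"}
# Sequential runs: alphabet, digits and (assumed extension) keyboard rows.
RUNS = (string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_PAIRED_LENGTH = 12  # assumed policy: word + digits/symbols must reach this length
REPEAT_RUN = 4          # assumed policy: 4+ identical characters in a row is repetitive
SEQUENCE_RUN = 4        # assumed policy: 4+ consecutive run characters is sequential


def has_repetition(pw):
    """True if any character repeats REPEAT_RUN or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (REPEAT_RUN - 1), pw) is not None


def has_sequence(pw):
    """True if a SEQUENCE_RUN-long slice follows one of RUNS forwards or backwards."""
    low = pw.lower()
    for i in range(len(low) - SEQUENCE_RUN + 1):
        chunk = low[i:i + SEQUENCE_RUN]
        if any(chunk in r or chunk in r[::-1] for r in RUNS):
            return True
    return False


def screen_password(pw, context=()):
    """Return the blocklist categories the password hits; [] means it passed.
    context: environment-specific words (username, company, service name)."""
    reasons = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("common-or-breached")
    # A dictionary word "in isolation": only non-letters were added to it and
    # the result is still short. Longer word+symbol+number pairings are allowed.
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY_WORDS and len(pw) < MIN_PAIRED_LENGTH:
        reasons.append("dictionary-word")
    if has_repetition(pw):
        reasons.append("repetitive")
    if has_sequence(pw):
        reasons.append("sequential")
    # Context words are checked forwards and reversed, case-insensitively.
    if any(len(t) >= 3 and (t.lower() in low or t.lower()[::-1] in low) for t in context):
        reasons.append("context-specific")
    return reasons
```

For example, `screen_password("Summer2024", context=("jdoe", "contoso"))` is rejected as an isolated dictionary word, while `"Summer!Dragon#2024"` passes because two words are paired at sufficient length.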




For years the security industry has been trying to educate employees, yet it still has not been able to close this gap.


Many organizations are now choosing to take this burden off their employees. By automating common password screening, they can account for normal human limitations and behavior when it comes to common passwords.