
How To Blacklist Passwords For Windows Active Directory

Blacklisting passwords for Windows Active Directory is not a new topic in IT security, but in recent years it has become more important. Each new data breach and each yearly “Top 100 Worst Passwords” report shows the same words at the top of the list: love, welcome, incorrect, dog, cat, summer, and of course password. In this post, you will learn how to blacklist passwords for Windows Active Directory.


At nFront Security, we refer to blacklisting passwords for Windows Active Directory as dictionary checking. We get the question all the time: “Is there a way to block certain words from passwords?” The answer is yes. Dictionary checking does not mean a user sits with a thousand-page dictionary, flipping page after page to see whether their password is in it. Instead, the IT administrator creates a customized dictionary file, and any word in that file is banned from user passwords. A dictionary file is a list of common words and passwords used by the general public; such lists range from a few hundred entries to many thousands. Our dictionary file ships with 27,000 banned words and phrases, but the file is 100% customizable: we believe our customers should be able to modify it, or build their own, to suit their environment. One size does not fit all for Windows Active Directory password blacklisting.

The reason for banning common dictionary words is that attackers break into company networks with dictionary attacks, in which the attacker systematically tries every word in a word list as the password for an account. Once one account is compromised, the attacker has an open door into the company’s network. They can take the information they want and leave, or fly under the radar for months gathering information until the employee changes their password or the intrusion is detected. According to TechTarget, “Dictionary attacks work because many computer users and businesses insist on using ordinary words as passwords. Dictionary attacks are rarely successful against systems that employ multiple-word phrases, and unsuccessful against systems that employ random combinations of uppercase and lowercase letters mixed up with numerals.”


To stop users from selecting common passwords, implement a password dictionary file within your password filter. The dictionary file should include words such as:

  • Your company name
  • Common industry terms
  • Local sports teams
  • Local city names
  • Employee names
  • Popular celebrity names
  • Common pet names
  • The word “password”

In addition to the above, compile a list of common passwords from recent data breaches. For example, lists of the most common passwords from the Dropbox, MySpace, and LinkedIn breaches have been published. Add those words, along with the most recent year’s “Top 100 Worst Passwords” list, to your dictionary file. Custom password blacklisting is very important for company networks.

Humans are creatures of habit. We tend to select passwords that are easy to remember, like “Password1”. This specific password makes the Top 100 list year after year. Why? Because the Windows “password must meet complexity requirements” policy accepts it: it contains characters from three categories (uppercase, lowercase, and digits), which is all the policy asks for. With dictionary checking enabled, however, this password would be rejected because it contains the dictionary word “password”.
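To make the “Password1” case concrete, here is an added PowerShell example (not nFront Security’s code or the product’s own filter logic) that builds a dictionary file from the kinds of entries listed above and then checks candidate passwords against it the way a dictionary-checking password filter would: a case-insensitive substring match, after undoing the common letter-for-symbol substitutions users make to slip past a plain word match. The company terms, the “breach list”, the file name and the candidate passwords are all constructed for the example.

```powershell
# Added example (not nFront Security's code): build a banned-word file, then
# test candidate passwords against it. All terms and file names are assumptions.

# --- 1. Build the dictionary file -------------------------------------------
# Constructed company-specific terms (company name, industry term, sports team,
# city, employee name) plus the usual suspects.
$companyTerms = @('Contoso', 'widget', 'Falcons', 'Atlanta', 'jsmith', 'password', 'welcome', 'summer')
# Constructed stand-in for a published breach/"worst passwords" list.
$breachList   = @('123456', 'qwerty', 'password1', 'letmein', 'Welcome')

$dictionaryPath = Join-Path $env:TEMP 'banned-words.txt'
($companyTerms + $breachList) |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object   { $_.Length -ge 4 } |      # 3-letter words ("cat", "dog") reject far too many passwords under substring matching
    Sort-Object -Unique |
    Set-Content -Path $dictionaryPath -Encoding UTF8

# --- 2. Load it and normalize candidates ------------------------------------
$banned = Get-Content -Path $dictionaryPath | Where-Object { $_ -ne '' }

function ConvertTo-CanonicalForm {
    param([string]$Text)
    # Undo the substitutions users make to get past a plain dictionary check
    # ("P@$$w0rd" -> "password"), then lowercase.
    $map = @{ '@'='a'; '4'='a'; '3'='e'; '1'='i'; '!'='i'; '0'='o'; '$'='s'; '5'='s'; '7'='t' }
    $chars = $Text.ToLowerInvariant().ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($map.ContainsKey($c)) { $map[$c] } else { $c }
    }
    return -join $chars
}

function Test-BannedWord {
    param([string]$Password, [string[]]$Dictionary)
    $canonical = ConvertTo-CanonicalForm $Password
    foreach ($word in $Dictionary) {
        # Substring match, not whole-word match: "Password1" is rejected
        # because it contains "password", exactly the case in the text above.
        if ($canonical.Contains($word)) {
            return [pscustomobject]@{ Password = $Password; Rejected = $true;  Matched = $word }
        }
    }
    return [pscustomobject]@{ Password = $Password; Rejected = $false; Matched = $null }
}

# --- 3. Try it on constructed candidates ------------------------------------
'Password1', 'P@$$w0rd2024', 'GoFalcons!', 'Summer2016', 'correct-horse-battery' |
    ForEach-Object { Test-BannedWord -Password $_ -Dictionary $banned } |
    Format-Table -AutoSize
```

Two practical points the script makes visible. First, substring matching is what catches “Password1” and “Summer2016”, so the minimum word length in step 1 matters: every short word you ban rejects every password containing it. Second, a dictionary check only runs when a password is set or changed, so existing passwords that contain banned words stay in place until their owners next change them.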

Many companies offer real-time password blacklisting software for Windows Active Directory and will manage the dictionary file for you. That sounds appealing, since it is less work for you. But consider: how good is a password blacklist when you cannot fully customize the file to your own specifications? Even if you are allowed to add 150 words or so, is that enough to cover your company name, industry terms, employee names, local sports teams, and the like? I don’t think so. As I said earlier, one size does not fit all. Password blacklisting for Windows Active Directory is extremely important for the health of your network. I hope this post has shown you how to blacklist passwords for Microsoft Windows Active Directory.

