Password blacklisting, also known as dictionary checking, is a very important security measure to have in place for passwords. Dictionary checking prevents the use of common passwords like Password, Welcome, and Baseball. We all know these passwords and insecure and ineffective to secure a computer. Therefore, why are we allowing these passwords on our network?
With the nFront Password Filter, two million words can be scanned against an end user’s password in less than a second to ensure that their password does not contain a word in the dictionary file. Our dictionary file includes 27,000 words. However, this is 100% customizable to the company. The dictionary check feature looks for a case-insensitive exact match (instead of a substring match) between the proposed new password and each entry in the dictionary. The question is, what do I need to include in my dictionary file to be excluded from end-user passwords?
We receive the common question on a weekly basis: “If I want to have dictionary checking and also allow users to create passphrases, will they be allowed to have the passwords likeI hate stupid passwords? The answer is yes! You can require dictionary checking to be disabled if a password is greater than a specific character limit. I would recommend 15 characters since Rainbow Tables typically do not crack passwords that are 15 characters or more (read why here).
We understand, 27,000 words can be overwhelming to end-users and you might be afraid of the end-user push back due to the new password policy. That is why I want to help you create a custom dictionary file that suits your company’s needs, while still keeping your network secure. Please keep in mind that your dictionary file is only as strong as you make it. If you do not include words like Password, then your users will still be able to use it.
Here is what I suggest to customers when they are creating a custom password dictionary after they purchase the nFront Password Filter:
- Include lists from recent breaches. Many times, passwords lists are released to the media. Use this to your advantage!
- Include the Top 100 worst passwords. A new list is released at least once a year.
- Vehicle Manufacturers and models (Ford, Toyota, Explorer, Prius, etc.)
- Celebrity names (Donald Trump, Kardashian, Beyonce, etc.)
- Animal Names (dog, cat, rabbit, monkey, etc.)
- If you are inside the United States, I would suggest the following:
- All of the states in the US
- All of the cities in the US
- All major sports teams
- If you are outside of the United Sates, I would suggest the following:
- All of the countries on your continent
- All of the cities on your continent
- All major sports teams
- Include the Top 100 list of most popular names. This will be specific to where your company resides. For example, Samantha is a common name is the US, while Aarav is a common name in India.
- Include everything about your company – the name, specific industry terms, location, words in the slogan, etc.
I hope this will help guide you in creating a hack-proof dictionary file!