How To Create A Hack-Proof Dictionary Blacklist

Password blacklisting, also called dictionary blacklisting or dictionary checking, is an important security measure to have in place for passwords. Dictionary checking prevents the use of common passwords like Password, Welcome, Summer, and Baseball. We all know these passwords are insecure and do nothing to protect a computer. So why are we allowing them on our network?

With the nFront Password Filter, two million words can be scanned against an end user’s new password in less than a second to ensure that the password does not contain a word from the dictionary file. The dictionary file we ship includes 6,000 words, but it is 100% customizable. The dictionary check feature scans the dictionary file to ensure that no dictionary word (or phrase) appears anywhere within the user’s new password. The question is: what do I need to put in my dictionary file so that those words are kept out of end-user passwords?

What about passphrases? We receive this question weekly: if I turn on dictionary checking and also allow users to create passphrases, will they be allowed a password like “I hate stupid passwords”? The answer is yes! You can bypass dictionary checking for any password longer than a specific character limit. I recommend a minimum of 15 characters, since Rainbow Tables typically do not easily crack passwords of 15 characters or more.

We understand that 6,000 words can be overwhelming to end users, and you may be afraid of pushback over the new password policy. That is why I want to help you create a custom dictionary file that suits your company’s needs while still keeping your network secure. Keep in mind that your dictionary file is only as strong as you make it: if you do not include a word like “password”, your users will still be able to use it.

The dictionary file included with the nFront Password Filter product contains the following entries:

  • The top 100 worst passwords
  • Keyboard patterns (qwerty, asdf, 123)
  • Years 1900 – 2100
  • Vehicle Manufacturers and models (Ford, Toyota, Explorer, Prius, etc.)
  • World countries
  • US States
  • US State Capitals
  • Days of the week, months
  • Seasons (Winter, Spring, etc.)
  • Sports teams across major sports like football, baseball, basketball, hockey, etc.
  • Common given names and surnames (because most people like to use the name of a spouse, child, grandchild, etc., not just their own name or username)

You will need to add further entries to the supplied dictionary. You want to include things like:

  • Product and brand names within your company or organization
  • Cities where you have offices if not already in our dictionary
  • Any terms specific to your industry and markets
  • “Localized” knowledge. This may be the nearby favorite restaurants where employees like to eat, the local high school mascot, the name of the minor league baseball team, etc.
  • You may also want to consider adding other entries like celebrity names or names of characters in popular TV shows, movies, etc.
  • You can also add passphrases. Surprisingly, many common phrases from movie quotes, nursery rhymes, etc. are part of the lists of breached passwords found on the internet.
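To make the mechanics concrete, here is an added example (not nFront’s own filter code or dictionary file) of the two behaviours described above: a case-insensitive substring check of a new password against a dictionary built from the kinds of categories listed, and the passphrase exemption that skips the check once a password reaches 15 characters. The category lists and the company terms (`acmewidgets`, `springfield`) are constructed sample entries standing in for a real file; the assumption is one entry per line, lower-cased and de-duplicated before use.

```python
"""Dictionary blacklist check with a passphrase length exemption.

Added example, not the vendor's filter or dictionary. The entry lists below are
constructed stand-ins for the categories a real dictionary file would hold.
"""
from typing import Iterable, Optional

# Constructed sample entries for a few of the categories discussed in the post.
TOP_WORST = ["password", "welcome", "letmein", "baseball"]
KEYBOARD_PATTERNS = ["qwerty", "asdf", "123"]
SEASONS = ["winter", "spring", "summer", "autumn", "fall"]
# Hypothetical company-specific terms (brand name, office city).
ORG_TERMS = ["acmewidgets", "springfield"]
# Years 1900 through 2100 inclusive, as the post's category list describes.
YEARS = [str(year) for year in range(1900, 2101)]


def build_dictionary(*sources: Iterable[str]) -> frozenset:
    """Merge entry sources into one lower-cased, de-duplicated set.

    Blank entries (e.g. empty lines in a file) are dropped. Using a frozenset means
    duplicates across categories such as a city that is also a surname cost nothing.
    """
    words = set()
    for source in sources:
        for entry in source:
            word = entry.strip().lower()
            if word:
                words.add(word)
    return frozenset(words)


def find_dictionary_word(password: str, dictionary: frozenset,
                         passphrase_min_len: int = 15) -> Optional[str]:
    """Return the dictionary entry found inside the password, or None if it is clean.

    Matching is case-insensitive and substring-based: "Summer2024!" is rejected
    because it contains "summer". Passwords of passphrase_min_len or more characters
    skip the check entirely, so "I hate stupid passwords" is accepted even though it
    contains "password". Longer entries are tried first (ties broken alphabetically)
    so the reported match is deterministic and as specific as possible.
    """
    if len(password) >= passphrase_min_len:
        return None
    lowered = password.lower()
    for word in sorted(dictionary, key=lambda w: (-len(w), w)):
        if word in lowered:
            return word
    return None


def evaluate(password: str, dictionary: frozenset,
             passphrase_min_len: int = 15) -> dict:
    """Summarise the decision for one candidate password."""
    match = find_dictionary_word(password, dictionary, passphrase_min_len)
    return {
        "password": password,
        "allowed": match is None,
        "matched": match,
        "bypassed": len(password) >= passphrase_min_len,
    }


if __name__ == "__main__":
    blacklist = build_dictionary(TOP_WORST, KEYBOARD_PATTERNS, SEASONS,
                                 ORG_TERMS, YEARS)
    print(f"dictionary holds {len(blacklist)} entries")
    for candidate in ["Summer2024!", "Welcome1995", "xAcmeWidgets9",
                      "Tr0ub4dor&3", "I hate stupid passwords"]:
        print(evaluate(candidate, blacklist))
```

Lowering the `passphrase_min_len` argument shows why the cut-off matters: with the exemption set to 8, “Summer2024!” sails through untouched, which is exactly the kind of short dictionary-based password the check exists to stop.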

I hope this will help guide you in creating a hack-proof dictionary file!
