Preventing common passwords in Active Directory is critical for protecting sensitive employee, user, and customer accounts.
Many employees use weak passwords and are completely unaware of it. They can’t imagine their specific password is a common password that’s being chosen by other people as well.
The organization and the employee both think their chosen password is safe because the employee has met password requirements based on traditional algorithmic password complexity rules.
There isn’t a simple algorithm to identify commonly used passwords, and the set of commonly chosen passwords changes over time. The best way for organizations to screen for them is to turn the lists of common passwords compiled by hackers into a tool for defense.
It starts with preventing common dictionary words.
Every English-language word can be found in cracking dictionaries so organizations should prevent employees from using basic dictionary words in isolation. Pairing common words with other words, special characters and numbers can be allowed with appropriate character lengths.
Additionally, organizations should block repetitive characters or sequential characters (for example: aaaaaa, 111111).
Lastly, there are the most common passwords that attackers know some people will use, so organizations should be blocking common passwords (for example: 123456, 12345678, qwerty, abc123, password1, iloveyou, etc.).
According to the PCI Security Standards Council (PCI), the most common passwords are “password”, “password1” and “123456”. Hackers try easily-guessed passwords because they’re used by half of all people.
These are just a few of the worst passwords that should be blocked.
Industry standards from NIST, PCI, Microsoft, HITRUST, and SANS all recommend auditing and scanning passwords against a commonly used password list.
NIST Password Guidelines, in particular, recommend screening for dictionary and commonly-used passwords specifically in SP 800-63B.
According to NIST Special Publication 800-63B, “…verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.”
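The three screening rules described above (no dictionary words in isolation, no repeated or sequential characters, no entries from a common-password list) and the SP 800-63B requirement to compare candidate secrets against a blocklist can all be expressed as one screening function. The following is an added example written for this article; it is not Enzoic’s code or NIST’s. The blocklist and dictionary are tiny constructed stand-ins built from words named on the page, and the 12-character minimum is an assumed policy value, not one the article states. A production deployment would load a large, regularly refreshed exposed-password list instead of the inline set.

```python
import re
from typing import List

# Constructed sample blocklist: entries named in the article. A real
# deployment loads a much larger, regularly refreshed list of exposed passwords.
COMMON_PASSWORDS = {
    "123456", "12345678", "qwerty", "abc123", "password", "password1", "iloveyou",
}

# Constructed stand-in for a cracking dictionary; in practice this would be a
# full English word list loaded from disk.
DICTIONARY_WORDS = {"summer", "welcome", "dragon", "monkey", "football"}

MIN_LENGTH = 12  # assumed policy value, not stated in the article


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by exactly one
    code point each step (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_bare_dictionary_word(pw: str) -> bool:
    """True when the password is a dictionary word used in isolation, allowing
    for case changes and a trailing run of digits/symbols ('Welcome2024!!')."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())  # strip trailing digits/symbols
    return core in DICTIONARY_WORDS


def screen_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password
    passed every check. Violations are reported in a fixed order."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    # Blocklist comparison is case-insensitive, since attackers try case variants too.
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password blocklist")
    if is_bare_dictionary_word(pw):
        problems.append("dictionary word used in isolation")
    if has_repeated_run(pw):
        problems.append("repeated characters")
    if has_sequential_run(pw):
        problems.append("sequential characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates covering each rule plus one passing passphrase.
    for candidate in ["password1", "Welcome2024!!", "aaaaaa",
                      "abcd1234efgh", "correct-horse-battery-staple"]:
        print(candidate, "->", screen_password(candidate) or "ok")
```

In an Active Directory environment the same logic would sit inside a password filter registered on each domain controller, so that the check runs at password-change time rather than only during periodic audits.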
For years the security industry has tried to educate employees, yet this weakness still hasn’t been closed.
Many organizations are now choosing to take this burden off their employees and automate password screening to account for normal human limitations and behavior when it comes to passwords.
There are numerous tools on the market that can help organizations prevent the use of these passwords and some tools can automate this process to reduce the burden on the IT team.
Enzoic pairs screening for these typical words with daily exposed password screening, fuzzy password matching, password similarity blocking, root password detection, and custom password dictionary filtering. It helps organizations identify password-related vulnerabilities and it is fully automated.