Blocking Expected and Similar Passwords in Active Directory

Most employees create or reuse passwords that are predictable or similar to their previous ones: typically a root password that is changed by just a few characters, or even only in capitalization. Attackers know this is common practice on any system where users log in, so organizations need to block these expected and similar passwords in all of their forms.

Organizations should also deploy fuzzy password matching against the entries in their password blacklist. Fuzzy matching matters because if a user's password was recently exposed in a breach of another site, an attacker will try patterns derived from that password, and will usually succeed, because most people follow patterns when selecting passwords. Fuzzy password matching checks multiple variants of each blacklisted password, including case changes and common substitutions such as leetspeak and password reversal.

For example, if your exposed password is “HolidayVacation1”, attackers will usually try variations such as:
- “HolidayVacationi”: leetspeak (swapping letters and numbers, as in leet = 1337)
- “1noitacaVyadiloH”: the reversed password
- “holidayvacation1”: a change of letter case
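The following is an added example, not code from the original post or from Enzoic's product, of how a blacklist check can be made fuzzy in the way described above. Both the blacklist entries and the candidate password are reduced to a canonical form (lower-cased, with common leetspeak characters folded back to letters), and the reversed form is indexed as well, so that case changes, leetspeak and reversal all collapse onto the same entry. The leetspeak table and the sample blacklist are constructed for the example; a real deployment would index a breach corpus instead.

```python
# Added example: fuzzy matching of a candidate password against a blacklist.
# Exact-match blacklists miss trivial variants; normalizing both sides first
# makes "HolidayVacation1", "holidayvacation1", "HolidayVacationi" and
# "1noitacaVyadiloH" all map onto the same canonical entry.

# Common leetspeak substitutions folded back to a single representative
# character. The table is deliberately lossy (e.g. "1", "!", "l" and "i" all
# collapse to "i"): a false positive only makes the policy stricter, while a
# missed variant gives the attacker a free guess.
LEET_FOLD = {
    "0": "o", "1": "i", "!": "i", "|": "i", "l": "i",
    "3": "e", "4": "a", "@": "a", "5": "s", "$": "s",
    "7": "t", "+": "t", "8": "b", "9": "g", "6": "g",
}


def normalize(password: str) -> str:
    """Lower-case the password and undo common leetspeak substitutions."""
    return "".join(LEET_FOLD.get(ch, ch) for ch in password.lower())


def variants(password: str) -> set[str]:
    """Canonical forms under which a password should be recognized."""
    base = normalize(password)
    # Reversal is checked by indexing the reversed canonical form too.
    return {base, base[::-1]}


def build_blacklist_index(entries) -> set[str]:
    """Expand every blacklisted password into its canonical variants."""
    return {v for entry in entries for v in variants(entry)}


def is_blacklisted(candidate: str, index: set[str]) -> bool:
    """True if any canonical variant of the candidate is in the index."""
    return bool(variants(candidate) & index)


if __name__ == "__main__":
    # Constructed blacklist for the example (a breach list in real life).
    index = build_blacklist_index(["HolidayVacation1", "Winter2017"])
    for pw in ["HolidayVacationi", "1noitacaVyadiloH", "holidayvacation1",
               "H0l1d4yV4c4t10n!", "SummerBreak2020"]:
        print(f"{pw:20} blocked={is_blacklisted(pw, index)}")
```

Because the normalization is applied to the blacklist at index-build time, the per-password check stays a constant-time set lookup, which matters when the blacklist is a breach corpus of hundreds of millions of entries.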

Another common employee password behavior that attackers exploit is picking one root password and then using various iterations of it. This makes the password easier for the employee to remember, but unfortunately it also makes it easy for bad actors to figure out.

With this in mind, it is important for organizations to implement password similarity blocking. With password similarity blocking, a new password is screened for similarity to the former password using Damerau-Levenshtein distance, the number of single-character insertions, deletions, substitutions or adjacent transpositions needed to turn one password into the other.

For example, if your compromised password is “HolidayVacation2018”, attackers usually try iterations like:
- “HolidayVacation2019”: a one-character change
- “HolidayVacation2020”: a two-character change
- “HolidayVacation18”: a two-digit change

The systems administrator needs to be able to set how much difference (called the distance) is required between the old password and the new one. The minimum distance should be at least 1, but some organizations require a distance of up to 8.

Organizations have varying opinions on how many characters, including transpositions, should differ between old and new passwords. The password policy therefore needs to be customizable, so that each organization can tune the required distance to the right level for its business.
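As an added example covering the two paragraphs above (it is not code from the original post or from Enzoic's product), the block below implements Damerau-Levenshtein distance and uses it as a configurable similarity check: the administrator chooses a minimum distance, and a new password is rejected when it is closer than that to the previous one. The example assumes both the previous and the candidate password are available in cleartext at change time, and the password pairs it tests are the ones from the post plus a constructed transposition case.

```python
# Added example: password similarity blocking with Damerau-Levenshtein distance.
# A new password must differ from the old one by at least `min_distance`
# edits, where an edit is a single-character insertion, deletion, substitution
# or adjacent transposition ("Passwrod" vs "Password" counts as one edit).


def damerau_levenshtein(a: str, b: str) -> int:
    """Unrestricted Damerau-Levenshtein distance between two strings."""
    max_dist = len(a) + len(b)
    # d has an extra leading row and column (index 0) holding max_dist as a
    # sentinel, so d[i+1][j+1] is the distance between a[:i] and b[:j].
    d = [[0] * (len(b) + 2) for _ in range(len(a) + 2)]
    d[0][0] = max_dist
    for i in range(len(a) + 1):
        d[i + 1][0] = max_dist
        d[i + 1][1] = i
    for j in range(len(b) + 1):
        d[0][j + 1] = max_dist
        d[1][j + 1] = j
    last_row = {}  # last row in which each character of `a` was seen
    for i in range(1, len(a) + 1):
        last_col = 0  # last column in `b` matching a[i-1]
        for j in range(1, len(b) + 1):
            k = last_row.get(b[j - 1], 0)
            l = last_col
            if a[i - 1] == b[j - 1]:
                cost = 0
                last_col = j
            else:
                cost = 1
            d[i + 1][j + 1] = min(
                d[i][j] + cost,                           # substitution
                d[i + 1][j] + 1,                          # insertion
                d[i][j + 1] + 1,                          # deletion
                d[k][l] + (i - k - 1) + 1 + (j - l - 1),  # transposition
            )
        last_row[a[i - 1]] = i
    return d[len(a) + 1][len(b) + 1]


def check_new_password(old: str, new: str, min_distance: int) -> tuple[bool, int]:
    """Return (allowed, distance). Policy: distance must be >= min_distance.

    min_distance is the administrator-chosen threshold (1 up to 8 in the
    post's description). A value of 1 only rejects an identical password.
    """
    if min_distance < 1:
        raise ValueError("min_distance must be at least 1")
    distance = damerau_levenshtein(old, new)
    return distance >= min_distance, distance


if __name__ == "__main__":
    old = "HolidayVacation2018"
    for new in ["HolidayVacation2019", "HolidayVacation2020",
                "HolidayVacation18", "HoildayVacation2018"]:
        allowed, dist = check_new_password(old, new, min_distance=3)
        print(f"{new:22} distance={dist} allowed={allowed}")
```

Comparing the raw strings means a pure case change ("holidayvacation2018") scores as several substitutions and could pass a low threshold; a deployment that also wants to treat such changes as trivial can run both passwords through the same case and leetspeak normalization used for blacklist matching before measuring the distance.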

To learn more about keeping passwords safe in Active Directory, please visit: https://www.enzoic.com/password-policy-enforcement-nist-password-guidelines/