Creating a custom password-exclusion list can help prevent employees from using passwords that are likely to be guessed. Learn from Specops Software how to use AI to generate a password dictionary for securing your organization's credentials. [...]
Analysis Summary
# Best Practices: Custom Password Exclusion Dictionary Implementation
## Overview
These practices address the vulnerability gaps created by users selecting easily guessable passwords, which attackers exploit through dictionary and brute-force attacks. The core recommendation is creating and maintaining a custom password exclusion dictionary tailored to organizational specifics, combined with layered security controls.
## Key Recommendations
### Immediate Actions
1. **Identify Known Weak Passwords:** Immediately gather lists of widely used, standard weak password terms (e.g., "admin123", "welcome") from reputable public breach databases like HaveIBeenPwned or DeHashed.
2. **Integrate Foundational Blocks:** Implement the identified standard weak terms into your existing password rejection policy immediately.
### Short-term Improvements (1-3 months)
1. **Gather Organizational Terms:** Collect specific data points related to the organization needed to build the custom dictionary: company names (including abbreviations/misspellings), product names (current/discontinued), office locations, current/historical internal project names, and internal acronyms.
2. **Generate & Enforce Custom Dictionary:** Use AI tools (like ChatGPT) with the collected organizational terms to generate the predictable password variations users are likely to choose (numeric patterns, special-character substitutions, and capitalization combinations). Import the complete custom list into your password enforcement mechanism so that these known weak strings are rejected at password-set time.
3. **Enable Real-time Breach Protection:** Deploy security tooling to continuously monitor user passwords against actively known compromised credentials lists (breach databases).
### Long-term Strategy (3+ months)
1. **Establish Dictionary Maintenance Program:** Formalize a policy to review and update the custom password dictionary quarterly, ensuring newly launched products, projects, or acquired terms are added, and outdated terms are removed.
2. **Systematically Review Failure Logs:** Regularly analyze failed password attempt logs to identify emerging patterns or new, common strings users are attempting to set, and incorporate these findings back into the exclusion dictionary.
3. **Mandate Multi-Factor Authentication (MFA):** Extend the requirement for MFA across all accounts, prioritizing all administrative access points as a crucial defense layer, even if passwords are complex.
4. **Conduct Ongoing Security Awareness Training:** Train employees on the rationale behind password dictionary enforcement, emphasizing the dangers of using company-specific terms or easily memorable patterns in their credentials.
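The failure-log review in step 2 above is easiest to automate when the password filter logs *why* a password was rejected (the rule and, for dictionary hits, the matched term) rather than the rejected password itself. The following added example (not Specops code; the log format and field names are assumed for illustration) parses such a log, ranks the dictionary terms that are actually catching users, and flags users who hit the threshold of repeated rejections, which is the early signal of an over-restrictive policy.

```python
import re
from collections import Counter

# Constructed sample in a hypothetical password-filter log format (an assumption,
# not any real product's format). A well-behaved filter logs the rule and the
# matched dictionary term, never the rejected password itself.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z user=jsmith result=REJECTED rule=dictionary term=acme
2024-05-02T09:14:40Z user=jsmith result=REJECTED rule=dictionary term=acme
2024-05-02T09:15:11Z user=jsmith result=REJECTED rule=dictionary term=widget
2024-05-02T09:16:02Z user=jsmith result=ACCEPTED
2024-05-02T09:20:45Z user=amiller result=REJECTED rule=length
2024-05-02T09:21:30Z user=amiller result=ACCEPTED
2024-05-02T10:02:19Z user=bchen result=REJECTED rule=breached
2024-05-02T10:03:00Z user=bchen result=REJECTED rule=dictionary term=acme
2024-05-02T10:03:41Z user=bchen result=ACCEPTED
2024-05-02T11:30:07Z user=dlee result=REJECTED rule=dictionary term=salesteam
2024-05-02T11:31:00Z user=dlee result=ACCEPTED
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>ACCEPTED|REJECTED)"
    r"(?: rule=(?P<rule>\S+))?(?: term=(?P<term>\S+))?$"
)


def parse_log(lines):
    """Parse recognised lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, friction_threshold=3):
    """Aggregate rejections by rule and by dictionary term, and flag users who
    reached the rejection threshold (a sign the policy may be over-restrictive)."""
    rules, terms, rejections_per_user = Counter(), Counter(), Counter()
    for ev in events:
        if ev["result"] != "REJECTED":
            continue
        rules[ev["rule"] or "unknown"] += 1
        rejections_per_user[ev["user"]] += 1
        if ev["rule"] == "dictionary" and ev["term"]:
            terms[ev["term"]] += 1
    friction = sorted(u for u, n in rejections_per_user.items() if n >= friction_threshold)
    return {"rules": rules, "terms": terms, "friction_users": friction}


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG.splitlines()))
    print("rejections by rule:", dict(report["rules"]))
    print("top dictionary terms:", report["terms"].most_common(3))
    print("users at friction threshold:", report["friction_users"])
```

Terms that rank high confirm the dictionary is earning its keep and hint at which seed terms to expand in the next quarterly review; a rule that never fires is a candidate for removal. The friction list is the complement: if the same users are rejected several times in a row by the dictionary rule, check whether a short or generic term is blocking legitimate passwords before tightening further.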
## Implementation Guidance
### For Small Organizations
- **Leverage Free/Built-in Tools:** Start by exporting AI-generated lists as text files and loading them through whatever custom-dictionary or password-filter capability your existing identity provider or domain controller already offers.
- **Focus on MFA First:** Prioritize the immediate rollout of MFA for all remote access and core administrative accounts, as this offers the highest immediate risk reduction against breached credentials.
### For Medium Organizations
- **Adopt Dedicated Policy Tools:** Invest in or implement specialized password policy management software that can easily import large, custom exclusion lists and integrate continuous breach monitoring.
- **Template Generation:** Use AI tools to generate comprehensive initial organizational dictionaries, focusing heavily on product codenames and internal short-form abbreviations.
### For Large Enterprises
- **Automated Integration:** Integrate dictionary management directly into your identity lifecycle management (ILM) pipeline, ensuring new projects or product launches automatically trigger a dictionary update review process.
- **Security Framework Mapping:** Map the custom dictionary implementation directly to relevant security framework controls (e.g., NIST 800-63B Digital Identity Guidelines).
- **Distributed Review:** Establish a governance committee involving HR, Marketing, and IT security to vet potential terms to be added/removed from the exclusion list to ensure comprehensive coverage without blocking legitimate but unique legacy terms.
## Configuration Examples
*Note: specific technical configuration depends on the tool in use; the following outlines the type of data generated and used for configuration.*
| Category | Example Term (to Block) | AI-Generated Variation Example |
| :--- | :--- | :--- |
| **Company/Brand** | ACME Corporation | acme!corp, ACMEcorp2024 |
| **Product Name** | ACME Widget V3 | AcmeWdgt3, AWidgetv3 |
| **Location/Office** | Dover Delaware HQ | DoverDE, D_HQ22 |
| **Industry Jargon** | Quantum Encryption | Q_Encrypt, Qrypt0 |
| **Common Substitution** | SalesTeam | $alesT3am, SalesT3M |
| **Internal Acronym** | MKTG Dept | MKTGdept, mktg_dept1 |
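The table above and the "Generate & Enforce Custom Dictionary" step both rely on the same two operations: expanding seed terms into the variations users actually pick, and rejecting a candidate password when it contains one. The following added example (not Specops code) does both in a small Python module, using the table's own seed terms as constructed input. Rather than enumerating every variation, the checker normalizes the candidate (lowercase, reverse common look-alike substitutions, keep letters only) and then looks for any seed term inside it, which also catches variations the enumeration missed; the flat `generate_dictionary` expansion is there for tools that can only import a plain wordlist. The substitution table, suffix list and `min_len` cutoff are assumptions chosen for illustration.

```python
import itertools
import re

# Hypothetical look-alike substitutions (an assumption, not a Specops list);
# production tools ship larger tables.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
DELEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
# Assumed common trailing patterns seen in weak passwords.
SUFFIXES = ["", "1", "123", "2024", "!", "1!", "2024!"]


def normalize(candidate):
    """Lowercase, reverse look-alike substitutions, drop anything that is not a letter."""
    chars = (DELEET.get(ch, ch) for ch in candidate.lower())
    return re.sub(r"[^a-z]", "", "".join(chars))


def blocked_terms(seed_terms, min_len=4):
    """Turn seed phrases into letter-only terms: each word plus the joined phrase.
    Terms shorter than min_len are dropped so that tiny acronyms (e.g. "HQ") do not
    reject unrelated passwords that merely happen to contain those letters."""
    terms = set()
    for seed in seed_terms:
        words = [re.sub(r"[^a-z]", "", w) for w in seed.lower().split()]
        for t in words + ["".join(words)]:
            if len(t) >= min_len:
                terms.add(t)
    return terms


def check_password(candidate, terms):
    """Return the blocked term found inside the candidate, or None if it passes."""
    norm = normalize(candidate)
    for term in sorted(terms, key=len, reverse=True):  # report the most specific hit
        if term in norm:
            return term
    return None


def leet_variants(term, max_subs=2):
    """The term with up to max_subs characters swapped for look-alikes."""
    positions = [i for i, ch in enumerate(term) if ch.lower() in LEET]
    out = {term}
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            for picks in itertools.product(*(LEET[term[i].lower()] for i in combo)):
                chars = list(term)
                for i, rep in zip(combo, picks):
                    chars[i] = rep
                out.add("".join(chars))
    return out


def generate_dictionary(terms):
    """Expand terms into a flat set for tools that only import plain wordlists."""
    variants = set()
    for term in terms:
        for cased in (term, term.upper(), term.capitalize()):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    variants.add(leeted + suffix)
    return variants


# Constructed seed terms taken from the table above.
SEEDS = ["ACME Corporation", "ACME Widget V3", "Dover Delaware HQ", "SalesTeam", "MKTG Dept"]

if __name__ == "__main__":
    terms = blocked_terms(SEEDS)
    for pw in ["ACMEcorp2024", "$alesT3am", "mktg_dept1", "D_HQ22", "Correct-Horse-Battery-Staple"]:
        print(f"{pw:30} -> {check_password(pw, terms) or 'allowed'}")
    print(len(generate_dictionary(terms)), "flat variants exported")
```

Note the deliberate trade-off: `D_HQ22` passes because `HQ` falls under `min_len`, which is the "overly restrictive policies" pitfall in code form. Lower the cutoff only for acronyms that are genuinely distinctive, and review the friction signal in the failure logs after doing so.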
## Compliance Alignment
- **NIST SP 800-63B (Digital Identity Guidelines):** Aligns directly with requirements for verifying that memorized secrets (passwords) do not match known compromised passwords or use predictable patterns.
- **ISO/IEC 27001 (A.9.2.2):** Supports the control for the secure use of passwords by implementing technical restrictions against weak choices.
- **CIS Critical Security Controls (Control 5: Account Management):** Supports hardening credentials by preventing the use of easily guessable or compromised credentials.
## Common Pitfalls to Avoid
- **One-Time Implementation:** Treating dictionary creation as a static task. If you don't update it when new projects or products launch, it rapidly becomes obsolete.
- **Ignoring Variations:** Only blocking the exact company name (e.g., "AcmeCorp") without generating and blocking common variations involving capitalization, common substitutions (`@` for `a`), or trailing numbers.
- **Overly Restrictive Policies:** Creating a dictionary so exhaustive that it blocks legitimate, complex, but memorized passwords, leading to user frustration and potential policy workarounds.
- **Sole Reliance on Dictionary:** Assuming a custom dictionary alone is sufficient. It must be coupled with MFA and continuous breach monitoring.
## Resources
- **AI Brainstorming Tools:** Large Language Models (e.g., ChatGPT) for generating comprehensive variations from initial seed terms.
- **Public Breach Data Sources:** HaveIBeenPwned (for known breached passwords).
- **Identity Security Tooling:** Specialized software capable of importing custom exclusion lists and integrating real-time breach checking against Active Directory or similar identity stores.