Skip to main content

Back to Blog

Blocking Basic Dictionary Words is not Enough

For many organizations, password security comes down to simply implementing blocks on basic dictionary words from being used in the creation of a user’s password. This is not an effective way to secure passwords and may in fact make the creation of a secure password more difficult. There are many ways to improve password security that go beyond blocking dictionary words that are worth organizations implementing to improve their overall security posture.

Let’s look at why simply blocking dictionary words can become problematic.

First, it does nothing to help identify if there are already compromised passwords being used in the organization. Since compromised credentials are the largest factor in leading to a data breach, this is a significant gap in security planning. Second, blocking the use of dictionary words could eliminate the ability for end-users to create strong passphrases rather than simply creating a password. Long, easy to remember passphrases made up of multiple unrelated words have been shown to be more secure than passwords due to the complexity a long-phrase presents and the fact that they are typically easier for end-users to remember, meaning they won’t write it down anywhere or have to reset it frequently because they’ve forgotten it.

Additionally, if you are only blocking dictionary words, you are ignoring another large attack vector that threat actors use, cracking dictionaries. Cracking dictionaries not only include basic dictionary words, but they also include commonly used passwords and variations of those common passwords. On top of that, a cracking dictionary is capable of cracking the hash on a password by using a list of plaintext passwords and their corresponding hash values and using that to generate a particular hash that will match for a given password.

So, if simply blocking dictionary words isn’t enough then what can help with improving password security within an organization?

Enzoic for Active Directory is the answer that many organizations turn to. The tool has the ability to go far beyond simply blocking basic dictionary words and includes capabilities that protect against attacks involving cracking dictionaries as well.

One of the most important abilities the tool provides is being able to check if a password is already compromised when it is created by a user. Given the fact that end-users tend to reuse passwords between personal sites and business logins, it’s highly possible that a password they use on a personal site has been compromised and is now a risk to the organization if it is being used there as well.

Where does Enzoic goes beyond any other organization in the compromised password space?

The Enzoic database is updated multiple times a day with these compromised passwords and monitors user accounts in real-time to see if passwords have become compromised at any point since creation. Most other organizations are only updating these databases a few times a year and not continuously monitoring user accounts. To further increase how effective Enzoic is at identifying compromised passwords, it has the ability to normalize a password. This means that the tool can switch special characters and numbers that have been substituted for letters into regular letters and then check those against the compromise database as well.

Enzoic for Active Directory can also check for commonly used passwords at password creation. Common passwords are typically contained within a cracking dictionary, which ultimately would make it easy for attackers to quickly gain access to a user’s account through a brute force attack. It also has the ability to block specific custom key words. Organizations can use this blacklist to disallow anything that may be associated with their business, such as the business name or a specific product they may create. This is significant because users tend to create passwords that are easy to remember and will incorporate attributes of the business into these passwords. This is something attackers know and rely upon to find easy targets within a company.

Additionally, Enzoic can enforce policies that require any new password that is created to be at least a certain number of characters different from previous passwords to make sure that end-users aren’t just reusing the same password over and over again.

Utilizing all these different features within Enzoic for Active Directory will have benefits across the organization.

  • There will be less end-user friction since combining all these abilities together will mean that a user only needs to reset their password if it is determined to have been compromised since its creation.
  • IT staff will have less work on their hands due to the fact they won’t be assisting with password resets so frequently.

But best of all, implementing all these abilities is one of the quickest ways to ensure the organization as a whole is reducing its risk of a costly and time-consuming data breach.