Preventing Common Passwords in Active Directory

Preventing common passwords in Active Directory is critical for protecting sensitive employee, user, and customer accounts.

Why Should Organizations Screen for Regularly-Used Passwords?

Many employees use weak passwords and are completely unaware of it. They can’t imagine their specific password is a common password that’s being chosen by other people as well.

The organization and the employee both think their chosen password is safe because the employee has met password requirements based on traditional algorithmic password complexity rules.

How to Identify Commonly-Used Passwords

There isn’t a simple algorithm to identify commonly-used passwords, and the passwords people choose most often change over time. The best way for organizations to screen for them is to turn the lists of common passwords compiled by attackers into a defensive tool.

Passwords & Dictionary Words

It starts with preventing common dictionary words.

Every English-language word can be found in cracking dictionaries so organizations should prevent employees from using basic dictionary words in isolation. Pairing common words with other words, special characters and numbers can be allowed with appropriate character lengths.

Samples of Regularly Used Passwords

Additionally, organizations should block repetitive characters or sequential characters (for example: aaaaaa, 111111).

Lastly, there are the most common passwords that attackers know some people will use, so organizations should be blocking those outright (for example: 123456, 12345678, qwerty, abc123, password1, iloveyou, etc.).

According to the PCI Security Standards Council (PCI), the most common passwords are “password”, “password1” and “123456”. Hackers try easily-guessed passwords because they’re used by half of all people.

These are just a few of the worst passwords that should be blocked.

Industry Leaders Recommend Filtering Against Password Blacklists

Industry standards from NIST, PCI, Microsoft, HITRUST and SANS all recommend auditing and scanning passwords against a commonly used password list.

NIST Password Guidelines, in particular, recommend screening for dictionary and commonly-used passwords, specifically in SP 800-63B.

According to NIST Special Publication 800-63B, “…verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised,” including:

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.
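The screening rules described above (dictionary words in isolation, repetitive and sequential characters, a common-password blocklist) and the four NIST SP 800-63B categories just listed can be expressed as a small checker. The following is an added example written for this page, not Enzoic’s product code and not an Active Directory password filter; in a real deployment the same logic would run inside a password filter DLL on every domain controller, and the word lists would be a full English dictionary and a large breach corpus rather than the constructed stand-ins used here. The username and service name in the sample run are constructed values.

```python
"""Constructed NIST SP 800-63B-style password screener (example code, not a product)."""
import re

# Constructed stand-in for a breach corpus / common-password list (see the examples in the post).
COMMON_PASSWORDS = {"123456", "12345678", "qwerty", "abc123", "password", "password1", "iloveyou"}

# Constructed stand-in for a full English dictionary; only exact matches are blocked,
# since the post allows dictionary words when combined with other material at a sufficient length.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football", "love"}

MIN_LENGTH = 8
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common character substitutions, so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case and undo common leet substitutions."""
    return pw.lower().translate(LEET)


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (aaaa, 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True for ascending/descending runs of letters or digits (abcd, 4321) or keyboard rows (qwer)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}) and (chunk.isalpha() or chunk.isdigit()):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def context_tokens(username: str, service: str) -> set:
    """Split the username and service name into tokens of 3+ characters (jane.smith -> jane, smith)."""
    tokens = set()
    for src in (username, service):
        for part in re.split(r"[^a-z0-9]+", src.lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens


def screen_password(pw: str, username: str = "", service: str = "") -> list:
    """Return the list of reasons a password fails screening; an empty list means accepted."""
    reasons = []
    low, norm = pw.lower(), normalize(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    if low in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("on common/breached password list")
    if low in DICTIONARY_WORDS or norm in DICTIONARY_WORDS:
        reasons.append("dictionary word used in isolation")
    if has_repeated_run(pw):
        reasons.append("repetitive characters")
    if has_sequential_run(pw):
        reasons.append("sequential characters")
    for tok in sorted(context_tokens(username, service)):
        if tok in low or tok in norm:
            reasons.append(f"contains context-specific word '{tok}'")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample account: username and service name are made up for this example.
    for candidate in ["123456", "P@ssw0rd", "aaaa1111", "Contoso2024!", "Correct-Horse-Battery9"]:
        verdict = screen_password(candidate, username="jane.smith", service="Contoso")
        print(f"{candidate:24} -> {'ACCEPTED' if not verdict else '; '.join(verdict)}")
```

The checks are deliberately layered: a password is reported with every rule it trips rather than the first one, which is what an administrator needs when tuning a policy, and the leet normalization is applied before the list lookups so the obvious “P@ssw0rd” variants of a blocked word do not slip through.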

How to Handle Common Passwords in Active Directory

For years the security industry has been trying to educate employees, yet it still hasn’t been able to close this gap.

Many organizations are now choosing to take this burden off their employees and automating password screening to account for normal human limitations and behavior when it comes to passwords.

There are numerous tools on the market that can help organizations prevent the use of these passwords and some tools can automate this process to reduce the burden on the IT team.

Enzoic pairs screening for these typical words with daily exposed password screening, fuzzy password matching, password similarity blocking, root password detection, and custom password dictionary filtering. It helps organizations identify password-related vulnerabilities and it is fully automated.

To learn more about how to prevent the use of weak passwords, please visit: https://www.enzoic.com/wp-content/uploads/Automate-Password-Policy-Enforcement-NIST-Password-Guidelines.pdf