How to blacklist weak Active Directory passwords

What makes a password vulnerable to hackers?

It is human nature to use passwords that are both easy to type and easy to remember. They can be familiar keyboard patterns like 12345 or words like password. Lists of commonly used passwords (called password dictionaries) are easily accessible to hackers and attackers, giving them an edge when it comes to cyberattacks.

To make matters worse, huge lists of compromised accounts and their passwords are available publicly. Since users have a tendency to reuse the same password for several sites, attackers can try to log in to multiple sites using the same credentials.

By combining the knowledge of human nature with data-driven lists of common and compromised passwords, attackers have come up with creative attack strategies like:

  1. Brute-force attacks: A trial-and-error method that applies a very large number of passwords and password combinations against protected resources in the hopes that one combination will be a match for the password. This is a simple but highly effective attack strategy.
  2. Dictionary attacks: Every word in the dictionary is tried against a password-protected resource. This is similar to brute-force attacks except that it only uses words in the dictionary.
  3. Password spraying: A small number of very common passwords are tried against a huge number of protected accounts. This is based on the assumption that at least a few users in the firm would have chosen weak passwords.
  4. Credential stuffing: Compromised accounts and passwords that are leaked from malicious sites are tried against corporate resources in the hopes that those compromised users would have reused the same credentials at work.

What is password blacklisting and how does it help prevent password attacks?

Admins can secure the organization against these attacks through password blacklisting. Password blacklisting involves banning the use of the most commonly used passwords and their variations. Blacklisting compromised and weak passwords can harden organizational security by preventing attackers from uncovering a user's domain password and getting past the initial password login into the Active Directory domain.

Password blacklisting in PowerShell

Windows PowerShell does not offer built-in password blacklisting capabilities.
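To show what has to be hand-rolled without such a capability, here is an added example (written for this page, not ADSelfService Plus or Microsoft code) that rejects banned dictionary words and their common variations, keyboard sequences, and palindromes; the word list and candidate passwords are constructed samples.

```powershell
# Added example for this page (not ADSelfService Plus code): a hand-rolled
# PowerShell blacklist check covering banned words and their variations,
# keyboard sequences and palindromes. Word list and candidates are constructed.
$BannedWords  = @('password', 'welcome', 'letmein', 'qwerty', 'summer')
$KeyboardRows = @('qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890')

function Get-PasswordCore {
    param([string]$Password)
    # Strip digits/symbols prepended or appended as "variations" (Password2024!),
    # then undo common leet substitutions so P@ssw0rd reduces to password
    $core = $Password.ToLowerInvariant() -replace '^[^a-z]+|[^a-z]+$', ''
    $map  = @{ '0'='o'; '1'='i'; '3'='e'; '4'='a'; '5'='s'; '7'='t'; '@'='a'; '$'='s' }
    $out  = foreach ($ch in $core.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { $map[$s] } else { $s }
    }
    return (-join $out)
}

function Test-KeyboardSequence {
    param([string]$Password, [int]$MinLength = 4)
    # True if any MinLength-long run of a keyboard row (either direction) appears
    $p = $Password.ToLowerInvariant()
    foreach ($row in $KeyboardRows) {
        $reversed = -join ($row.ToCharArray()[($row.Length - 1)..0])
        foreach ($seq in @($row, $reversed)) {
            for ($i = 0; $i -le $seq.Length - $MinLength; $i++) {
                if ($p.Contains($seq.Substring($i, $MinLength))) { return $true }
            }
        }
    }
    return $false
}

function Test-Palindrome {
    param([string]$Password)
    $p = $Password.ToLowerInvariant()
    if ($p.Length -lt 4) { return $false }
    return ($p -eq (-join ($p.ToCharArray()[($p.Length - 1)..0])))
}

function Test-BlacklistedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $reasons = @()
    $core = Get-PasswordCore $Password
    if ($BannedWords -contains $core)    { $reasons += "variation of banned word '$core'" }
    if (Test-KeyboardSequence $Password) { $reasons += 'contains a keyboard sequence' }
    if (Test-Palindrome $Password)       { $reasons += 'is a palindrome' }
    [pscustomobject]@{ Password = $Password; Blacklisted = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# Constructed candidates: the first three are rejected, the last passes
'P@ssw0rd2024!', 'Qwerty123', 'Abccba', 'Tr0ub4dor&3-Bike!' | ForEach-Object { Test-BlacklistedPassword $_ }
```

A check like this only runs where you call it; it does not intercept native password changes in the domain, which is the gap the rest of the page addresses.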

ManageEngine ADSelfService Plus, an identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, delivers password blacklisting for Active Directory and enterprise application accounts via its Password Policy Enforcer and integration with Have I Been Pwned?. The former helps impose password policy rules that ban use of dictionary words, palindromes, and patterns, and the latter prevents the use of previously exposed passwords.

Password blacklisting configuration in ADSelfService Plus

1. Configuring the Password Policy Enforcer feature

With ADSelfService Plus, configure a custom password policy via the Password Policy Enforcer feature:

  1. Log into the ADSelfService Plus admin portal.
  2. Navigate to Configuration > Self-Service > Password Policy Enforcer.
  3. Enable Enforce Custom Password Policy.
  4. In the Restrict Pattern tab, ban passwords using a custom dictionary, keyboard sequences, and palindromes.
  5. Click Save.

2. Integrating ADSelfService Plus with Have I Been Pwned?

  1. Go to Admin > Product Settings > Integration Settings > Have I been Pwned?.
  2. Select Enable HaveIbeenPwned Integration.

Benefits of ADSelfService Plus

Apart from being easy to configure, ADSelfService Plus has several advantages when compared to PowerShell scripts.

• Advanced password policy settings:

  Admins can create custom password policies from the advanced password policy controls that blacklist weak passwords, common keyboard patterns, palindromes, etc.

• Uploading password dictionaries:

  Admins can upload lists of common and easily breached passwords (called password dictionaries) to prevent the passwords on that list from being used.

• Integration with Have I Been Pwned?:

  Have I Been Pwned? is a service that informs users whether the passwords they use have been compromised during past data breaches. It also lets them know about any old, weak, or duplicate passwords that they might have used.

• Universal enforcement:

  Admins can enforce the password policies and Have I Been Pwned? integration during self-service password reset and password change for both Active Directory and cloud applications. Native password changes such as password changes via Ctrl+Alt+Del and password resets from the ADUC portal can also be governed.

• Improves IT security:

  Provides advanced multi-factor authentication techniques including biometrics and YubiKey for securing cloud apps.

• Improves the user experience:

  Users can perform self-service password reset from multiple access points such as their login screens, mobile devices, or a secure web portal.

Give hackers a run for their money with improved password security.
