Adding Corporate Bad Passwords

Passwordstate uses a number of approaches to prevent users from selecting easy-to-guess words for their Password.  It does this by referencing a list of words that you want to prohibit from being used.  The options for where to reference the list of words you want blocked are located under Administration->Bad Passwords

From here you can,

  1. Select the approach for referencing a Bad Passwords Database.  This can be based on either a Custom Database, where you populate the Bad Passwords, or by referencing a list of known bad passwords using the Have I Been Pwned API.  You can even select an option for using Both if you are running Passwordstate V9 Build 9000 or above.
  2. You can Add, Import and Export your Custom Database containing both the default Bad Passwords that ship from Click Studios as well as any words that you have added to it.

Before we get into the main body of this blog article, we must mention that the https://haveibeenpwned.com/ website, and the API that Click Studios references, are courtesy of Troy Hunt and the excellent work he’s done in providing details on credentials caught up in data breaches.  He provides this information as a free resource for everybody.

Include Words from Your Corporate Dictionary

A corporate dictionary, sometimes referred to as a corporate glossary, contains words, terms and their meanings.  They are typically used to assist employees in speaking the same business language.  For example, the Oil and Gas industry uses certain words to name and describe geology, products, processes, outputs etc. that relate to that industry.  The Corporate Dictionary is available as a resource that can be referenced to ensure that employees, colleagues and even industry partners can accurately understand what is being discussed.

Unfortunately, these resources are sometimes referenced as a source of passwords.  As an example, people outside of the Oil and Gas or Legal industries may rarely come across a word such as sequestration.  Excellent, I should use that as my password! Nuh-uh! Those cybercriminals that are targeting your organization will already have done some easy preparation and likely downloaded a list of Oil and Gas terms for use in a Brute Force Dictionary Attack.  You could send out an email and ask all employees not to use the words in the corporate dictionary – but you and I both know that doesn’t work!

So… let’s stop those words from being used as passwords by adding them to the Bad Passwords Custom Database.  You could add each word individually by clicking on Add, located underneath the Custom Database display grid.  This will open the Add New Bad Password screen, allowing you to add a word and then click Save,

Alternatively, you can click on Import, again located beneath the Custom Database display grid.  This will open the Import Bad Passwords screen,

From here simply click on Generate CSV Template.  This will create and download a simple template to your computer.  As shown in the image above, the CSV File Format includes one Field with a heading of BadPassword, and the size of the field is a maximum of 255 characters.

I’ve opened the template in Microsoft Excel, populated it with a selection of words from an Oil and Gas company’s corporate dictionary (using a sample found via a Google Search), and I now have a selection of words I want to prevent being used as Passwords.  I’ve then saved this file as badpasswords_OAG.csv,

Now, all I need to do is click on the Select button, pick the file using File Explorer and then click on Submit as per the image below,

This will import the contents of the CSV file and add those records to the Custom Bad Passwords database.  The Import Process will, as a confirmation, show the Import Successful screen and the number of records that were imported.  Click Continue to return to the Bad Passwords Screen,

Confirmation

Now, back on the Bad Passwords screen you can see confirmation in the image below that the required words have been loaded and will be prohibited from being used as passwords.

And…One Last Fine Tune

You can also prevent those words in the Custom Database from being used as part of a Password.  To do this you’ll need to navigate to Administration->System Settings->Miscellaneous and select Yes for Use regular expressions when matching ‘Bad Passwords’.  As an example, this will ensure that users can’t fool the system by trying a known bad password with ‘01’ appended to it.
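As an added example (not Click Studios’ code and not how Passwordstate is implemented internally), the script below prepares an import CSV in the single-column BadPassword format described above, dropping blanks, duplicates and terms over the 255-character field limit, and then contrasts the exact-match check with the substring-style check the ‘use regular expressions’ setting provides.  The glossary terms are constructed, and case-insensitive matching is an assumption.

```python
import csv
import io
import re

# Constructed sample: terms as they might appear in an Oil and Gas corporate glossary,
# including the kind of noise (blanks, whitespace, duplicates, oversize) a real export has.
GLOSSARY_TERMS = ["sequestration", "Downhole", "wellhead", "downhole ", "", "x" * 300]

MAX_LEN = 255  # size of the BadPassword field in the Passwordstate CSV template


def build_bad_password_rows(terms):
    """Normalise glossary terms into unique BadPassword values no longer than MAX_LEN."""
    seen, rows = set(), []
    for term in terms:
        word = term.strip()
        key = word.lower()  # assumption: duplicates differing only in case are the same word
        if not word or len(word) > MAX_LEN or key in seen:
            continue
        seen.add(key)
        rows.append(word)
    return rows


def write_csv(rows):
    """Render the import file with the BadPassword header used by the generated template."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["BadPassword"])
    for word in rows:
        writer.writerow([word])
    return buf.getvalue()


def is_bad_password(candidate, bad_words, use_regex=False):
    """Exact match (default) versus regex/substring match of any bad word inside the candidate."""
    if use_regex:
        pattern = re.compile("|".join(re.escape(w) for w in bad_words), re.IGNORECASE)
        return pattern.search(candidate) is not None
    return candidate.lower() in {w.lower() for w in bad_words}


if __name__ == "__main__":
    rows = build_bad_password_rows(GLOSSARY_TERMS)
    print(write_csv(rows), end="")
    for pw in ("sequestration", "sequestration01"):
        print(pw, "exact:", is_bad_password(pw, rows), "regex:", is_bad_password(pw, rows, True))
```

With the regex setting on, ‘sequestration01’ is rejected because the bad word is found inside it; with exact matching it slips through.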

By adding words from your organization’s Corporate Dictionary you strengthen your Password policies and remove yet another potential attack vector: Brute Force Dictionary Attacks consisting of easy-to-guess ‘bad passwords’.

If you’d like to share your feedback please send it through to support@clickstudios.com.au