More on Password Dictionaries

Authors: Bachman Fulmer, Ph.D., CISA, Melissa Walters, Ph.D., and Bill Arnold, CISSP
Date Published: 14 February 2019

As a follow-up to our recent ISACA Journal article, “NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” we wanted to provide some additional thoughts on the password dictionary concept. As our article suggests, organizations should place appropriate controls around the establishment and maintenance of the password dictionary. Under the passphrase approach advocated by the latest US National Institute of Standards and Technology (NIST) guidelines, the dictionary becomes the primary tool for enforcing complexity and uniqueness in user authentication credentials. As such, it is integral to ensuring secure access to IT resources.

With respect to initially establishing the password dictionary, it can be difficult to build a comprehensive and highly secure dictionary from scratch. Enterprises should remember:

  • Open-source lists of bad and commonly used passwords are publicly available and may provide a sound starting place. Commercial services have spent considerable time and resources researching and compiling password dictionaries and may be worth the investment.
  • A standard dictionary alone is not enough: it will not include prohibitions specific to the organization and its context. Involve organization leaders and/or interested users in contributing names and terms associated with the organization, its brand image, close affiliations, products, lines of business and people. Be sure to block known (or suspected) compromised credentials, and consider using the dictionary to also block the use of employee-specific information (such as names and usernames).
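As an added illustration of the dictionary described in the two bullets above (example code, not from the ISACA post or its authors), the following Python sketch screens a candidate password against the three sources the post names: a list of commonly used or compromised passwords, organization-specific terms, and the user's own name and username. The word lists are constructed for the example, and the case-folding, the undoing of common digit/symbol substitutions, and the substring match for organization and user terms are design choices of the example rather than requirements stated in the post.

```python
"""Password screening against a blocklist, in the spirit of the NIST
passphrase guidance discussed in the post. Added example; the lists are
constructed and would be replaced by a published breached-password list
plus the organization's own terms."""
import re
import unicodedata

# Common substitutions users make to slip past a naive dictionary check.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Casefold, apply Unicode compatibility normalization, undo the common
    substitutions above, and keep only ASCII letters and digits. The same
    normalization is applied to the dictionary and to the candidate, so an
    exact match in the raw list still matches after normalization."""
    folded = unicodedata.normalize("NFKC", text).casefold().translate(_SUBSTITUTIONS)
    return re.sub(r"[^a-z0-9]", "", folded)


class PasswordDictionary:
    """Blocklist of whole prohibited passwords plus terms that may not appear
    anywhere inside a password. Per-user context (name, username) is supplied
    at check time rather than stored in the dictionary."""

    def __init__(self, banned_passwords=(), banned_terms=(), min_term_len=4):
        self.banned_passwords = {normalize(p) for p in banned_passwords}
        self.banned_terms = {normalize(t) for t in banned_terms}
        # Very short terms would match almost anything; ignore them (design choice).
        self.min_term_len = min_term_len

    def add_passwords(self, passwords):
        """Refresh step: e.g. load newly published or breach-related passwords."""
        self.banned_passwords.update(normalize(p) for p in passwords)

    def add_terms(self, terms):
        """Refresh step: add new product names, brands, affiliates, etc."""
        self.banned_terms.update(normalize(t) for t in terms)

    def _substring_hits(self, norm_password, terms):
        return sorted(t for t in terms
                      if len(t) >= self.min_term_len and t in norm_password)

    def screen(self, password, user_info=()):
        """Return the list of reasons the password is rejected; [] means accepted."""
        reasons = []
        norm = normalize(password)
        if norm in self.banned_passwords:
            reasons.append("matches a known bad or compromised password")
        org_hits = self._substring_hits(norm, self.banned_terms)
        if org_hits:
            reasons.append("contains prohibited organization term(s): " + ", ".join(org_hits))
        user_hits = self._substring_hits(norm, {normalize(u) for u in user_info})
        if user_hits:
            reasons.append("contains user-specific value(s): " + ", ".join(user_hits))
        return reasons


if __name__ == "__main__":
    # Constructed sample lists for the demonstration.
    dictionary = PasswordDictionary(
        banned_passwords=["password", "123456", "qwerty", "letmein", "Welcome1"],
        banned_terms=["AcmeCorp", "Acme", "WidgetPro", "Roadrunner"],
    )
    candidates = ["P@ssw0rd", "Acme-Rocks-2019!", "jsmith-secret",
                  "correct horse battery staple"]
    for candidate in candidates:
        verdict = dictionary.screen(candidate, user_info=["jsmith", "John", "Smith"])
        print(f"{candidate!r}: {'accepted' if not verdict else verdict}")
    # After a suspected breach, push the exposed values into the dictionary.
    dictionary.add_passwords(["Tr0ub4dor&3"])
    print(dictionary.screen("tr0ub4dor&3"))
```

The `add_passwords` and `add_terms` methods are where the refresh process the post calls for would plug in; the screening itself stays the same whichever source the new entries come from.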

It is important to note that a password dictionary should not be considered a “one-shot and done” task. Organizations and the environment they operate in are dynamic, and the password dictionary will become obsolete over time. Organizations should consider the following:

  • Regularly refresh the standard dictionary as lists of bad and commonly used passwords evolve. Customized dictionaries of prohibited words and phrases need to be reevaluated, augmented, and updated periodically.
  • If a breach occurs (or is suspected), the password dictionary should be quickly updated to prevent the potential use of compromised phrases.

Maintenance of the dictionary should become a routine and continuous process for the organization. Establish an appropriate owner of the dictionary maintenance process (for example, a leader in the IT security or compliance functions), and put controls in place to ensure periodic and ad-hoc maintenance of the dictionary. In highly sensitive applications, consider a periodic independent audit of the dictionary and its use. The organization needs assurance that the effectiveness and robustness of the dictionary does not erode over time.

Read Bachman Fulmer, Melissa Walters and Bill Arnold’s recent Journal article:
“NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk,” ISACA Journal, volume 1, 2019.