2

The password filter does a simple check: Does the new password contain an entry in the list of forbidden words?

In practice, the list is a series of forbidden words and known passwords.

I think it stands to reason that the list should be public. We don't want people using these words in their passwords, so rather than have them struggle, they can at least have the option of not having to guess what's allowed and what's not.

I'm asking this question here because I feel like this concept might be met with responses that are different from my own. e.g. "Don't give out the secret list!"

And, anyway, the list is in the NETLOGON share so anyone can read it if they know where to look. My point is about whether to make the availability obvious or not.

Improve this question

2 Answers 2

Reset to default
3

The biggest risk that comes to mind immediately is that this makes a dictionary attack somewhat easier - rather than try every conceivable combination, a bad guy has certain words that they know not to try. In theory, this would speed up that kind of attack.

That said, it's still a pretty large solution set so we're not talking about a huge time savings. And if it's on your network, they'd need to already be inside to get the list.

On the flip side, this eliminates the passwords found here, making guessing known weak passwords useless. Plus, you make available the list of unallowed passwords, reducing user frustration (provided they remember to find it...) Maybe some of the other folks here will disagree, but I say go ahead and make it available. It's still a large universe of potential passwords, the passwords in use will be stronger, and your users have the ability to find the list of banned words.

Improve this answer
1

It’s more beneficial to post it and exclude these from possible passwords. If the forbidden ones are options, hackers will always try those first. If they are not options, they have to guess where to start. Post the list.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.