Blog | G5 Cyber Security

Block Common Passwords

TL;DR

You can stop users from choosing weak or commonly used passwords by keeping a list of banned words and configuring the system to reject any candidate password that matches one during creation or reset. This guide shows how to do it on Linux with PAM: the pam_cracklib module (and its newer replacement, pam_pwquality) checks every new password against a dictionary, so banning words means building that list into the dictionary the module reads. General advice for other platforms follows.

How to Ban Passwords

  1. Understand the Problem: Weak passwords are a major security risk. Attackers rarely brute-force the whole keyspace; they try common passwords, dictionary words, names, dates and simple patterns first, so banning those removes the cheapest guesses.
  2. Linux Systems (pam_cracklib): Most Linux distributions use PAM (Pluggable Authentication Modules) to manage authentication. pam_cracklib checks a candidate password against length and character-class rules, the username, and the cracklib dictionary; anything that is a dictionary word, or a simple mangling of one, is rejected. There is no separate "banned words" option: banning a word means adding it to the dictionary the module reads. Newer distributions ship pam_pwquality instead, which takes the same options and adds a badwords list, and some recent releases no longer package pam_cracklib at all, so check which module is installed before editing:
    find -L /lib /usr/lib \( -name pam_cracklib.so -o -name pam_pwquality.so \) 2>/dev/null
  3. Edit the Configuration File: You need root access to edit the PAM configuration. On Debian and Ubuntu the password stack lives in /etc/pam.d/common-password; on Fedora, RHEL and derivatives it is /etc/pam.d/system-auth and /etc/pam.d/password-auth, which on RHEL 8+ are generated by authselect and should be changed through a custom authselect profile rather than by hand. Use a text editor such as nano or vim:
    sudo nano /etc/pam.d/common-password
  4. Set the cracklib Line: Find the line in the password stack that loads pam_pwquality.so or pam_cracklib.so and make it read as follows. Use one module, not both: two password-checking modules in sequence prompt twice and enforce two policies.
    password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username dictpath=/usr/local/share/cracklib/banned
    • retry=3: How many times passwd re-prompts for a new password before giving up.
    • minlen=8: Minimum length (adjust as needed). With the negative credits below no length bonus is granted, so this is a real character count.
    • dcredit=-1: Requires at least one digit.
    • ucredit=-1: Requires at least one uppercase letter.
    • lcredit=-1: Requires at least one lowercase letter.
    • ocredit=-1: Requires at least one special character.
    • reject_username: Rejects a password that contains the username, forwards or reversed. It is a flag; reject_username=yes is not the syntax.
    • dictpath=/usr/local/share/cracklib/banned: Base path (the path is an example) of the packed dictionary built in step 6; cracklib appends .pwd, .pwi and .hwm itself. This replaces the system dictionary for the module, so feed the system word list into the build as well if you want to keep the generic dictionary check. ban_words is not a pam_cracklib option: the module logs it as an unknown option and carries on, so nothing would be banned.
    If your system has pam_pwquality instead, the equivalent line is:
    password requisite pam_pwquality.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 usercheck=1 dictpath=/usr/local/share/cracklib/banned
    usercheck replaces reject_username, and a short banned list can go straight into /etc/security/pwquality.conf as a space-separated badwords = password qwerty admin line with no dictionary build at all.
  5. Create the Banned Passwords File: Create a plain-text word list. The path is an example; keep it out of /etc/pam.d, which holds PAM configuration, not data.
    sudo mkdir -p /usr/local/share/cracklib
    sudo nano /usr/local/share/cracklib/banned.txt
  6. Add Banned Words and Pack the Dictionary: One word per line, lower case. A literal "username" entry does nothing useful; reject_username already covers the real account name. Examples:
    password
    123456
    qwerty
    admin
    letmein
    Then pack the list into the format cracklib reads. cracklib-packer ships with the cracklib tools (the cracklib-runtime package on Debian/Ubuntu, cracklib on Fedora/RHEL); it reads words from standard input and expects byte-order sorted, unique entries:
    LC_ALL=C sort -u /usr/local/share/cracklib/banned.txt | sudo cracklib-packer /usr/local/share/cracklib/banned
    This writes banned.pwd, banned.pwi and banned.hwm next to the list. Check that a word is actually caught before touching PAM; the answer should not be qwerty: OK:
    echo 'qwerty' | cracklib-check /usr/local/share/cracklib/banned
  7. Save and Close Files: Save the PAM configuration file; the dictionary files from step 6 are already on disk.
  8. Test the Configuration: Log in as an ordinary (non-root) user, run passwd and try a banned word, then a compliant one. Root is exempt from these checks unless enforce_for_root is added to the module line, so a test run as root proves nothing.
    passwd
  9. Other Platforms (General Advice):
    • Active Directory / Microsoft Entra ID (formerly Azure AD): use the domain or tenant password policy. Entra Password Protection supports a custom banned-password list and can be extended to on-premises AD through an agent; on a standalone domain a custom password filter DLL is the traditional route.
    • Web Applications: validate on the server, not only in the browser, and check the candidate against a banned or breached-password list (NIST SP 800-63B recommends this) rather than relying on regular-expression complexity rules alone.
    • Databases: some databases have built-in password checks (MySQL's validate_password component, PostgreSQL's passwordcheck module, which can itself use cracklib); configure them appropriately.
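As an added example, not from the original post or from the cracklib project, the policy configured above (minlen=8, one character of each class, reject_username, a banned-word list) re-implemented as a shell function. It lets you exercise a banned list against sample passwords before packing it into PAM, and the same function can be dropped into a provisioning script or used as a reference when porting the rule set to a web application. The banned list, the account name and the candidate passwords below are constructed; the pack_dictionary helper wraps cracklib-packer and is only run if you call it on a system that has the tool installed.

```shell
#!/bin/sh
# Added example (not part of the original post or of pam_cracklib).
# Mirrors the module line's rules so a banned list can be tested before it
# is packed and loaded into PAM.
set -u

# Constructed sample banned list: one lower-case entry per line, as in step 6.
BANNED_FILE="$(mktemp)"
trap 'rm -f "$BANNED_FILE"' EXIT
cat >"$BANNED_FILE" <<'EOF'
password
123456
qwerty
admin
letmein
EOF

lower()   { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
reverse() { printf '%s\n' "$1" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'; }

# check_password USERNAME CANDIDATE BANNED_FILE [MINLEN]
# Prints the first failing rule (or OK) and returns 0 only when every rule passes.
check_password() {
    cp_user=$(lower "$1"); cp_pw=$2; cp_list=$3; cp_minlen=${4:-8}
    cp_low=$(lower "$cp_pw")

    # minlen=8 with negative credits is a plain character count.
    [ "${#cp_pw}" -ge "$cp_minlen" ] || { echo "too short (minlen=$cp_minlen)"; return 1; }

    # dcredit/ucredit/lcredit/ocredit=-1: at least one character of each class.
    case "$cp_pw" in *[[:digit:]]*) ;; *) echo "needs a digit"; return 1 ;; esac
    case "$cp_pw" in *[[:upper:]]*) ;; *) echo "needs an upper-case letter"; return 1 ;; esac
    case "$cp_pw" in *[[:lower:]]*) ;; *) echo "needs a lower-case letter"; return 1 ;; esac
    case "$cp_pw" in *[![:alnum:]]*) ;; *) echo "needs a special character"; return 1 ;; esac

    # reject_username: the account name must not appear, forwards or reversed.
    if [ -n "$cp_user" ]; then
        cp_rev=$(reverse "$cp_user")
        case "$cp_low" in *"$cp_user"*) echo "contains the username"; return 1 ;; esac
        case "$cp_low" in *"$cp_rev"*)  echo "contains the reversed username"; return 1 ;; esac
    fi

    # Dictionary check: reject when any banned word is a substring of the
    # lower-cased candidate. cracklib also catches simple manglings of a
    # word; this substring rule is the cheap, portable approximation.
    while IFS= read -r cp_word || [ -n "$cp_word" ]; do
        [ -n "$cp_word" ] || continue
        cp_word=$(lower "$cp_word")
        case "$cp_low" in *"$cp_word"*) echo "contains banned word '$cp_word'"; return 1 ;; esac
    done <"$cp_list"

    echo "OK"
    return 0
}

# pack_dictionary WORDLIST BASE: build BASE.pwd/.pwi/.hwm for dictpath=BASE.
# Requires cracklib-packer (cracklib tools) and write access to BASE's
# directory, so it is defined here but not invoked by the demo below.
pack_dictionary() {
    LC_ALL=C sort -u "$1" | cracklib-packer "$2"
}

# Demo: run a few constructed candidates for the constructed account "alice".
for candidate in 'password' 'Password1!' 'Alice-2024!' 'Tr0ub4dor&3'; do
    printf '%-14s -> ' "$candidate"
    check_password alice "$candidate" "$BANNED_FILE" || true
done
```

Run it as `sh check-passwords.sh` (any file name). The demo rejects `password` for lacking a digit, `Password1!` for containing a banned word, `Alice-2024!` for containing the username, and accepts `Tr0ub4dor&3`. Once the list behaves as intended, `pack_dictionary /usr/local/share/cracklib/banned.txt /usr/local/share/cracklib/banned` produces the files that the dictpath option in step 4 points at.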

Important Considerations
