Passwords: The Never-Ending Battle Between Usability and Security
In the ongoing struggle to balance user convenience with robust security, passwords remain a contentious issue. While measures to enhance authentication often introduce complexity, users tend to gravitate towards familiar patterns, compromising the unpredictability of their credentials.
This behavioral pattern has not gone unnoticed by attackers, who exploit it to their advantage. Instead of relying on AI or complex guessing algorithms, many credential attacks begin with a simpler approach: harvesting context-specific language and converting it into highly targeted password guesses.
But here's where it gets controversial...
Tools like CeWL (the Custom Word List generator) streamline this process, making it efficient and repeatable without adding technical complexity. This significantly boosts success rates while reducing noise and detection risks.
NIST SP 800-63B explicitly advises against using context-specific words in passwords, including service names, usernames, and related derivatives. However, implementing this guidance requires an understanding of how attackers assemble and operationalize these wordlists in real-world attacks.
This distinction is crucial because many defensive strategies still assume that password guessing relies on broad, generic datasets. In reality, attackers are employing more sophisticated methods, targeting specific contexts to increase their chances of success.
So, where do these targeted wordlists come from?
CeWL, an open-source web crawler, extracts words from websites and compiles them into structured lists. It's included in popular penetration testing distributions like Kali Linux and Parrot OS, making it accessible to both attackers and defenders.
Attackers use CeWL to crawl an organization's public-facing digital presence, collecting terminology that reflects its external communication. This includes company service descriptions, internal phrasing in documentation, and industry-specific language not found in generic password dictionaries.
The effectiveness of this approach lies in its relevance. The resulting wordlists mirror the vocabulary users encounter daily, making them more likely to influence password construction.
From public content to password guesses...
CeWL can be configured to control crawl depth and minimum word length, allowing attackers to exclude low-value results. The output forms realistic password candidates through predictable transformations.
For instance, in a healthcare organization like a hospital, public-facing content may expose terms like the organization's name, its location, or the services and treatments it offers. These terms are rarely used as passwords in isolation but serve as a foundational candidate set that attackers systematically modify using common patterns, such as numeric suffixes, capitalization, or appended symbols, to generate plausible password guesses.
Once attackers obtain password hashes, often through third-party breaches or infostealer infections, tools like Hashcat apply these mutation rules at scale, generating and testing millions of targeted candidates against compromised data.
The same wordlists can also be used against live authentication services, where attackers may employ throttling, timing, or low-and-slow guessing techniques to reduce detection or account lockout risks.
Why password complexity rules fall short...
A key challenge is that many passwords generated using this method satisfy standard complexity requirements. Specops analysis of over six billion compromised passwords suggests that organizations struggle with this distinction, even with awareness and training programs in place.
When passwords are constructed from familiar organizational language, adding length or character variety does little to offset the reduced uncertainty introduced by highly contextual base terms. A password like HospitalName123! illustrates this problem. While it meets default Active Directory complexity requirements, it remains a weak choice within a healthcare context.
CeWL-derived wordlists can easily identify organization names and abbreviations from public-facing content, allowing attackers to systematically modify them into plausible password variants with minimal effort.
Defending against targeted wordlist attacks...
To reduce exposure to wordlist-based attacks, controls must focus on password construction rather than complexity alone.
Block context-derived and known-compromised passwords:
Prevent users from creating passwords based on organization-specific language, such as company and product names, internal project terms, industry vocabulary, and common attacker substitutions. Also, block credentials that have already appeared in data breaches.
Specops Password Policy can enforce custom exclusion dictionaries and continuously scan Active Directory against over 5.4 billion known-compromised passwords, disrupting CeWL-style wordlist attacks and reducing the reuse of exposed credentials.
Enforce minimum length and complexity:
Require at least 15-character passphrases, as length and unpredictability offer the best protection against brute-force techniques. Passphrases are an effective way to encourage users to create strong, long passwords.
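As an added example (not code from the original article or from any Specops product), the following Python implements the construction-focused checks described above: it reduces a candidate password to its base word by undoing the common attacker mutations (numeric suffixes, appended symbols, leet substitutions), compares that base word against an organization-specific exclusion dictionary, checks the password against a known-compromised set, and enforces the 15-character minimum. The organization terms and the breached-password set are constructed sample data, stand-ins for what a crawl of a hospital's public site and a breach corpus would supply.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample data (hypothetical, not from the article): terms a crawl of a
# hospital's public site would surface, and a tiny stand-in for a breach list.
ORG_TERMS = ["hospitalname", "hospital", "cardiology", "springfield", "mercycare"]
BREACHED = {"Password123!", "Welcome2024!", "Summer2023"}
MIN_LENGTH = 15  # the article's recommended minimum passphrase length

# Reverse the substitutions attackers apply to base words (H0sp1t@l -> hospital).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: lowercase, strip leading/trailing
    digits and symbols (e.g. the '123!' suffix), then undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    return base.translate(LEET_MAP)


def contains_org_term(password: str, terms: Iterable[str] = ORG_TERMS) -> Optional[str]:
    """Return the longest organization term embedded in the password's base word."""
    base = normalize(password)
    for term in sorted(terms, key=len, reverse=True):
        if term in base:
            return term
    return None


def evaluate(password: str, terms: Iterable[str] = ORG_TERMS,
             breached: set = BREACHED) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    term = contains_org_term(password, terms)
    if term:
        problems.append(f"contains organization term '{term}'")
    if password in breached:
        problems.append("appears in known-compromised list")
    return problems


if __name__ == "__main__":
    for candidate in ["HospitalName123!", "H0sp1t@l2024", "Welcome2024!",
                      "correct horse battery staple"]:
        print(candidate, "->", evaluate(candidate) or "accepted")
```

Note that HospitalName123! passes the length check and a default complexity rule yet is still rejected, because the check is made on the normalized base word rather than on the character classes present.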
Enable multi-factor authentication (MFA):
If you haven't already, implementing MFA is a crucial step. Consider a simple yet effective solution like Specops Secure Access, which can protect Windows Logon, VPNs, and RDP connections.
While MFA doesn't prevent password compromise, it significantly limits the impact by preventing passwords from being used as a standalone authentication factor.
Align password policy with real-world attacks:
Treat passwords as an active security control rather than a static compliance requirement. Enforcing policies that prevent context-derived, previously exposed, or easily inferred passwords reduces the value attackers gain from targeted wordlists. MFA provides an essential second line of defense when credentials are compromised.
Together, these controls form a more resilient authentication strategy that reflects the reality of password attacks.
Speak with Specops experts to learn how their solutions can enhance password security without adding unnecessary complexity for users.