One of the most successful forms of password breaches occurs when hackers simply guess commonly used passwords. And while organizations often invest in advanced security measures, they sometimes overlook this basic level of protection. 

Creating a custom dictionary can help prevent employees from using passwords that are likely to be guessed. Here’s what your business needs to know about what makes a good password dictionary and how an AI tool like ChatGPT can help you brainstorm potentially vulnerable passwords.

Why users choose weak passwords

A user doesn’t set out to select a weak password intentionally — they simply choose a password they can easily remember, often using company names, dates, or simple phrases.

Attackers take advantage of this by launching dictionary attacks, pairing automated tools with word lists to quickly test thousands of password variations.

What makes an effective password dictionary

A password dictionary blocks users from selecting known weak passwords. It contains:

• Standard weak terms like "admin123" or "welcome"
• Your organization's name and product names
• Terms specific to your industry
• Passwords exposed in data breaches
• Common variations of these words

Using AI to create your dictionary

Want some help creating your custom dictionary? Consider using ChatGPT or similar AI tools to speed up the process.

Here’s how to make it happen, including sample prompts:

Get known weak passwords

Ask the AI to list widely used password databases like HaveIBeenPwned and DeHashed. These databases show which passwords attackers already know and target.

Sample prompt: Can you please give me a list of databases that collect passwords that are known to be breached?

Add company-specific terms

The AI needs specific details about your organization to generate relevant password patterns. Here's how to structure your request:

Sample prompt: I want to create a custom dictionary to help prevent employees from using easily guessed passwords. Our company, ACME Corporation, is based in Dover, Delaware. Our main products are the ACME app, the ACME widget, and the ACME platform. Can you please create a list of weak passwords our employees may be using?

The AI will analyze different categories, including:

• Company name and variations, including common misspellings and abbreviations your employees might use. If your company is "Acme Business Solutions," include "ABS," "acmebiz," and similar variations.  
• Product names, including internal codenames and development versions that employees might know. Remember to include both current and discontinued products.
• Office locations, including street and city names, building names, and even local landmarks that employees might reference.
• Internal project names, both current and historical, as employees often use these in passwords because they're memorable and seem unique.
• Industry terms, including technical jargon, tools, and systems specific to your field. Include both full terms and common abbreviations.
• Internal acronyms used in company communications, project names, or department designations. These feel secure to users but are often predictable.

Generate password variations

After you've added company-specific terms, ask the AI to generate predictable variations users might create. Here's how to get comprehensive results:

Sample prompt: "Using these company terms [list your terms], please generate all common variations that meet basic password requirements. Include number patterns, special characters, capitalizations, and combinations."

The AI will generate variations like:

• Numbers at the end: The AI will show how users might add their birth year or department number. Example AI output: "marketing22, Marketing2024, MKTG2023!"
• Special character substitutions: The AI will replace letters with similar-looking symbols. Example AI output: "M@rket!ng, $ales_team, Hr_D3pt"
• Capital letter patterns: The AI will show common capitalization choices. Example AI output: "MarketingTeam, MKTG_dept, SalesHQ"
• Word combinations: The AI will combine terms in predictable ways. Example AI output: "MarketingSouth, TeamNY22, SalesPro"

Managing your password dictionary

Like other aspects of cybersecurity, managing your password dictionary isn’t a one-time event; it should be an ongoing process. Update your dictionary, adding new company terms whenever you launch products or start projects.

Check your logs for failed password attempts to identify patterns users are trying. And ensure you review your dictionary quarterly to remove outdated terms and add new variations.

Additional password protection

Password dictionaries can enhance your security but can’t single-handedly protect your organization. To reduce your organization’s vulnerabilities, use password dictionaries along with other security measures, including: 

• Real-time breach protection: Monitor for stolen passwords by continuously checking current passwords against new breach databases
• Multi-factor authentication: Require two-factor authentication for all accounts, especially those with administrative access
• Security awareness: Train users in password security, explaining why certain passwords get rejected

Integrating password security tools

For the greatest level of protection, consider using a tool that combines custom dictionaries with breach monitoring.

For example, Specops Password Policy allows you to easily create and import a customized list of banned passwords, then continuously checks your Active Directory against that list and an always-updated list of over four billion breached passwords.

By using a tool like Specops Password policy, your organization can automatically block compromised passwords, helping keep your people, your systems, and your data safe.

Get in touch and we can set you up with a free trial.

Sponsored and written by Specops.