How-To: Disallowing specific passwords - Password Blacklist

Introduction

This guide shows how to block specific passwords on UCS by combining the password policy's quality check with a custom word list. The quality check runs every new password against the cracklib dictionary, so any word or string you add to that dictionary can no longer be chosen as a password, regardless of whether it meets the length and history requirements.

Creating a Password Policy

1. Open the “Domain” folder in UMC and navigate to the “Policies” module.
2. Click “Add” above the policy list.
3. In the “Add New Policy” window, select the type “Policy: Password.” The container should already be pre-selected.
4. Give the new policy a name of your choice and configure password length, expiration interval, and history length as needed.
5. Important: Check the box for “Password Quality Check” and save the policy.
6. The policy is now created and needs to be attached to the objects it should apply to:
6.1. For individual users, open the UMC module “Users”, select the user, go to “Policies” → “Policy: Password”, choose your policy under “Policy Configuration” and save.
6.2. To attach the policy to an OU, open the UMC module “LDAP Directory”, right-click the OU in the LDAP tree, choose “Edit” → “Policies” → “Policy: Password”, choose your policy under “Policy Configuration” and save.
7. Restart the Policy service to apply the changes:

systemctl restart univention-directory-policy

Creating a Blacklist

1. Switch to the “/usr/share/dict” directory in the terminal.
2. Create a file with a name of your choice, e.g., “blacklist.”
3. Enter each word or string you want to exclude during password changes into this file (one word/string per line).
4. Execute the following command to apply the changes:

/usr/sbin/update-cracklib -a -r /etc/cracklib/cracklib.conf
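The blacklist file is only as good as its contents, and users routinely get around a bare company name with a year or an exclamation mark bolted on. The following script is an added example, not part of the original post and not Univention code: it builds a normalised blacklist (lowercase, no carriage returns, no blank lines, no duplicates) from a set of base terms plus the suffix variants people typically use, and, where the cracklib-runtime tool cracklib-check is installed, verifies candidate passwords against the live dictionary. The base terms, the suffix list and the output path are hypothetical; on UCS the file belongs in /usr/share/dict and the update-cracklib command above must be run afterwards for the new entries to take effect.

```shell
#!/bin/sh
# Added example (not from the original post or from Univention): generate a
# cracklib blacklist from organisation-specific base terms with common suffix
# variants, then optionally verify with cracklib-check.
# Assumptions: base terms, suffixes and output path are hypothetical; on UCS,
# write the result to /usr/share/dict/<name> and run update-cracklib afterwards.

# Constructed sample input: terms the organisation does not want in any password.
BASE_TERMS="examplecorp
univention
Summer2024
Welcome"

# Print one term and its common variants to stdout, one per line, normalised to
# lowercase with carriage returns stripped (cracklib lowercases entries anyway,
# but a clean file is easier to review). Empty input lines produce nothing.
expand_term() {
    term=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '\r')
    [ -n "$term" ] || return 0
    printf '%s\n' "$term"
    for suffix in 1 123 2024 2025 '!' '!1'; do
        printf '%s%s\n' "$term" "$suffix"
    done
}

# Build the blacklist file from terms on stdin: expand, sort, deduplicate.
build_blacklist() {
    out=$1
    while IFS= read -r line || [ -n "$line" ]; do
        expand_term "$line"
    done | sort -u > "$out"
}

# Number of entries in a blacklist file, for a quick sanity check.
blacklist_size() {
    wc -l < "$1" | tr -d ' '
}

# Verify candidates against the installed cracklib dictionary, if cracklib-check
# (package cracklib-runtime) is available. It reads passwords from stdin and
# prints "<password>: OK" or the reason for rejection. Returns 2 when the tool
# is missing so callers can tell "skipped" from "checked".
check_with_cracklib() {
    if command -v cracklib-check >/dev/null 2>&1; then
        printf '%s\n' "$@" | cracklib-check
    else
        echo "cracklib-check not installed; skipping live check" >&2
        return 2
    fi
}

# Stand-alone run: write the blacklist to the given path (or a temp file).
OUT=${1:-$(mktemp)}
printf '%s\n' "$BASE_TERMS" | build_blacklist "$OUT"
echo "wrote $(blacklist_size "$OUT") entries to $OUT"
check_with_cracklib examplecorp Univention2024 'x9!Qv7#mL2p' || true
```

After copying the generated file into /usr/share/dict and running update-cracklib, the live check should report the base terms and their variants as dictionary-based while still accepting a genuinely random password; if it does not, the dictionary was not rebuilt or the policy's quality check is not enabled.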

Checking the Blacklist

After completing these steps, when a user covered by the policy attempts to change their password, the change is rejected with the following error message if the new password is found in the “blacklist” file. To test the dictionary without touching a real account, pipe candidate passwords into cracklib-check (package cracklib-runtime), which prints “<password>: OK” or the reason for rejection.

Error: Password change
Password change failed. The password is based on a dictionary entry.
