Anonymous_User Absent Member.

Question about word lists


This may be a dumb question, but I didn't see it addressed in the
documentation. I want to upload my own list of disallowed passwords to
SSPR. Will this add to the built-in word list, or will it replace it?


Thanks

0 Likes
8 Replies
Knowledge Partner

Re: Question about word lists

I THOUGHT it replaced it, but maybe I've been extracting the old word
list, adding my own file with words in it, and then putting it back for no
reason.

It should be easy to test at least. Open an existing wordlist, upload a
tiny wordlist of your own, and see if the old wordlist's words are accepted
(assuming other complexity requirements are met).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
Anonymous_User Absent Member.

Re: Question about word lists

On 10/26/2017 14:34, ab wrote:
> I THOUGHT it replaced it, but maybe I've been extracting the old word
> list, adding my own file with words in it, and then putting it back for no
> reason.
>
> It should be easy to test at least. Open an existing wordlist, upload a
> tiny wordlist of your own, and see if the old wordlist's words are accepted
> (assuming other complexity requirements are met).
>


I may have answered my own question. When I click on "LocalDB", it says
that one of the things stored in the LocalDB is the *custom* wordlist
(emphasis mine). So it seems to suggest that the custom wordlist
augments the built-in one.

I'd like to be sure, but I'm having trouble getting my custom wordlist
to upload. I've experimented with different URL formats.

file:///C:/TEMP/wordlist.zip gives "file not found"

file://C:/TEMP/wordlist.zip gives "Unknown host exception"

file:///C:\TEMP\wordlist.zip gives "malformed URL exception"

What's the magic combination?




0 Likes
Anonymous_User Absent Member.

Re: Question about word lists

And one more thing. When I attempt to set a password that incorporates
a word that's in the forbidden list, the error message is "New password
has an invalid character." To prevent confusion, this should really
read "New password has a disallowed character or string." Who's with me
on this?





0 Likes
Knowledge Partner

Re: Question about word lists

On 10/26/2017 4:18 PM, Doug wrote:
> On 10/26/2017 14:34, ab wrote:
>> I THOUGHT it replaced it, but maybe I've been extracting the old word
>> list, adding my own file with words in it, and then putting it back
>> for no
>> reason.
>>
>> It should be easy to test at least.  Open an existing wordlist, upload a
>> tiny wordlist of your own, and see if the old wordlist's words are
>> accepted
>> (assuming other complexity requirements are met).
>>

>
> I may have answered my own question.  When I click on "LocalDB", it says
> that one of the things stored in the LocalDB is the *custom* wordlist
> (emphasis mine).  So it seems to suggest that the custom wordlist
> augments the built-in one.
>
> I'd like to be sure, but I'm having trouble getting my custom wordlist
> to upload. I've experimented with different URL formats.
>
> file:///C:/TEMP/wordlist.zip gives "file not found"
>
> file://C:/TEMP/wordlist.zip gives "Unknown host exception"
>
> file:///C:\TEMP\wordlist.zip gives "malformed URL exception"
>
> What's the magic combination?
>


I would do file:///c/temp so it is three slashes and ditch the colon.
(Though keep the internal one, useful in life).

0 Likes
Anonymous_User Absent Member.

Re: Question about word lists

Geoffrey Carman,

>>
>> file:///C:/TEMP/wordlist.zip gives "file not found"
>>
>> file://C:/TEMP/wordlist.zip gives "Unknown host exception"
>>
>> file:///C:\TEMP\wordlist.zip gives "malformed URL exception"
>>
>> What's the magic combination?
>>

>
> I would do file:///c/temp  so it is three slashes and ditch the colon.
> (Though keep the internal one, useful in life).
>


<grin> Thanks, Geoffrey. Based on my testing, the wordlist (whether
custom or built-in) has little or no value when AD 2008 complexity is
enforced. I've opted to use the "disallowed regex matches" approach
instead. I may disable the wordlist altogether, since it can only slow
things down.

Thanks again to you and Aaron



0 Likes
Anonymous_User Absent Member.

Re: Question about word lists


> Based on my testing, the wordlist (whether
> custom or built-in) has little or no value when AD 2008 complexity is
> enforced.


People from our security team are asking me to verify my findings that
the wordlist is essentially useless when AD 2008 complexity is also
enforced, since it does not prevent a password from *containing* a word
in the list, it merely prevents a password from *being* a word in the
list. Is this intended behavior?

Personally, I think it's overkill to demand AD 2008 complexity *and* a list
of 850,000 words that cannot be used, but I told them I would check.

Thanks
0 Likes
Anonymous_User Absent Member.

Re: Question about word lists

Anybody? Bueller?

0 Likes
Micro Focus Contributor

Re: Question about word lists

Doug;2469353 wrote:

>> Based on my testing, the wordlist (whether
>> custom or built-in) has little or no value when AD 2008 complexity is
>> enforced.
>
> People from our security team are asking me to verify my findings that
> the wordlist is essentially useless when AD 2008 complexity is also
> enforced, since it does not prevent a password from *containing* a word
> in the list, it merely prevents a password from *being* a word in the
> list. Is this intended behavior?
>
> Personally, I think it's overkill to demand AD 2008 complexity *and* a list
> of 850,000 words that cannot be used, but I told them I would check.
>
> Thanks


Here are some notes about the wordlist that may help you.

1) Only one wordlist source is active at a time, either the built-in one, the configured url, or the one you upload.

2) Wordlist checking and AD complexity aren't related and either or both can be enabled.

3) Wordlist checking is a match, not a contains, although you can modify this behavior with the setting 'Settings ⇨ Word Lists ⇨ Word List Word Size Check'.

Hope this helps.
0 Likes
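
The difference between "match" and "contains" checking discussed in this thread, as an added example that is not part of the original posts and is not SSPR's code. It assumes a simplified AD-style complexity rule (3 of 4 character classes), case-insensitive comparison, and a hypothetical `min_size` parameter standing in for a minimum fragment length; the wordlist and passwords are constructed samples.

```python
import string

# Constructed sample wordlist; a real list would have hundreds of thousands of entries.
WORDLIST = {"password", "welcome", "summer"}

def complexity_ok(pw: str) -> bool:
    """Simplified AD-style rule (assumption): characters from at least 3 of 4 classes."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes) >= 3

def exact_hit(pw: str, words=WORDLIST) -> bool:
    """'Match' semantics: rejected only if the whole password is a listed word."""
    return pw.lower() in words

def contains_hit(pw: str, words=WORDLIST, min_size: int = 6) -> bool:
    """'Contains' semantics: rejected if any fragment of min_size+ chars is listed.
    min_size is a hypothetical parameter, not a documented SSPR value."""
    p = pw.lower()
    return any(
        p[i:j] in words
        for i in range(len(p))
        for j in range(i + min_size, len(p) + 1)
    )

def evaluate(pw: str) -> dict:
    """Run all three checks so the two wordlist modes can be compared side by side."""
    return {
        "complexity_ok": complexity_ok(pw),
        "exact_rejects": exact_hit(pw),
        "contains_rejects": contains_hit(pw),
    }

if __name__ == "__main__":
    for pw in ["password", "Password1!", "Summer2017!", "Tr4il-mix-Gr8"]:
        print(f"{pw:15} {evaluate(pw)}")
```

Because every entry in a lowercase-only wordlist fails the complexity rule by itself, an exact-match check never rejects a password that complexity would accept; only the contains-style check catches `Password1!` and `Summer2017!`.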