Overview
I often say that Netwrix Password Policy Enforcer’s Dictionary rule is the product’s superpower. In fact, it blocks the majority of bad passwords. The breached password check is a popular feature and great for warding against credential stuffing attacks but only blocks a small percentage of truly bad passwords (already known breached - not necessarily bad).
What I’m talking about here are passwords like:
Netwrix2025!
An1x!s123
Summ3r2025!
…which satisfy all standard complexity rules, are not yet in any breach list, and are generally accepted by password policies. They are also easily guessed.
HOWEVER, end-user friction is a real problem, and with such a strict dictionary it can be hard for users to find passwords that are both acceptable to the policy and strong. Netwrix, of course, recommends that you push users toward passphrases (16+ characters) instead of short complex passwords, or that you relax the rules above that length.
Two alternatives are to use the tolerance feature on the Dictionary rule to allow certain words, or to build your own custom dictionary instead of using only the Netwrix one.
This can be a daunting task, so I’ve built a small application to help with it. This application is not associated with Netwrix (it’s my own creation), so it comes with no warranties or guarantees of any manner. USE AT OWN RISK.
It might help you build a dictionary that works better for your organization.
Description
The application can be found here: GitHub - rpiddocke/DictionaryBuilder: Builds Dictionary files for Netwrix Password Policy Enforcer
And the latest downloadable exe can be found here: Releases · rpiddocke/DictionaryBuilder · GitHub
The tool does a few simple things:
- Provides a list of files that contain lists of words you can use to build a dictionary file to your liking.
- Combines those lists into a dictionary file Netwrix PPE can use.
- Builds your own custom dictionary with all the term fragments based on the terms you put into it. This saves you from using the PowerShell I posted in my previous post on Dictionaries.
It looks like this:
- It has a bunch of default wordlists in it (curated by AI) and the Oxford Dictionary (source: GitHub - dwyl/english-words: 📝 A text file containing 479k English words for all your dictionary/word-based projects e.g: auto-completion / autosuggestion)
- You can select the word lists you want to use to generate a dictionary (e.g. Months and common passwords) and generate a dictionary file PPE can use:
- You can also generate a word list based on your organization’s terms by clicking the Create Word List button and entering your terms into it. It will then add that list to the others and allow you to select it. You will still need to generate a dictionary.
This will generate a word list WITH term fragments to add intolerance to partial words. E.g. in this case, Netwr and Imana will also get blocked by this dictionary.
- Finally, it also has a delete button. If you want to remove a wordlist you built but don’t like you can select it and delete it. Careful, there is no return from this deletion.
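To make the fragment idea concrete, here is an added example (my own illustration, not code from DictionaryBuilder or from Netwrix) that expands a few organization terms into fragments and screens candidate passwords against the result. It assumes a fragment is any substring of at least five characters (`MIN_FRAGMENT`) and that entries are matched as case-insensitive substrings; the term list and candidate passwords are constructed sample data.

```python
# Added example: build a fragment-style dictionary from organization terms and
# screen passwords against it. Not the DictionaryBuilder tool's own code.
# Assumptions: fragments = every substring of a term with length >= MIN_FRAGMENT,
# one entry per line, matched case-insensitively as a substring of the password.
from typing import Iterable

MIN_FRAGMENT = 5  # assumed minimum fragment length; tune for your organisation


def term_fragments(term: str, min_len: int = MIN_FRAGMENT) -> set[str]:
    """Return the lower-cased term plus every substring of length >= min_len."""
    t = term.strip().lower()
    frags = {t} if t else set()
    for start in range(len(t)):
        for end in range(start + min_len, len(t) + 1):
            frags.add(t[start:end])
    return frags


def build_dictionary(terms: Iterable[str], min_len: int = MIN_FRAGMENT) -> list[str]:
    """Merge the fragments of all terms into a sorted, de-duplicated word list."""
    words: set[str] = set()
    for term in terms:
        words |= term_fragments(term, min_len)
    return sorted(words)


def dictionary_hits(password: str, dictionary: Iterable[str]) -> list[str]:
    """Dictionary entries that occur inside the password (case-insensitive)."""
    p = password.lower()
    return sorted(w for w in dictionary if w in p)


# Constructed sample: terms as they might be typed into "Create Word List".
ORG_TERMS = ["Netwrix", "Imanami"]
ORG_DICTIONARY = build_dictionary(ORG_TERMS)

if __name__ == "__main__":
    # One entry per line is the shape a word-list file would take.
    print("\n".join(ORG_DICTIONARY))
    for candidate in ["Netwr1x2025!", "Imana!Summer9", "correct-horse-battery"]:
        hits = dictionary_hits(candidate, ORG_DICTIONARY)
        verdict = "blocked" if hits else "allowed"
        print(f"{candidate:24} {verdict:8} {hits}")
```

Note that "Netwr1x2025!" is caught by the fragment "netwr" even though the full term never appears, which is exactly the partial-word intolerance described above.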
Conclusion
After you’ve built your dictionary file, move it to your DCs and set the path in PPE for the Dictionary Rule. Test out your new policy with some passwords, or bulk test against a password list.
Give it a try and tell me what you think.