The dictionary rule is one of the most powerful features of Netwrix Password Policy Enforcer. It checks password fragments against Netwrix’ own curated dictionary of over 267,000 known bad password patterns. This means passwords like Summer2025, Summ3r2025, and 5ummer2025! will be blocked. These are widely used password patterns, and bad actors know they are in use.
Netwrix’ built-in dictionary will catch most of these bad patterns, but it is also important to be able to add your own company name, key people’s names, product names, project names and any other terms unique to your organization. For ease of management, you can create your own dictionary as well. However, depending on the length of your terms and the tolerance you set, the matches may be few, so you need to add all possible fragments to the dictionary to get matches.
For example, if I want to block passwords similar to these:
Netwrix
Netwrix2025
Netwrix123
Netwrix123!
N3twr1x2025!
n3tWr!x1234
…adding NETWRIX to the secondary dictionary will be sufficient as it will match all the partial hits. Even patterns like this:
Net123!wrix
Net2025wr!x
n3t2025wrix!
… will get blocked.
However, if you have patterns like this:
Netwri
Netrix2025
Nwrix123
Nerix123!
N3twr2025!
n3tr!x1234
…they will not be blocked, because the full blocked term matches none of the password fragments within the threshold.
Therefore, to block all these variations, you need to add the fragments of the blocked term to the dictionary. So your dictionary would look like this:
NETW
NETWR
NETWRI
NETWRIX
ETWR
ETWRI
ETWRIX
TWRI
TWRIX
WRIX
Doing this is easy, and here’s a PowerShell script to help:
    param(
        [string]$FilePath
    )

    # Returns every substring of 4 or more characters of each word, upper-cased and de-duplicated
    function Generate-WordFragments {
        param(
            [string[]]$Words
        )
        $fragments = @()
        foreach ($word in $Words) {
            $length = $word.Length
            # $i is the start index of the fragment, $j the index just past its end
            for ($i = 0; $i -lt $length; $i++) {
                # Starting $j at $i + 4 means no fragment shorter than 4 characters is produced
                for ($j = $i + 4; $j -le $length; $j++) {
                    $fragment = $word.Substring($i, $j - $i).ToUpper()
                    if (-not $fragments.Contains($fragment)) {
                        $fragments += $fragment
                    }
                }
            }
        }
        return $fragments
    }

    # Check if the file path was provided and exists
    if (-Not $FilePath) {
        Write-Error "Please provide a file path as a parameter."
        exit 1
    }
    if (-Not (Test-Path $FilePath)) {
        Write-Error "The file path does not exist. Please provide a valid file path."
        exit 1
    }

    # Read words from the text file (one term per line)
    $words = Get-Content -Path $FilePath

    # Get the fragments
    $fragments = Generate-WordFragments -Words $words

    # Construct the output file path: <name>_new<extension> in the same folder as the input
    $originalDirectory = Split-Path -Path $FilePath -Parent
    $originalFileName = [System.IO.Path]::GetFileNameWithoutExtension($FilePath)
    $originalExtension = [System.IO.Path]::GetExtension($FilePath)
    $newFileName = "${originalFileName}_new${originalExtension}"
    $newFilePath = Join-Path -Path $originalDirectory -ChildPath $newFileName

    # Write fragments to the new file
    $fragments | Out-File -FilePath $newFilePath
    Write-Output "Fragments have been written to $newFilePath"
To use this script, save it as a ps1 file, and call it with the following syntax:
    .\GenerateDictionary.ps1 -FilePath "C:\path\to\your\file.txt"
It will output the new file as ‘file_new.txt’ and you can use that as the dictionary.
Then you can use this dictionary to block the term you want and all the fragments of that term if necessary.
This may or may not be necessary depending on your needs and how intolerant you want to be. Sometimes it’s better to allow some variations so as not to frustrate users.
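The following is an added example, not part of the original article and not Netwrix code: a variant of the fragment generator that reports how many fragments each term contributed and flags terms shorter than the four-character minimum, which the script above drops without any message. It also splits multi-word entries so no fragment spans a space or hyphen. The function name Get-DictionaryFragments, its parameters and the sample terms are assumptions made for illustration.

```powershell
# Added example (hypothetical helper, not part of Password Policy Enforcer).
# MinLength = 4 mirrors the shortest fragment the article's script emits.
function Get-DictionaryFragments {
    param(
        [Parameter(Mandatory)][string[]]$Terms,
        [int]$MinLength = 4
    )
    # HashSet de-duplicates fragments shared between terms.
    $seen = [System.Collections.Generic.HashSet[string]]::new()

    $report = foreach ($raw in $Terms) {
        # Split on anything that is not a letter or digit, so "Project Falcon"
        # becomes PROJECT and FALCON rather than yielding fragments like "ECT F".
        $parts = $raw.ToUpperInvariant() -split '[^\p{L}\p{Nd}]+' | Where-Object { $_ }
        foreach ($term in $parts) {
            $added = 0
            for ($i = 0; $i -le $term.Length - $MinLength; $i++) {
                for ($len = $MinLength; $i + $len -le $term.Length; $len++) {
                    # Add() returns $true only for a fragment not seen before.
                    if ($seen.Add($term.Substring($i, $len))) { $added++ }
                }
            }
            [pscustomobject]@{
                Term         = $term
                NewFragments = $added
                # Terms below MinLength produce no fragments at all; surface them
                # so the administrator can decide whether to add them by hand.
                Skipped      = ($term.Length -lt $MinLength)
            }
        }
    }

    [pscustomobject]@{
        Fragments = @($seen | Sort-Object)
        Report    = @($report)
    }
}

# Constructed sample input (not taken from a real environment).
$result = Get-DictionaryFragments -Terms 'Netwrix', 'Project Falcon', 'PPE'
$result.Report | Format-Table -AutoSize
"Total dictionary entries: $($result.Fragments.Count)"
```

Review the Skipped rows before adding short terms by hand: a three-character dictionary entry matches far more passwords than a longer one, which bears on the tolerance trade-off mentioned above.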