Hey everyone, I'm looking for some advice regarding a situation at my workplace. We're working on implementing a banned password dictionary through Entra, but some of our C-level executives believe that this list should be openly accessible to all employees. They think that by doing this, it will prevent confusion over why certain passwords are rejected. Additionally, they've set a requirement that any changes to the list—whether adding or removing banned passwords—need to go through a committee.
I've expressed my concerns that this approach could lead to security issues, like users starting to question why specific passwords are banned or feeling unfairly targeted. We recently conducted a pentest that revealed some alarming weaknesses, and I worry that blindly following this committee approach could make things worse. Am I overreacting here? What are your recommendations on how to handle this situation?
5 Answers
In general, I think keeping banned words private helps maintain security. Making them public would invite more potential password guessers and could complicate enforcement of the policy.
You're spot on! Security protocols should be enforced without disclosing sensitive info.
Honestly, if they really want a list, just dump a massive document with a ton of banned words in it and let them deal with that! Might wake them up to how ridiculous this all is.
Publishing a banned password list could backfire dramatically. Think about the potential for HR disasters. Better to have a process where users get feedback without a long list in front of them. If they get a message saying their chosen password is banned, they should just accept that without needing to know the details.
Absolutely. Making that list available just opens the door for questions like, 'Why is this specific password banned?' It can cause more confusion rather than solving it.
Right? Users should understand that certain passwords are just off-limits without knowing why. It's simpler and keeps security tighter.
From my perspective, the implementation via Entra doesn't require a public list. It's designed to notify users if they use a bad password without needing a big public list. If they don’t understand how it works, that’s a bigger issue.
Exactly! The demand for a list shows a lack of understanding about password security protocols.
Totally agree. The functionality of Entra makes it pointless to share the list. They should educate themselves on the features instead.
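For anyone wondering what "notify users if they use a bad password" actually involves, here is an added example (my own code, not from this thread or from Microsoft) that reconstructs the documented Entra Password Protection evaluation rules: normalize, match banned terms, then score with 1 point per matched term and 1 point per other character, rejecting below 5 points. The substitution table is an illustrative subset, the banned lists are constructed stand-ins, and matching is substring-only (the real service also does edit-distance-1 fuzzy matching), so the admin can reason about a rejection without the tenant publishing its custom list.

```python
# Added example reconstructing Entra Password Protection's documented
# evaluation steps. Assumptions: substring matching only, a short
# substitution table, and constructed sample banned lists.
from typing import Iterable, List, Tuple

# Illustrative subset of the documented normalization substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-ins: the real global list is Microsoft-maintained.
GLOBAL_BANNED = ["password", "blank", "welcome"]
CUSTOM_BANNED = ["contoso"]
MIN_SCORE = 5  # documented threshold: fewer than 5 points is rejected


def normalize(password: str) -> str:
    """Lower-case and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def find_banned_terms(normalized: str, banned: Iterable[str]) -> List[str]:
    """Banned terms present as substrings, longest first, non-overlapping."""
    found: List[str] = []
    remaining = normalized
    for term in sorted(set(banned), key=len, reverse=True):
        while term in remaining:
            found.append(term)
            # Blank out the matched span so it cannot be scored twice.
            remaining = remaining.replace(term, "\0" * len(term), 1)
    return found


def score_password(password: str) -> Tuple[int, List[str]]:
    """1 point per matched banned term, 1 point per remaining character."""
    normalized = normalize(password)
    matched = find_banned_terms(normalized, GLOBAL_BANNED + CUSTOM_BANNED)
    leftover = len(normalized) - sum(len(t) for t in matched)
    return len(matched) + leftover, matched


def explain(password: str) -> str:
    """Helpdesk-side explanation of a result; names only the matched term."""
    points, matched = score_password(password)
    if points >= MIN_SCORE:
        return "accepted"
    return f"rejected: matched {matched}, {points}/{MIN_SCORE} points"


if __name__ == "__main__":
    for candidate in ("C0ntos0Blank12", "C0ntos0Blank123", "P@$$w0rd"):
        print(candidate, "->", explain(candidate))
```

The first two candidates are the pair from Microsoft's own documentation: "C0ntos0Blank12" scores 4 and is rejected, while adding one more character scores 5 and passes.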
I think making the banned password list public is a bad idea, especially without a solid password policy in place. Allowing a committee to decide on banned words feels risky too—if a password is being added, it suggests someone wants to use it, which compromises security.
Exactly! Password security is more about enforcing clear policies rather than having committee discussions. There's a lot more risk involved when you start a debate about what's acceptable.
I completely agree. If the higher-ups want to know about the lists, they should understand that it might expose them to more risks.
Couldn’t have said it better myself. Having a secretive approach actually protects users, and you wouldn’t want informed employees targeting those passwords.