Prevent users from using specific words in a password
Several built-in password policy rules are designed to prevent specific words from being used in passwords, such as:
The profile ID or names of the user
Selected words listed in a "dictionary"
About the dictionary
Bravura Security Fabric uses a flat text file, words.dat, to determine whether a new password fails the dictionary-based password policy rules. The file is located in the dictionary directory on the primary application server, and you can customize it to suit your needs. Alternatively, you can create a new dictionary file called custom.dat in the same dictionary directory. If custom.dat is present, Bravura Security Fabric uses it as the dictionary instead of words.dat. The main advantage of custom.dat is that it is retained across upgrades, whereas a customized words.dat is replaced by the default file.
The words.dat text file must be encoded as UTF-8.
Limitations of using the dictionary
The dictionary file is designed to contain a relatively small list of banned words (like the company name, or some swear words).
It is not designed to prevent users from choosing passwords that:
Were exposed in breaches; for that purpose, use the haveibeenpwned component or check against Azure's compromised passwords API
Are known to appear at the top of attackers' password wordlists and guessing heuristics
There are some limits to keep in mind when populating words.dat:
There is a minimum entry length: the product does not consider dictionary words of three characters or fewer, so such entries have no effect.
There is no fixed upper limit on the number of words in the file (other than the RAM and CPU available to the services that evaluate the password policy), but there is a soft limit of around 10 MB. When the file is larger than that, the pages that render password policies become slow, because by default they must generate and verify 10 random example passwords against the dictionary.
The impact on rendering speed can be mitigated by reducing the number of example passwords generated, but the better solution is to use the haveibeenpwned component or the Azure plugin for large data sets, and keep words.dat small, for the uses it was designed to cover.
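The constraints above (UTF-8 encoding, entries of three characters or fewer being ignored, the ~10 MB soft limit) are easy to violate silently when a dictionary is assembled by hand. The following Python script is an added example for this page, not code from the product: it lints a candidate words.dat or custom.dat and reports what the product would actually enforce, then writes a cleaned copy. It assumes one entry per line and does exact-match de-duplication only; it does not model the product's matching rule, which the page does not describe.

```python
"""Lint and normalize a Bravura Security Fabric banned-word dictionary.

Added example for this page, not code shipped with the product. It encodes
the constraints the page documents for words.dat / custom.dat:
  * the file must be UTF-8,
  * entries of three characters or fewer are ignored by the product,
  * the file has a soft size limit of about 10 MB.
Assumptions (not stated on the page): one entry per line, exact-match
de-duplication only. The product's matching rule is not modeled.
"""
from dataclasses import dataclass, field
from pathlib import Path

MIN_EFFECTIVE_LEN = 4               # entries shorter than this are never considered
SOFT_SIZE_LIMIT = 10 * 1024 * 1024  # ~10 MB; above this, policy pages render slowly


@dataclass
class LintResult:
    kept: list[str] = field(default_factory=list)       # entries the product will use
    too_short: list[str] = field(default_factory=list)  # silently ignored by the product
    duplicates: int = 0                                 # repeated entries (exact match)
    size_bytes: int = 0
    warnings: list[str] = field(default_factory=list)


def lint_dictionary(raw: bytes) -> LintResult:
    """Check raw file contents and return what the product would actually enforce."""
    result = LintResult(size_bytes=len(raw))
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        result.warnings.append(
            f"not valid UTF-8 at byte offset {exc.start}; the product requires UTF-8"
        )
        text = raw.decode("utf-8", errors="replace")  # keep going to report other issues

    seen: set[str] = set()
    for line in text.splitlines():
        word = line.strip()
        if not word:
            continue                        # blank line, nothing to ban
        if len(word) < MIN_EFFECTIVE_LEN:
            result.too_short.append(word)   # e.g. a 3-letter company abbreviation
            continue
        if word in seen:
            result.duplicates += 1
            continue
        seen.add(word)
        result.kept.append(word)

    if result.size_bytes > SOFT_SIZE_LIMIT:
        result.warnings.append(
            f"{result.size_bytes} bytes exceeds the ~10 MB soft limit; password policy "
            "pages will be slow (they verify 10 sample passwords by default). Use the "
            "haveibeenpwned component or Azure plugin for large lists instead."
        )
    return result


def serialize_dictionary(words: list[str]) -> bytes:
    """Render a cleaned dictionary as UTF-8, LF line endings, one entry per line."""
    return ("\n".join(words) + "\n").encode("utf-8")


def write_dictionary(words: list[str], path: Path) -> int:
    """Write the cleaned dictionary to disk; returns the number of bytes written."""
    data = serialize_dictionary(words)
    path.write_bytes(data)
    return len(data)


# Constructed sample: mixed case, short words, a blank line and a duplicate.
SAMPLE = b"ACME\nAcme\nacme\nthe\nfoo\nsecret\n\npassword\nACME\n"

if __name__ == "__main__":
    res = lint_dictionary(SAMPLE)
    print("kept:", res.kept)
    print("ignored (<= 3 chars):", res.too_short)
    print("duplicates:", res.duplicates, "warnings:", res.warnings)
    # Writes custom.dat to the current directory; copying it into the product's
    # dictionary directory is left to the administrator.
    print("wrote", write_dictionary(res.kept, Path("custom.dat")), "bytes")
```

Run it against the dictionary you intend to deploy before restarting the services: any entry listed under "ignored" is one the product will never match, and a size warning means the list belongs in a breached-password check rather than in words.dat.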
Like any other registry-based or file-based configuration, the dictionary is read at service startup to optimize operations. After changing the contents of the file, restart the services that evaluate password policy: the Ajax service (ajaxsvc) for the WebUI on any license, the Password Manager Service (idpm) for Bravura Pass, and the Privileged Access Manager Service (idarch) for Bravura Privilege when manual password overrides are used (Bravura Privilege's randomized passwords normally avoid the pitfalls of manually selected passwords).