A password blocklist is a rejected list of common, leaked, or easily guessed passwords that users are prevented from choosing. In practice, it is a direct control against predictable credential selection and is more effective than forcing arbitrary character patterns that do not change guessability.
Expanded Definition
A password blocklist is a rejection list of passwords that are too common, too exposed, or too easy to guess, preventing their use at account creation or reset time. In identity programs, it is a targeted defence against predictable credential selection, not a broad password-policy substitute.
Its value is strongest when paired with breach intelligence and risk-based authentication, because the goal is to stop credentials that attackers already try first. Guidance across vendors is broadly aligned on the concept, but implementation details vary: some products compare against curated dictionaries, others against known-compromised password datasets, and some combine both with strength scoring. For a standards-oriented view of identity controls, organisations often map this practice to NIST Cybersecurity Framework 2.0 identity and access outcomes, while recognising that no single standard governs blocklist content yet.
For NHI security teams, the adjacent risk is credential reuse across humans and machines, because a blocked human password does not address exposed API keys, service account secrets, or automation credentials. The most common misapplication is treating a blocklist as a complete password policy, which occurs when organisations still allow weak but novel passwords that are merely hard to match against a limited dictionary.
Examples and Use Cases
Implementing a password blocklist rigorously often introduces user-friction at onboarding and reset time, requiring organisations to weigh stronger resistance to guessing against a modest increase in help desk and retry overhead.
- Blocking passwords that appear in known breach corpora during self-service account creation.
- Rejecting obvious variants such as seasons, company names, and keyboard patterns that attackers routinely guess.
- Using blocklists alongside MFA in workforce directories to reduce the value of a stolen password alone.
- Applying similar rejection logic to admin portals where privileged accounts face higher guessing pressure.
- Extending the same mindset to NHI governance by using the Ultimate Guide to NHIs to frame why predictable credentials and long-lived secrets both expand attack paths.
These examples align with the broader identity guidance in NIST Cybersecurity Framework 2.0, but the exact enforcement threshold still varies across platforms and policy engines.
Why It Matters in NHI Security
In NHI environments, password blocklists matter because predictable human credential habits often mirror broader weak-secret behaviour in automation stacks. When teams accept weak passwords, they usually tolerate weak secret hygiene elsewhere, including shared tokens, checked-in credentials, and reused service account passwords. That pattern increases the likelihood that one compromise can pivot into systems that were assumed to be non-interactive or isolated.
NHIMG research shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, underscoring how often weak credential discipline becomes a business problem rather than a theoretical one. The Ultimate Guide to NHIs also reports that 96% of organisations store secrets outside secrets managers in vulnerable locations, which means weak selection and weak storage often coexist.
A strong blocklist is therefore a governance signal, not just a login feature. It helps demonstrate that an organisation can exclude known-bad credentials before they become footholds. Organisations typically encounter the need for this control only after a password reuse incident, at which point blocklist enforcement becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Password screening supports identity proofing and authentic credential use. |
| NIST SP 800-63 | 5.1.1.2 | The digital identity guidance addresses memorized secret verifiers and weak-password blocking. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Weak secret selection and reuse are core NHI exposure patterns. |
| OWASP Agentic AI Top 10 | AA-03 | Agent access often depends on secrets that should not be guessable or reused. |
| NIST Zero Trust (SP 800-207) | SC-1 | Zero trust depends on strong, non-predictable authentication inputs. |
Treat password blocklists as one control that reduces trust in weak credentials.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org