How Many Passwords Should be in a Password Blacklist?

A password blacklist should contain all of the passwords that a hacker will use to gain access to a system, but how many is the right number? The answer should be as many as possible, but current advice is conflicting.

When the UK’s National Cyber Security Centre (NCSC) announced the findings of their recent survey, UK Cyber Survey, weak passwords were also cited as the most frequently used passwords. The governmental agency calls out password reuse as the problem, and recommends blacklisting common passwords and encouraging users to use three random words as passwords instead. Together with the survey and findings, the NCSC released a password blacklist consisting of 100,000 passwords for organizations to use in their own environments to prevent password spraying attacks.

Password Spraying

Password spraying is an attack method in which a small number of common passwords are tried against a large number of accounts. The attacker doesn’t need to know a matching username and password pair in advance, since across any large set of accounts the probability that at least one uses a common password is very high.
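The pattern described above is also what distinguishes spraying from ordinary brute force in authentication logs: one source fails against many distinct accounts with only one or two attempts each, rather than hammering a single account. The following Python is an added example of that detection logic (not code from the article, the NCSC or Specops). The log lines and their `timestamp source_ip user result` format are constructed for the example, and the thresholds (a 10-minute window, at least 5 distinct accounts, at most 2 failures per account) are assumptions a defender would tune to their own environment.

```python
"""Flag password-spraying patterns in authentication failure logs.

Added example, not from the article. Log lines and format are constructed;
thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip user result" (not real data).
# 203.0.113.7 tries five different accounts once each  -> spraying
# 198.51.100.2 tries one account six times             -> brute force, not spraying
# 192.0.2.9 is a normal successful login
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:03 203.0.113.7 bob FAIL
2024-05-01T09:00:05 203.0.113.7 carol FAIL
2024-05-01T09:00:07 203.0.113.7 dave FAIL
2024-05-01T09:00:09 203.0.113.7 erin FAIL
2024-05-01T09:00:11 203.0.113.7 frank SUCCESS
2024-05-01T09:01:00 198.51.100.2 alice FAIL
2024-05-01T09:01:05 198.51.100.2 alice FAIL
2024-05-01T09:01:10 198.51.100.2 alice FAIL
2024-05-01T09:01:15 198.51.100.2 alice FAIL
2024-05-01T09:01:20 198.51.100.2 alice FAIL
2024-05-01T09:01:25 198.51.100.2 alice FAIL
2024-05-01T10:30:00 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spraying(events, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted targeted accounts} for every source that,
    inside one `window`, failed against at least `min_accounts` distinct
    accounts while never exceeding `max_per_account` failures per account.
    The per-account cap is what separates spraying from single-account
    brute force.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans <= `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_account[user] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                findings[ip] = sorted(per_account)
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, accounts in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spraying from {ip}: {', '.join(accounts)}")
```

The source that fails six times against a single account is deliberately not reported here; that is a different signal (lockout or brute-force alerting) and conflating the two hides the low-and-slow nature of spraying, which is designed to stay under per-account lockout thresholds.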

The NCSC revealed that 75% of the participating organizations had passwords found in the top 1000 most common passwords, while 87% had passwords that featured in the top 10,000 passwords. It’s worth noting that the organizations that participated in the survey ran a PowerShell script to collect the password data from their Active Directory. This means that these common passwords are currently in use in corporate environments, not personal online accounts, which is often the case for reports of the most common passwords.

Password spraying attacks have become more advanced as attackers know that the basic corporate password policy will stop a password such as 12345678, while a password like Liverpool19 is accepted by most password policies. This means that attackers choose common passwords that still meet the requirements of most corporate password policies, i.e. more than eight characters, including uppercase and lowercase letters and numbers. Increasing the complexity of password requirements doesn’t guarantee the password will be harder to crack but does make it harder for a person to remember, as noted in the UK Cyber Survey.

Password Reuse and Password Leaks

How did we end up in this situation? The very simple reason is that password reuse is such a big part of our digital lives. Personal and corporate passwords are interchangeable as people try to cope with hundreds of accounts that require a username/password combination.

While password reuse in itself makes cybersecurity experts shake their heads and cringe, the real danger comes from the fact that attackers publish passwords from company, service and website breaches. Password reuse ensures that a LinkedIn password will open the backdoor to Dropbox while the NCSC survey confirms that these same common passwords are being reused in corporate environments.

1000, 100,000 or 1 billion?

It is possible to prevent password spraying attacks, as well as credential stuffing, which is when stolen usernames and passwords are tested against other sites. The solution is to use protective monitoring and password blacklisting. The number of passwords in the blacklist that you should test against is open to debate.

The NCSC teamed up with cybersecurity expert Troy Hunt to release a list of the 100,000 most common passwords. They believe that number strikes the right balance between blocking common passwords, and avoiding user frustration. However, 100,000 passwords is only a small subset of billions of leaked passwords already in circulation. When a single weak point can breach the entire corporate network, it’s better to cast a wider safety net.

Specops Software has been in the password business for more than 10 years. Securing Active Directory passwords is our area of expertise, guiding us when we launched our password blacklist service in 2018. We believe a password blacklist should be as comprehensive as possible, including leaked passwords in many different languages, passwords from obscure leaks, and even leetspeak variations of passwords. The blacklist should also be updated regularly to take into account new leaks. Specops Password Blacklist is a hosted service made up of more than one billion leaked passwords, including the password list that Troy Hunt maintains at haveibeenpwned and the Collection #1 list.

Using a comprehensive password blacklist doesn’t need to create user frustration – it actually improves usability. It allows you to relax complexity rules, since most of the weak passwords have already been kept out. Specops Password products give you the option to combine password blacklisting with passphrase support, allowing you to relax not only complexity rules but also password expiry when a password exceeds the minimum password length.
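The three points made above (a complexity policy admits Liverpool19, a blacklist should catch leetspeak variants, and a blacklist lets you relax complexity for long passphrases) can be seen together in one evaluation routine. The Python below is an added example, not Specops', the NCSC's or Troy Hunt's code. The blacklist is a constructed handful of base words standing in for a real list such as the NCSC 100,000 or a leaked-password set; the leetspeak mapping, the suffix-stripping rule and the 15-character passphrase threshold are assumptions chosen to illustrate the approach.

```python
"""Evaluate a candidate password against a complexity policy and a blacklist.

Added example, not vendor or NCSC code. BLACKLIST is constructed; the
normalization rules and passphrase threshold are assumptions.
"""
import re

# Common leetspeak substitutions undone before the lookup (assumed mapping).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Constructed stand-in for a real blacklist of base words (lower-case).
BLACKLIST = {"password", "liverpool", "qwerty", "welcome", "letmein", "summer"}


def blacklist_variants(password):
    """Return the normalized forms of `password` to look up in the blacklist:
    lower-cased, with trailing digits/symbols stripped (Liverpool19 -> liverpool),
    and with leetspeak undone (P@ssw0rd -> password), in every combination.
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", lowered)  # drop year/number/symbol suffix
    return {
        lowered,
        stripped,
        lowered.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
    }


def is_blacklisted(password, blacklist=BLACKLIST):
    """True if any normalized variant of the password appears in the blacklist."""
    return any(v in blacklist for v in blacklist_variants(password))


def meets_complexity(password, min_len=8):
    """The typical corporate rule: 8+ characters with upper, lower and a digit.
    Note that Liverpool19 satisfies this."""
    return bool(
        len(password) >= min_len
        and re.search(r"[A-Z]", password)
        and re.search(r"[a-z]", password)
        and re.search(r"\d", password)
    )


def evaluate(password, blacklist=BLACKLIST, min_len=8, passphrase_len=15):
    """Blacklist first; then length; then waive complexity for long passphrases
    (the relaxation the article describes), otherwise apply complexity."""
    if is_blacklisted(password, blacklist):
        return "reject: blacklisted"
    if len(password) < min_len:
        return "reject: too short"
    if len(password) >= passphrase_len:
        return "accept: passphrase, complexity waived"
    if not meets_complexity(password, min_len):
        return "reject: complexity"
    return "accept"


if __name__ == "__main__":
    for candidate in ["Liverpool19", "P@ssw0rd1", "Welcome1!",
                      "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{candidate!r:32} policy={meets_complexity(candidate)} -> {evaluate(candidate)}")
```

Running the block shows the gap the article describes: Liverpool19 and P@ssw0rd1 pass the complexity policy yet are rejected by the blacklist, while the long passphrase is accepted without any complexity requirement. In a production deployment the lookup would run against the full list (or its hashed form) rather than the constructed set here, and the variant generation would be extended to cover the languages and obscure leaks the blacklist is meant to contain.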

As cyber-attacks have evolved over the years, so too have the recommendations for preventing attacks. With governmental agencies, such as the NCSC, recommending password blacklisting, it’s high time to implement a password blacklist that will eliminate all leaked passwords from use in your corporate environment.
