Passwords, passwords everywhere

Selecting an effective password can be challenging.

The NCSC has emphasized through various blogs and guidance that it’s crucial to modify password policies to ensure users are encouraged to select secure passwords. One of the strategies includes the utilization of password deny lists, which prevent users from choosing passwords that are frequently exposed in data breaches. This practice is also supported by the National Institute of Standards and Technology (NIST), which recommends.

In partnership with Troy Hunt, we are unveiling a document that contains the top 100,000 passwords from his Have I Been Pwned database. If you find that one of your passwords is on this list, it is vital to change it immediately. This blog will explain the importance of this action and address frequently asked questions regarding password deny lists.

If you’re looking to download the file directly, you can find it here: PwnedPasswordsTop100k.txt.


Why is password re-use a significant issue?

Password re-use poses serious risks for both individuals and organizations. For instance, the password ‘123456’ has appeared 23 million times across various breaches documented by Troy Hunt. You may believe that opting for a more intricate password like ‘oreocookie’ is safer, yet this password has been identified over 3,000 times.

Cyber attackers frequently utilize such lists when attempting to breach networks or infiltrate less secure systems. This is particularly common in environments where both corporate and operational or Industrial Control Systems (ICS) exist. In these scenarios, attackers have successfully infiltrated the corporate segment and transitioned into internal networks due to inadequate segmentation, which allows a single weak point (like a compromised password from these lists) to compromise security. A notorious instance involved the TRITON/TRISIS malware, where attackers initially breached an external VPN before moving laterally through poor segmentation.

Although it remains unclear how those VPN credentials were acquired, adopting a contemporary authentication strategy (including multi-factor authentication) can significantly mitigate the risk of unauthorized access stemming from compromised data, poor password practices, or insufficient strong authentication measures.


Does sharing breached passwords benefit criminals?

These passwords are already accessible to the public. By raising awareness regarding how attackers exploit passwords gathered from breaches, we can complicate matters for those criminals, assisting you in minimizing risks to your clients or staff.


Why not utilize an existing list of breached passwords?

Through our collaboration with Troy, we offer the most current list supported by a reliable data source, which the NCSC trusts. Additionally, we can incorporate this list into our NCSC guidance.

However, other passwords that might be more specific (like employees incorporating their company name into their password) or seasonal (‘Spring2019’, etc.) may not be included in a global breach list but could still be targeted by attackers. This list should serve as a good starting point, though not an exhaustive solution for deny lists.


Why limit ourselves to 100,000 passwords instead of 1 million?

It’s essential to strike a balance between safeguarding users from poor password choices and not making it overly complicated for them to select one. We believe that a list of 100,000 strikes a suitable balance. Users will find it manageable, while the password quality remains sufficiently high, allowing other measures (like monitoring and rate limiting) to address much of the remaining risk.


I’m a developer. What actions should I take with these files?

If your application is unlikely to have internet access when deployed (or you prefer not to depend on external services), you can implement a check against these files in your authentication process. How to manage cases regarding matching passwords is up to your discretion, but enabling users to access tools like password managers is recommended.

If you prefer using an external service, consider options like Troy Hunt’s Pwned Passwords API. Troy offers a valuable blog that showcases how different companies have applied this feature, which may assist in designing your authentication flow.
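The two options above (an offline check against the downloaded file, or a range query to Pwned Passwords) can be combined in one authentication check. The following is an added example, not NCSC or Troy Hunt code; the deny-list text and the range response are constructed stand-ins, and the range endpoint is stubbed so it runs offline (in production the stub would be replaced by an HTTPS GET for the 5-character hash prefix).

```python
import hashlib
from typing import Callable, Dict, FrozenSet, Tuple

# Constructed stand-in for PwnedPasswordsTop100k.txt: one password per line.
SAMPLE_DENY_LIST = "123456\noreocookie\nSpring2019\n"

# Constructed stand-in for a Pwned Passwords range response (SUFFIX:COUNT per line).
# The suffix below is SHA-1("password") minus its 5-char prefix; the count is made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
             "0000000000000000000000000000000000A:2\n",
}

def load_deny_list(text: str) -> FrozenSet[str]:
    """Parse the one-password-per-line file into a set for constant-time membership."""
    return frozenset(line for line in text.splitlines() if line)

def is_denied(candidate: str, deny_list: FrozenSet[str]) -> bool:
    """Exact-match check against the local deny list (the offline path)."""
    return candidate in deny_list

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the
    range API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means the hash was not in a breach."""
    for line in range_body.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0

def stub_range_lookup(prefix: str) -> str:
    """Offline stand-in for the network call; unknown prefixes return an empty range."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

def check_password(candidate: str, deny_list: FrozenSet[str],
                   range_lookup: Callable[[str], str]) -> Dict[str, object]:
    """Deny-list first (cheap, offline), then the k-anonymity range check."""
    if is_denied(candidate, deny_list):
        return {"allowed": False, "reason": "deny-list"}
    prefix, suffix = sha1_prefix_suffix(candidate)
    count = breach_count_from_range(suffix, range_lookup(prefix))
    if count > 0:
        return {"allowed": False, "reason": "breached", "count": count}
    return {"allowed": True, "reason": "ok"}

DENY = load_deny_list(SAMPLE_DENY_LIST)
```

Only the hash prefix leaves the application; the full hash and the plaintext never do, which is why the range lookup can be used without disclosing the candidate password.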

Alternatively, focus on reducing user burden by exploring alternative authentication methods (such as single sign-on) and staying informed about emerging standards like WebAuthn. More information on this will be provided in the future.


I’m a SysAdmin. What should I do with these files?

Andy P’s article on password spraying discusses a study that examined checking Active Directory (AD) passwords against common password lists. You can utilize the pwauditor tool he mentions and adapt it to incorporate this list. Alternatively, you can devise a solution through your authentication provider, as some may provide deny list checking capabilities. For instance, if you’re utilizing Azure AD, Microsoft has launched a new password protection feature that allows you to establish a password deny list. Additionally, transitioning users to options like Hello for Business can help eliminate the need for passwords altogether.

As with developers, there are ways you can assist in alleviating password overload as a SysAdmin. The NCSC has released a collection of password-related guidelines for system administrators.


How does blocking these passwords benefit users?

Friends should not let friends choose weak passwords. Although this approach may introduce some obstacles when users are choosing passwords (far less frustrating than overly complex composition rules), it effectively guides individuals towards more secure choices. Ultimately, this enhances the protection of your organization’s data and critical infrastructure.

We also hope to stimulate conversations around this topic. The success of security relies on community action—whether that involves helping individuals recognize how frequently their passwords are used or simply boosting their confidence in selecting secure passwords for both work and personal use.

Dan U
Senior Security Researcher


Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
