Why is a leaked password list so important?
(Last updated on September 30, 2020)
With high-profile data breaches on the rise, it is tempting to place all the blame on companies for failing to protect their data. Yet even where most security controls are in place, many major breaches come down to one simple and overlooked factor: the password. Attackers can reach sensitive data in many ways, but credentials harvested from earlier breaches are among the easiest and most common routes in.
In August 2018, British Airways suffered a breach that compromised the personal and payment data of some 380,000 customers who made bookings on its website and app. The data included names, email addresses, billing addresses and payment card details. Attackers can now take the email addresses from that breach and try them, paired with commonly used passwords, against other websites in an effort to steal more data.
Password reuse across systems is what makes this attack vector so effective. A cautionary tale is the 2012 Dropbox breach, which came down to a single employee who had used their LinkedIn password, already exposed in the LinkedIn breach earlier that year, for their corporate Dropbox account. That one reused password ultimately led to the theft of more than 60 million user credentials. With password reuse, it takes only one compromised password to cause a company-wide breach, which is why blocking the use of compromised passwords in business systems matters now more than ever.
For federal systems, the National Institute of Standards and Technology (NIST) requires in Special Publication 800-63B that verifiers compare prospective passwords against a list of values known to be commonly used, expected or compromised. That list can include passwords obtained from previous breaches, dictionary words, repetitive or sequential characters (such as "aaaaaa" or "1234abcd"), and context-specific words such as the service name or the username. The UK's National Cyber Security Centre (NCSC) recommends a similar approach: replacing password complexity rules with a deny list of leaked passwords. The NCSC went so far as to team up with security researcher Troy Hunt and release a file containing the top 100,000 passwords from Hunt's Have I Been Pwned password corpus. Publishing that list, along with data on the password habits of UK citizens, was intended to raise awareness of password security in general and of the importance of a password deny list in particular.
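The checks NIST describes are simple to implement. The following is an added example, not code from Specops or from NIST: a screening function that rejects a candidate password if it is shorter than eight characters, appears in a breach corpus, is a dictionary word (with or without leet-style substitutions and appended digits), consists of repeated or sequential characters, or contains the username or an organisation-specific word. The breach corpus, dictionary and organisation name ("acme") are constructed stand-ins for the real Have I Been Pwned data, a real word list and your own context words. The deny list is stored as SHA-1 hashes bucketed by their first five hex characters, which is the split the Pwned Passwords range API uses, so the same lookup shape works against the full corpus.

```python
"""NIST SP 800-63B style password screening (added example, not Specops code).

All data below is constructed for the demo: a handful of "breached" passwords
stands in for the Have I Been Pwned corpus, a few words for a dictionary, and
a made-up organisation name ("acme") for the context-specific list.
"""
import hashlib
import re

BREACHED_SAMPLE = {"123456", "password", "qwerty", "Summer2020", "P@ssw0rd"}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football"}
CONTEXT_WORDS = {"acme", "acmecorp"}          # hypothetical organisation names

# Common substitutions so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest the way the Pwned Passwords
    range API does: the first 5 hex chars are sent, the rest stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Store the deny list hashed and bucketed by prefix, never as plaintext.
BREACHED_RANGES = {}
for _pw in BREACHED_SAMPLE:
    _pre, _suf = sha1_prefix_suffix(_pw)
    BREACHED_RANGES.setdefault(_pre, set()).add(_suf)


def in_breach_corpus(password, ranges=BREACHED_RANGES):
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in ranges.get(prefix, set())


def normalized_forms(password):
    """Candidate base words: lower-cased, with leading/trailing digits and
    symbols stripped, with and without leet substitutions, letters only."""
    lower = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    forms = set()
    for s in (lower, core):
        forms.add(re.sub(r"[^a-z]", "", s))
        forms.add(re.sub(r"[^a-z]", "", s.translate(LEET)))
    forms.discard("")
    return forms


def has_repetition_or_sequence(password, run=4):
    """True for runs like 'aaaa', '1234' or 'dcba' of length >= run."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password, username, context_words=CONTEXT_WORDS):
    """Return the list of reasons to reject; an empty list means accept."""
    reasons = []
    if len(password) < 8:
        reasons.append("too short (NIST minimum is 8 characters)")
    if in_breach_corpus(password):
        reasons.append("appears in breach corpus")
    if normalized_forms(password) & DICTIONARY:
        reasons.append("dictionary word, possibly with substitutions or appended digits")
    if has_repetition_or_sequence(password):
        reasons.append("repetitive or sequential characters")
    lower = password.lower()
    tokens = {username.lower(), username.lower().split("@")[0]}
    tokens |= {w.lower() for w in context_words}
    if any(len(t) >= 3 and t in lower for t in tokens):
        reasons.append("contains username or organisation-specific word")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2020", "jsmith2021!", "abcd1234",
               "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, 'jsmith') or 'accepted'}")
```

Note that a leaked password is rejected on a hash match regardless of how "complex" it looks: "Summer2020" and "P@ssw0rd" satisfy the usual upper/lower/digit/symbol rules and are still refused, while a long passphrase with no dictionary-word base passes. Returning the list of reasons rather than a boolean lets the enrolment UI tell the user why the choice was rejected, which NIST also recommends.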
Password reuse is the problem
Attacks often start with a password list from a previous breach being used against a new target. Password dictionary attacks work because an estimated 80% of people reuse passwords across services, both personal and professional. The attacker does not even need the exact username and password pair to succeed. An easier approach is a password spraying attack: the attacker picks one common password that is still complex enough to pass most corporate policies (a season-plus-year password such as "Summer2020" fits the pattern) and tries it against every username in the organization. The attack succeeds because common passwords are highly likely to be in use somewhere in a large user population, and it goes unnoticed because it never makes repeated attempts against the same account, so per-account lockout thresholds are never reached. Even if every user stopped reusing passwords today, lists from past breaches would still be used in future attacks.
Blocking dictionary lists keeps out the most vulnerable passwords, whether they appear on a leaked password list or on a list of weak passwords. If you are not doing this today, it is time to look into Specops Password Policy, especially if you do not want to join the long list of organizations that have lost not just data but also the trust of their customers. With the Breached Password Protection service, you can block more than 2 billion leaked passwords, including the Have I Been Pwned list.
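The reason spraying slips past lockout policies is that detection is usually keyed on the account, not on the source. The following added example, which is not code from the original article or from Specops, runs two detections over a constructed authentication log: a classic per-account failure count, which catches a brute-force attempt against one user, and a per-source check that flags a source whose failures touch many distinct accounts while every account stays under the lockout threshold. The log format (timestamp, user, source, outcome), the addresses and the user names are all invented for the demo.

```python
"""Password spraying vs. brute force over a constructed auth log
(added example, not Specops code or real telemetry)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
         "grace", "heidi", "ivan", "judy", "mallory", "oscar"]


def build_sample_log():
    """Constructed log lines: one spraying source trying each account once,
    one brute-force source hammering a single account, and one user who
    mistyped twice and then logged in. Format: 'timestamp user source outcome'."""
    base = datetime(2020, 9, 30, 8, 0, 0)
    lines = []
    for i, user in enumerate(USERS):                      # spray: 1 try per account
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} {user} 203.0.113.7 FAIL")
    for i in range(15):                                   # brute force: 15 tries on carol
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} carol 198.51.100.9 FAIL")
    lines += [f"{(base + timedelta(minutes=2)).isoformat()} dave 192.0.2.10 FAIL",
              f"{(base + timedelta(minutes=2, seconds=20)).isoformat()} dave 192.0.2.10 FAIL",
              f"{(base + timedelta(minutes=2, seconds=40)).isoformat()} dave 192.0.2.10 OK"]
    return "\n".join(lines)


def parse_log(text):
    """Return events as (timestamp, user, source, outcome), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome))
    return sorted(events)


def detect_brute_force(events, lockout_threshold=5):
    """Classic per-account detection: (source, user) pairs at or over the
    lockout threshold. Spraying never reaches this threshold."""
    per_account = Counter((src, user) for _, user, src, outcome in events
                          if outcome == "FAIL")
    return {key: n for key, n in per_account.items() if n >= lockout_threshold}


def detect_spraying(events, window=timedelta(minutes=30), min_users=10,
                    lockout_threshold=5):
    """Per-source detection: a source whose failures inside `window` hit at
    least `min_users` distinct accounts while no account reaches the lockout
    threshold. Returns {source: sorted list of targeted users}."""
    by_source = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "FAIL":
            by_source[src].append((ts, user))
    flagged = {}
    for src, fails in by_source.items():
        recent = deque()
        for ts, user in fails:
            recent.append((ts, user))
            while recent and ts - recent[0][0] > window:   # drop stale entries
                recent.popleft()
            per_user = Counter(u for _, u in recent)
            if len(per_user) >= min_users and max(per_user.values()) < lockout_threshold:
                flagged[src] = sorted(per_user)
    return flagged


SAMPLE_EVENTS = parse_log(build_sample_log())

if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
    print("spraying:   ", detect_spraying(SAMPLE_EVENTS))
```

On the sample, the brute-force source is the only one caught by the per-account rule, and the spraying source, with a single failure per account, is invisible to it; only the per-source rule flags it. In a real environment the same logic runs over Windows 4625 events or IdP sign-in logs, and the `min_users` threshold is tuned to your population size so that a help-desk workstation or a shared NAT address does not trip it.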