Why is password blacklisting so important?
(Last updated on December 6, 2018)
With high-profile data breaches on the rise, it is convenient to place all the blame on companies for failing to protect their data. However, even with most security measures in place, many of the major breaches come down to one simple (and overlooked) factor: the password. While hackers can gain access to sensitive information through various means, credentials obtained from earlier breaches are the easiest and most common route.
In August 2018, British Airways suffered a breach that compromised the personal and financial data of 380,000 customers who made bookings on its website and app. This data included email addresses, names, billing addresses, and bank card information. Hackers can now use the email list from the breach, in combination with commonly used passwords, on other websites in an effort to steal more data.
Password reuse across multiple systems heightens this attack vector. A cautionary tale is the 2012 Dropbox breach. It came down to one careless employee who had reused their LinkedIn password (LinkedIn had itself been breached earlier that year) for their corporate Dropbox account. This led to the theft of 60 million user credentials. With password reuse, it only takes one compromised password to lead to a company breach. This is why it is so important, now more than ever, to block the use of compromised passwords in business systems.
When it comes to federal organizations, the National Institute of Standards and Technology (NIST) requires checking prospective passwords against a list of commonly used or compromised passwords. Such lists can include passwords obtained from previous breaches, dictionary words, repetitive or sequential characters, and context-specific words such as the username or the name of the service. The National Cyber Security Centre (NCSC) in the UK recommends a similar approach: replacing password complexity rules with a check against a dictionary of leaked passwords.
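The following Python script is an added example (not code from the original post or from Specops) showing what a password-screening check of the kind NIST describes looks like in practice: it rejects candidates that appear in a breached-password list, contain a dictionary word, contain repetitive or sequential characters, or contain context-specific words such as the username or service name. The breached list, dictionary and service names are small constructed samples embedded inline; a real deployment would load full lists. Storing the breached list as SHA-1 hashes mirrors how the haveibeenpwned list is distributed, so the plaintext never has to sit on disk.

```python
import hashlib
import re
from typing import List

# Constructed sample of a breached-password list, kept as SHA-1 hashes.
# Real deployments load the full (hashed) leaked-password list instead.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2018!")
}

# Constructed mini dictionary; a real word list has hundreds of thousands of entries.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football"}

# Context-specific words: the organisation/service names (hypothetical values).
SERVICE_WORDS = {"specops", "acme"}


def is_breached(password: str) -> bool:
    """True if the SHA-1 of the candidate is in the breached-hash set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def contains_dictionary_word(password: str) -> bool:
    """True if any dictionary word appears anywhere in the candidate (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY_WORDS)


def has_repetitive_or_sequential(password: str, run: int = 4) -> bool:
    """True for runs such as 'aaaa' (repeated) or 'abcd' / '4321' (sequential)."""
    # Same character repeated `run` or more times.
    if re.search(r"(.)\1{" + str(run - 1) + ",}", password):
        return True
    # Strictly ascending or descending alphanumeric runs of length `run`.
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i:i + run]
        if not chunk.isalnum():
            continue
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_context_specific(password: str, username: str) -> bool:
    """True if the candidate contains the service name or a piece of the username."""
    lowered = password.lower()
    tokens = set(SERVICE_WORDS)
    # Split 'jane.doe' into 'jane' and 'doe'; ignore very short fragments.
    tokens.update(t for t in re.split(r"[^a-z0-9]+", username.lower()) if len(t) >= 3)
    return any(tok in lowered for tok in tokens)


def screen_password(password: str, username: str) -> List[str]:
    """Return the list of reasons a candidate is rejected; empty means it passes."""
    reasons = []
    if is_breached(password):
        reasons.append("found in breached-password list")
    if contains_dictionary_word(password):
        reasons.append("contains dictionary word")
    if has_repetitive_or_sequential(password):
        reasons.append("contains repetitive or sequential characters")
    if is_context_specific(password, username):
        reasons.append("contains username or service name")
    return reasons


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user 'jane.doe'.
    for candidate in ("Summer2018!", "JaneDoe2019", "aaaa1234", "correct-horse-battery-staple"):
        verdict = screen_password(candidate, "jane.doe")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The checks are deliberately independent so the rejection message can tell the user which rule they tripped without revealing the contents of the lists. When the breached list is queried from a remote service rather than loaded locally, send only a short prefix of the hash and compare the returned suffixes locally, so the candidate password never leaves the host.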
Regardless of which regulations your organization falls under, blocking dictionary lists can help keep out the most vulnerable passwords, whether they appear on a leaked-password list or on a list of weak passwords. If you are not doing this today, it is time to look into Specops Password Policy, especially if you do not want to join the long list of organizations that have experienced a breach of not just their data, but also the trust of their customers. With the Specops Password Blacklist feature, you can now block more than 1 billion leaked passwords, including the haveibeenpwned list.