“Passwords, passwords everywhere: How password blacklists can help your users to make sensible password choices.”
NCSC Blog, April 21, 2019
By Dan U
Choosing a good password is hard.
Throughout our blogs and guidance, the NCSC have said how important it is to change your password policies (if necessary) to make it easier for users to choose ‘good’ ones. This includes using password blacklists (that is, making sure your users can’t choose any passwords commonly found in data breaches), something that the National Institute of Standards and Technology (NIST) also recommends in SP 800-63B, which asks verifiers to compare new passwords against lists of values known to be compromised.
Today, in collaboration with Troy Hunt, we’re releasing a file containing the top 100,000 passwords from his Have I Been Pwned data set. If you see a password that you use in this list you should change it immediately. This blog explains why you should do this, and answers some common questions about password blacklists.
(If you just want to download the file, you can do so here: PwnedPasswordsTop100k.txt).
Why is password re-use a problem?
Password re-use is still a major risk for individuals and companies. The password ‘123456’ has been found 23 million times in the breaches that Troy’s collected. You might think that choosing a more complex password such as ‘oreocookie’ is better, but even that has been seen over 3,000 times.
Attackers commonly use lists like this one when attempting to breach a perimeter, or when trying to move within a network to potentially less well defended systems. It’s especially common in networks where there’s a corporate component and an operational or Industrial Control System (ICS) component. In such deployments, attackers have been able to breach the corporate network and move laterally to the internal network because of poor network segmentation, where a single weak point (such as a password from one of these lists on a box in a DMZ) has enabled traversal. In the first occurrence of the TRITON/TRISIS malware, the attacker breached the external perimeter VPN and then pivoted internally using RDP because of poor segmentation.
In that case it isn’t known how the perimeter VPN credentials were obtained. Even so, a modern approach to authentication (including the use of multi-factor authentication) reduces the risk of an attacker getting into your networks by taking advantage of breached data, poor password choices, or weak authentication methods.
Does releasing breached passwords help criminals?
These passwords are already in the public domain. By building awareness of how attackers use passwords obtained from breaches, we can make it harder for those attackers, and help you to reduce the risk to your customers or employees.
Why not use an existing list of breached passwords?
Through our collaboration with Troy, we can provide the most up-to-date list that’s backed by a data source that the NCSC has confidence in. We can also refer to it across our NCSC guidance.
However, attackers will also try passwords that are specific to a target (such as employees in an organisation using the company name in their password) or time limited (‘Spring2019’, etc.), and these will rarely appear in a global breach list. This list isn’t going to be the be-all and end-all of blacklists, and you should supplement it with terms specific to your organisation, but it should give you a good starting point.
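The following is an added example, not code from the NCSC or from Have I Been Pwned, showing how a registration or password-change flow might apply the released list together with the organisation-specific and time-limited patterns described above. It assumes the file is plain UTF-8 with one password per line (the blog does not describe the format), and it uses a constructed five-entry stand-in for the 100,000-line file so that it runs offline. Lower-casing entries, stripping trailing digits and symbols before a second lookup, the minimum length of 8 (the floor NIST SP 800-63B sets for memorised secrets) and the `acme` organisation term are all design choices of this example rather than anything the blog specifies.

```python
"""Password blacklist check: global breach list plus local, target-specific rules.

Added example. Assumptions: the list file has one password per line; the
'acme' organisation term and the season/month-plus-year rule are illustrative.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample standing in for PwnedPasswordsTop100k.txt. The real file
# has 100,000 lines; these five are only for demonstration.
SAMPLE_BLACKLIST = """123456
password
qwerty
oreocookie
letmein
"""

# Seasons and months that users pair with a year ("Spring2019", "Winter-19!").
_SEASON_OR_MONTH = (
    "spring|summer|autumn|fall|winter|"
    "jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
    "aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?"
)
# Whole password is <season or month><separators><2- or 4-digit year><symbols>.
TIME_LIMITED_RE = re.compile(rf"^(?:{_SEASON_OR_MONTH})[\W_]*(?:19|20)?\d{{2}}[\W_]*$")
# Digits and symbols bolted onto the end of a banned word ("password1!").
_TRAILING_NOISE_RE = re.compile(r"[\d\W_]+$")


class PasswordBlacklist:
    def __init__(self, breached_lines: Iterable[str], org_terms: Iterable[str] = (),
                 min_length: int = 8) -> None:
        # Lower-casing is a deliberate choice of this example: it also rejects
        # "Password" and "QWERTY", which differ from list entries only by case.
        self.breached = {line.strip().lower() for line in breached_lines if line.strip()}
        self.org_terms = tuple(t.lower() for t in org_terms if t)
        self.min_length = min_length

    @classmethod
    def from_file(cls, path: str, **kwargs) -> "PasswordBlacklist":
        # 100,000 short strings fit comfortably in a set; no need to stream.
        with open(path, encoding="utf-8", errors="replace") as fh:
            return cls(fh, **kwargs)

    def reasons(self, password: str) -> list[str]:
        """Return every reason the password is rejected; an empty list means OK."""
        lowered = password.lower()
        core = _TRAILING_NOISE_RE.sub("", lowered)  # "password1!" -> "password"
        found: list[str] = []
        if len(password) < self.min_length:
            found.append(f"shorter than {self.min_length} characters")
        if lowered in self.breached:
            found.append("appears in the breached-password list")
        elif core != lowered and core in self.breached:
            found.append("is a breached password with digits/symbols appended")
        if any(term in lowered for term in self.org_terms):
            found.append("contains an organisation-specific term")
        if TIME_LIMITED_RE.match(lowered):
            found.append("is a season or month followed by a year")
        return found

    def is_acceptable(self, password: str) -> bool:
        return not self.reasons(password)


if __name__ == "__main__":
    # In production: PasswordBlacklist.from_file("PwnedPasswordsTop100k.txt", org_terms=("acme",))
    bl = PasswordBlacklist(SAMPLE_BLACKLIST.splitlines(), org_terms=("acme",))
    for candidate in ("oreocookie", "Password1!", "Spring2019",
                      "Acme-Corp-2019", "correct horse battery staple"):
        print(f"{candidate!r}: {bl.reasons(candidate) or 'ok'}")
```

Returning every failing rule rather than a bare yes/no lets the user interface explain the rejection, which is what keeps a blacklist from simply frustrating users. The trailing-noise lookup is the piece worth keeping even if you drop the rest: ‘password’ is on the list, and ‘Password1!’ is exactly what a user types when told that.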
Why stop at 100,000 passwords? Why not 1 million?
There has to be a balance between protecting users from making poor password choices and not making it too difficult for them to choose one. We think that 100,000 achieves a good balance: users won’t be too frustrated, and the quality of passwords is still high enough that other mitigations (such as monitoring and rate limiting/throttling of login attempts) can handle much of the leftover risk.
About the Author:
National Cyber Security Centre, The UK’s independent authority on cyber security.