Today is World Password Day which is a great occasion to be briefing our staff on the dangers of reusing passwords.
The National Cyber Security Centre (NCSC) has published an analysis of the passwords most commonly found in accounts that were accessed by third parties in global cyber breaches. Their breach analysis showed that 23.2 million victim accounts worldwide used 123456 as a password. They have also listed the most used names, Premier League football teams and even musicians and fictional characters.
A recent study in the UK by OnePoll found that users manage an average of 14 online accounts (e.g., email, banking, bills, shopping, entertainment, etc.) and have to remember around nine different passwords across them. No wonder two in five (38%) users forget their passwords at least once a month.
Why weak passwords are a danger to your business
Reusing passwords is still a major risk for individuals and companies. The NCSC report has collated a list of the 100,000 most commonly recurring passwords that have been accessed by third parties in global cyber breaches. The compromised passwords were obtained from global breaches that are already in the public domain, having been sold or shared by hackers.
The list was created after breached usernames and passwords were collected and published on Have I Been Pwned by international web security expert Troy Hunt. The website Have I Been Pwned allows people to check if they have an account that has been compromised in a data breach.
The report shows that even being more creative with your password still runs the risk of a breach; ‘oreocookie’ was still seen over 3000 times.
Attackers use lists like these when attempting a cyber breach. This can help them breach a perimeter or move within a less well defended network.
How password blacklists can help your users to make sensible password choices
Using this NCSC list can help users create safer passwords, but it should not be used in isolation. As a first step, if you see a password that you use on this list, change it immediately.
IT managers can now use this list to check whether their users have a weak password and can help them create new, safer passwords. Recognising the passwords that are most likely to result in a successful account takeover is an important first step in IT security.
- Update your password policies
  - The NCSC give guidance on what to include to help users choose good passwords
- Ensure employees can’t use known bad passwords
- Use password blacklists
  - NIST recommend using password blacklists, such as this NCSC list or Have I Been Pwned, to ensure users don’t pick a password that is commonly found in data breaches. Then add these checks into your authentication flow
- Use password managers
- Choose a good, strong password
  - Choosing a password is hard. The NCSC urges using three random words to create a password. They also advise creating a hard-to-guess password, particularly to secure important data, such as personal or banking details. Choose something creative and memorable to you but something others cannot guess (not your first name, football team or favourite band)
  - Choose different passwords for different accounts, especially your email account or financial accounts with sensitive data
  - 25% of employees use the same password for all logins
- Use a modern approach to authentication (including multi-factor authentication)
- Make your staff aware of how attackers use passwords obtained from breaches, to make it relevant and ensure users adopt a good password policy
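To make the “add a blacklist check into your authentication flow” step concrete, here is an added example (not code from the original post, the NCSC or Have I Been Pwned) of a password-change check that rejects anything found in breach data. It combines a local blacklist with the k-anonymity style of lookup Have I Been Pwned uses, where only the first five characters of the password’s SHA-1 hash leave the client and the matching is done locally. The blacklist, the breach counts and the `fetch_range` stand-in are all constructed for the example; a real deployment would load the published NCSC file and call the live range API.

```python
import hashlib
from dataclasses import dataclass

# Constructed local blacklist standing in for a file such as the NCSC top-100,000
# list. Exact-match, as the published lists are.
LOCAL_BLACKLIST = {"password", "liverpool", "oreocookie", "qwerty123"}

# Constructed breach corpus used to fake the range service: password -> times seen.
# The 123456 figure mirrors the NCSC number quoted above; the others are made up.
CONSTRUCTED_RANGE_COUNTS = {
    "123456": 23_200_000,
    "summer2019": 41_000,
    "letmein2020": 12_500,
}


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the range lookup uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_store(counts: dict[str, int]) -> dict[str, str]:
    """Group hashes by their first five hex characters, mimicking a k-anonymity
    range endpoint: one text body per prefix, one SUFFIX:COUNT line per hash."""
    grouped: dict[str, list[str]] = {}
    for pw, n in counts.items():
        digest = sha1_upper_hex(pw)
        grouped.setdefault(digest[:5], []).append(f"{digest[5:]}:{n}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


RANGE_STORE = build_range_store(CONSTRUCTED_RANGE_COUNTS)


def fetch_range(prefix: str) -> str:
    """Stand-in for the network call. Only the 5-character prefix is sent, so the
    service never learns the full hash, let alone the password."""
    return RANGE_STORE.get(prefix, "")


def breach_count(password: str) -> int:
    """How many times the password appears in the (constructed) breach data.
    The suffix comparison happens locally; the password itself never leaves."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


@dataclass
class PolicyResult:
    accepted: bool
    reason: str


def evaluate_new_password(password: str, min_length: int = 8) -> PolicyResult:
    """Password-change check in the spirit of NIST SP 800-63B: a minimum length
    plus rejection of anything found in breach corpora. The local list is
    consulted first (no network); the range lookup only runs if that passes."""
    if len(password) < min_length:
        return PolicyResult(False, f"shorter than {min_length} characters")
    if password in LOCAL_BLACKLIST:
        return PolicyResult(False, "appears in the local blacklist")
    seen = breach_count(password)
    if seen:
        return PolicyResult(False, f"seen {seen} times in breach data")
    return PolicyResult(True, "not found in breach data")


if __name__ == "__main__":
    for candidate in ["123456", "oreocookie", "summer2019", "lamp otter granite"]:
        result = evaluate_new_password(candidate)
        print(f"{candidate!r}: accepted={result.accepted} ({result.reason})")
```

The check runs at password-creation and password-change time, which is where a blacklist belongs; the user gets a reason they can act on, and because the comparison is on hash suffixes fetched by prefix, the authentication system does not have to ship the whole breach corpus to every client or send plaintext passwords to a third party.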
See how vulnerable you are. Find out now which users are using hacked passwords
Try KnowBe4’s free tool: New Breached Password Test (BPT) to see which of your users are currently using passwords that are in the publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so you can take action immediately.