On the Blacklist

The National Cyber Security Centre says maintaining a password blacklist is an essential part of good password security. We take a look at what should be on your blacklist and how to go about enforcing it.

A password blacklist is simply a list of passwords that should not be used.

It should encompass all commonly used passwords – like “password” or “123456” – or passwords identified in data breaches, so that users cannot use insecure passwords as part of their login credentials.

Why use a password blacklist?

Cyber attackers will try to gain access to a user’s account and – from there – the wider corporate network by exploiting weak and insecure passwords. Also, as it is still common for users to replicate the same password for everything, other personal accounts may also be compromised.

Password spraying is one approach hackers will use. A small number of common passwords are used against a large number of accounts using brute force.

More targeted attacks are also a threat as the computing power available to cyber criminals increases. This makes password cracking even easier – and good password practice even more important.

The role of password blacklists in good password practices

The National Cyber Security Centre (NCSC) recommends that all organisations make it easy for their users to choose good passwords. It says making sure users don’t use blacklisted passwords is a key part of this.

To help in this endeavour, the NCSC has released a database of 100,000 blacklisted passwords in conjunction with Troy Hunt from the Have I been Pwned website. You can find out how to download this file on the NCSC website.

The dataset behind these blacklisted passwords shows how important using a blacklist can be. Even when people know they need to use secure passwords, they can still get lazy when choosing a password. In the dataset of breaches gathered by the Have I Been Pwned site, the password “123456” was found to have been used more than 23 million times.

By creating and implementing a password blacklist you can make your organisation less vulnerable to breaches as a result of this type of poor password practice.

The risk to your business

The NCSC asked organisations participating in its UK Cyber Survey to collect data from their Microsoft Active Directory user administration to review the passwords used in their corporate environments.

The results were worrying. 87 percent of organisations unearthed passwords that featured in the top 10,000 most commonly used passwords. And 75 percent of organisations discovered staff were using passwords found in the top 1,000 most commonly used passwords.

This leaves many corporate environments vulnerable to hackers who want to breach the network perimeter by taking advantage of poor password choices. Once in, attackers can steal data or even – if there is poor network segmentation – move laterally around the network to access more sensitive systems. The data is then used maliciously or sold on the DarkNet to someone else.

Using a password blacklist

The NCSC dataset offers 100,000 passwords that it thinks should be blacklisted.

It is important to add to this list with other more localised weak password choices. For example, NCSC warns how common it is to find people using the company name or product names in their password choices. Similarly, months, seasons, locations, home towns, local football teams or celebrities can all be common – and, therefore, weak – choices, yet they are unlikely to turn up on any national blacklist given the limitation of their seasonal/ local relevance.

This makes it really important for the owner of your organisation’s password blacklist to add to the generic blacklist with their own specific set of blacklisted passwords.

If you’re using Azure AD, you can use the new password protection feature that allows you to define your own password blacklist. This allows you to specify 1,000 custom blacklisted passwords in addition to the Microsoft global banned password list and prevent users from using them. To use this feature, you will need an Azure Active Directory Premium P1 or P2 license.

To help you create a custom password blacklist, the NCSC have released guidance about passwords that may be useful.

Make it easy for users to choose good passwords

If you are new to implementing a password blacklist be aware that users may feel some frustration initially if their first choice of password is rejected. There is an education piece around the roll out of such a system, to help users understand how common their chosen password actually is and what the risk are associated with that.

Make it clear that a small restriction on the password choices they make can have significant security implications and, in fact, is a small price to pay for ensuring that your organisation’s data and critical infrastructure is better protected.

Whatever passwords are used, we’d also recommend that businesses employ two-factor authentication (2FA) for additional peace of mind.

If you’d like to know more about password security or general cyber resilience, the Grant McGregor team are on hand to help.