Recently, I was doing some research on password security using breached password databases to understand the value they bring when trying to improve overall password security. One very good database is the “Have I been pwned” database.
I’ve Been Pwned
For those of you who have not used this excellent public resource, it’s a collection of over 551 million unique breached password hashes.
The website allows you to see if your username or password has been exposed in a data breach. They also make all 551 million hashes available for download.
Like many researchers, I discovered a few interesting things.
As shocking as it may sound, the hashed password ‘123456’ is the most popular password and has been seen over 23 million times.
I don't take this fact seriously. I view it as a throw-away password used on sites that obviously did not take security seriously, by users who likely had little on the site to secure.
I refuse to believe anyone could ever think a password so simple could secure anything.
One thing I did learn when looking at the most popular breached passwords is when it comes to creating crappy passwords, we all do very similar things. Just look at the 50 most popular passwords and the number of times each was used.
How Should You Leverage a Breach Database to Help You Better Secure Active Directory?
Forget the headlines and the frequently used passwords. 94.5% of all passwords in the Have I been Pwned database have been seen 10 or fewer times, and 76.6% (422 million) have been seen three or fewer times.
This means there are hundreds of millions of unique passwords that should not be allowed based on NIST 800-63b guidelines.
Implementing a password policy is not new for any organization, but preventing the use of known breached passwords will be something new for many organizations and a step in the right direction.
The number of known breached passwords continues to grow, which means a password that is allowed today could appear in a future update of the breach database. Existing password hashes therefore need to be scanned against the breach database on an ongoing basis.
You need a dual approach: catch bad passwords at the moment they are created, and scan existing hashes as your breach database grows.
Let’s Stop Looking at the Top of the Iceberg and Look Below the Water Line
When you look at the passwords that have been seen only once, they make up 35% (194,341,339) of the password hashes in the Have I been Pwned database.
The fact that they have been seen only once across 551 million passwords means that they are truly unique.
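The creation-time half of the dual approach, and the "below the water line" count analysis, as an added example (not STEALTHbits' or Have I Been Pwned's code). The breach entries are constructed plaintexts hashed at runtime so the script runs offline; the real download contains only hashes and counts. The 5-character prefix index mirrors the k-anonymity range query HIBP exposes for SHA-1 hashes, and the policy rejects any password present in the corpus at all, however few times it was seen:

```python
import hashlib
from collections import defaultdict

# Constructed sample of breached passwords and how often each was seen.
# Real downloads list only hashes; plaintexts appear here so the example is
# self-contained and embeds no real breach data.
_SAMPLE_BREACHED = [
    ("123456", 23_000_000),
    ("password", 3_500_000),
    ("Winter2019!", 12),
    ("Tr0ub4dor&3", 3),
    ("correct horse battery staple", 1),
    ("Qx7#pLm2vR9z", 1),
]


def sha1_hex(password: str) -> str:
    """HIBP keys its SHA-1 corpus by the uppercase hex digest of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(entries):
    """Index hashes by their first five hex characters, the granularity of a
    range query. Each value is a 'SUFFIX:COUNT' line, the shape the API returns."""
    index = defaultdict(list)
    for pw, count in entries:
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(_SAMPLE_BREACHED)


def lookup_count(password: str, index=RANGE_INDEX) -> int:
    """k-anonymity lookup: only the 5-char prefix would leave the client; the
    suffix comparison happens locally. Returns the seen count, 0 if absent."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in index.get(prefix, []):
        cand, count = line.split(":")
        if cand == suffix:
            return int(count)
    return 0


def evaluate_new_password(password: str, min_length: int = 8, index=RANGE_INDEX) -> dict:
    """Creation-time policy in the spirit of NIST SP 800-63B: a minimum length
    plus rejection of anything found in the breach corpus, whatever its count."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = lookup_count(password, index)
    if seen > 0:
        reasons.append(f"found in breach corpus ({seen} times)")
    return {"accepted": not reasons, "reasons": reasons, "seen": seen}


def breach_count_distribution(entries, thresholds=(1, 3, 10)) -> dict:
    """Fraction of distinct breached passwords seen at most N times, for each
    N in thresholds. This is the view that surfaces the long tail rather than
    the handful of famous passwords at the top."""
    total = len(entries)
    return {t: sum(1 for _, c in entries if c <= t) / total for t in thresholds}


if __name__ == "__main__":
    for candidate in ["123456", "Qx7#pLm2vR9z", "a long passphrase nobody has leaked"]:
        print(candidate, "->", evaluate_new_password(candidate))
    print("share of corpus seen <= N times:", breach_count_distribution(_SAMPLE_BREACHED))
```

Note that `Qx7#pLm2vR9z` is a strong-looking password that was seen exactly once; it is still rejected, which is the point of looking below the water line. A production check would stream the full download or call the range endpoint instead of building the index from a list.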
While most people look at the silly simplistic examples at the top end of the list, the real insight comes from looking at the bottom of the list.
The new password guidance from the US Department of Commerce's National Institute of Standards and Technology, NIST 800-63b, has caused organizations to take another look at passwords. Part of the response involves new policy; another part is user education.
What the world has done with passwords for the better part of three decades has not exactly worked well. I think it's a smart idea to rethink corporate password policies.
At STEALTHbits, we believe that complex, unique passwords are the cheapest and fastest way to improve your security. Our StealthINTERCEPT Enterprise Password Enforcer (EPE) can:
- Protect against credential stuffing attacks
- Enforce password hygiene
- Prevent the use of known compromised passwords
- Block passwords using a custom password list
- Notify administrators of password security risks
- Integrate with your SIEM
So, what happens when the breach database grows from 551 million to 590 million? How do you find out if existing passwords are in the newly refreshed database? The only way to know is to compare the existing hashes against the breach database, which can be done with StealthAUDIT.
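The ongoing-scan half of the approach, as an added example that is not StealthAUDIT's or HIBP's code. It assumes an inventory of stored password hashes keyed by account (constructed here, in the same SHA-1 format as the breach file; an Active Directory scan would use the NTLM-formatted list instead) and two constructed snapshots of a breach download in its `HASH:COUNT` line format. The large file is streamed once while the small account index is held in memory, and the diff between snapshots shows an account whose password was acceptable under the old list and is flagged after the refresh:

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the key format of the HIBP SHA-1 download."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed inventory, as an audit export of stored hashes would produce.
# Plaintexts are used only to generate the hashes for this example.
ACCOUNT_HASHES = {
    "alice": sha1_hex("Spring2018!"),
    "bob": sha1_hex("P@ssw0rd"),
    "svc-backup": sha1_hex("xK9#vQ2!mLp7zR"),
}


def _snapshot(entries) -> str:
    """Render constructed entries in the download's 'HASH:COUNT' line format."""
    return "".join(f"{sha1_hex(p)}:{c}\n" for p, c in entries)


# Constructed snapshots: the refreshed list (V2) gained one entry seen once.
BREACH_V1 = _snapshot([("P@ssw0rd", 51_000), ("123456", 23_000_000)])
BREACH_V2 = _snapshot([("P@ssw0rd", 52_400), ("123456", 23_100_000), ("Spring2018!", 1)])


def scan_inventory(account_hashes: dict, breach_lines) -> dict:
    """Stream the breach list once (breach_lines may be an open file or any
    iterable of 'HASH:COUNT' lines) and look each line up in the account
    index. Returns {account: seen_count} for every account whose stored hash
    appears in the list."""
    by_hash = {}
    for account, h in account_hashes.items():
        by_hash.setdefault(h.upper(), []).append(account)
    hits = {}
    for line in breach_lines:
        line = line.strip()
        if not line:
            continue
        h, _, count = line.partition(":")
        for account in by_hash.get(h.upper(), []):
            hits[account] = int(count)
    return hits


def newly_compromised(account_hashes: dict, old_lines, new_lines) -> dict:
    """Accounts that were clean against the previous snapshot but match the
    refreshed one; these are the passwords that 'were allowed today' and
    became breached with the update."""
    old = scan_inventory(account_hashes, old_lines)
    new = scan_inventory(account_hashes, new_lines)
    return {a: c for a, c in new.items() if a not in old}


if __name__ == "__main__":
    print("matches against V1:", scan_inventory(ACCOUNT_HASHES, BREACH_V1.splitlines()))
    print("newly compromised after refresh:",
          newly_compromised(ACCOUNT_HASHES, BREACH_V1.splitlines(), BREACH_V2.splitlines()))
```

Indexing the accounts rather than the breach file is what keeps the scan cheap: a few hundred thousand stored hashes fit in memory easily, while the half-billion-line download is read sequentially and never loaded whole.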
Rod Simmons is VP of Product Strategy at Stealthbits Technologies responsible for the vision and strategy of their Active Directory Management and Security solutions. Rod has been in the technology space for over 20 years.
Prior to joining Stealthbits, he served as Director of Product Management at BeyondTrust responsible for the Privileged Access Management products. He has also held positions leading Solution Architects and Product Managers at Quest Software and Netpro Computing Inc.