The Importance of Updating Your Breach Password Dictionary

With breaches and cyber-attacks increasing every year, a constant stream of compromised passwords finds its way to the dark web for purchase and use. This should NOT be a surprise: 80% of breaches involved stolen or misused credentials [1]. And this makes sense … why use advanced attack techniques when stealing credentials and assuming user identities is easier, less detectable, and still works?

Stealthbits leverages the “Have I Been Pwned” breach password dictionary within StealthAUDIT and StealthINTERCEPT Enterprise Password Enforcer to find existing uses of, and proactively block, over 500 million compromised passwords inside our customers’ Active Directory environments. As of Friday, June 19th, Troy Hunt – the dictionary’s creator and curator – added 17.3 million more bad passwords to the list, bringing the total to 572 million known bad or compromised passwords.

National Institute of Standards and Technology (NIST) Password Guidelines

“…it is recommended that passwords chosen by users be compared against a ‘black list’ of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose.”

NIST Special Publication 800-63B

Any of Your Passwords on a Breached List?

It is hard to know whether your organization’s credentials are at risk if you don’t check! With over 17 million new entries, you not only want to check current passwords but also use the HIBP database to prevent any of the 572 million compromised passwords from being used today or at any time in the future.

Same Old, Same Old?

While some password favorites are seen repeatedly…

  • “123456” has been seen 23+ million times, and I’m amazed at how many still try to use it
  • “p@ssw0rd” and “P@ssw0rd” have been used over 53 thousand times respectively

…but perhaps more important are the ones that are seen less frequently…

  • 90% (515 Million) of passwords have been seen 6 or fewer times
  • 95% (544 Million) of passwords have been seen 11 or fewer times
  • 99% (566 Million) of passwords have been seen 40 or fewer times

It’s easy enough to write rules to detect or exclude the 4.6 million most common passwords, those seen more than 50 times. The remaining, rarely seen unique passwords comprise over 99% of the database, and they are excellent for offline attacks. 34% of respondents said they share passwords or accounts with their coworkers [2]. 62% reuse the same password for work and personal accounts [3]. This means a breach at Gmail, LinkedIn, Sony, Home Depot, etc. can expose your users’ corporate passwords, and even more so if the passwords are shared.
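To make the check described in the two sections above concrete, here is an added example (not Stealthbits’ or HIBP’s own code) of the k-anonymity range lookup the Pwned Passwords API uses: only the first five characters of the SHA-1 hash leave the client, and the 35-character suffix is matched locally against the returned “suffix:count” lines. The range responses here are a constructed offline sample standing in for the API; the two real counts come from this page’s appendix table, and the filler suffixes are made up. The same matching logic applies to the NTLM-format download used for Active Directory checks.

```python
import hashlib

# Constructed sample of Pwned Passwords "range" responses, keyed by the 5-char
# SHA-1 prefix. Each line has the API's format "<35-hex-char suffix>:<count>".
# The two named entries carry the counts from this page's table; the other
# suffixes are made-up filler so the parser has more than one line to scan.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3759315",   # SHA-1 suffix of "password"
        "0" * 34 + "A:2",                                   # constructed filler
        "0" * 34 + "B:1",                                   # constructed filler
    ]),
    "7C4A8": "\r\n".join([
        "D09CA3762AF61E59520943DC26494F8941B:23597311",  # SHA-1 suffix of "123456"
        "0" * 34 + "C:5",                                   # constructed filler
    ]),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords SHA-1 list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Only the 5-character prefix would be sent over the network; the full hash
    never leaves this process. Unknown prefixes return an empty body here.
    """
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str) -> int:
    """Return how often the password appears in the corpus (0 if absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, max_seen: int = 0) -> bool:
    """Policy decision: with max_seen=0, any corpus hit is rejected."""
    return pwned_count(password) <= max_seen
```

Note the `max_seen` threshold: the default of 0 rejects any corpus entry, which is the point of the statistics above, since a cut-off of 50 would wave through the rarely seen passwords that make up over 99% of the database.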

Stealthbits Can Help

Both StealthINTERCEPT and StealthAUDIT can leverage the “Have I Been Pwned” (HIBP) breach dictionary. StealthAUDIT inspects the current set of AD passwords to see if any compromised ones are in use. Then StealthINTERCEPT prevents any new compromised passwords from being used in the first place. Passwords are still the first line of defense against cyber-attacks, so it’s important to ensure your users are employing good ones.

In addition to checking passwords against a breach dictionary, Stealthbits can also:

  • Educate users why their password choice fails and how to fix it
  • Test new password policies to identify problems before production rollout
  • Detect password reuse within the organization
  • Control character substitutions because attackers can just as easily replace letters with symbols
  • Highlight settings that impact credential security
  • Integrate and share with other security systems (e.g. SIEM)

Next Steps

  • StealthINTERCEPT Enterprise Password Enforcer Webpage
  • StealthINTERCEPT Enterprise Password Enforcer Datasheet
  • Request a Demo or Trial of StealthINTERCEPT or StealthAUDIT

[1] https://backendnews.net/2019/09/26/survey-80-of-breaches-caused-by-privileged-credential-abuse/
[2] https://www.surveymonkey.com/curiosity/why-people-share-passwords-with-coworkers/
[3] https://www.darkreading.com/informationweek-home/password-reuse-abounds-new-survey-shows/d/d-id/1331689


Appendix

For fun, let’s take a look at the most popular passwords and how often they are used. Do your users leverage any of these?

Clear Text Password | NTLM Hash                        | Number of Occurrences
123456              | 32ED87BDB5FDC5E9CBA88547376818D4 | 23,597,311
123456789           | C22B315C040AE6E0EFEE3518D830362B | 7,870,694
qwerty              | 2D20D252A479F485CDF5E171D93985BF | 3,946,737
password            | 8846F7EAEE8FB117AD06BDD830B7586C | 3,759,315
111111              | 2D7F1A5A61D3A96FB5159B5EEF17ADC6 | 3,124,368
12345678            | 259745CB123A52AA2E693AAACCA2DB52 | 2,944,615
abc123              | F9E37E83B83C47A93C2F09F66408631B | 2,877,689
1234567             | 328727B81CA05805A68EF26ACB252039 | 2,516,606
password1           | 5835048CE94AD0564E29A924A03510EF | 2,418,984
12345               | 7A21990FCD3D759941E45C490F143D5F | 2,389,787
1234567890          | 8AF326AA4850225B75C592D4CE19CCF5 | 2,264,884
123123              | 579110C49145015C47ECD267657D3174 | 2,238,694
000000              | 3FA45A060BD2693AE4C05B601D05CA0C | 1,959,780
iloveyou            | B963C57010F218EDC2CC3C229B5E4D0F | 1,645,337
1234                | 7CE21F17C0AEE7FB9CEBA532D0546AD6 | 1,296,186
1q2w3e4r5t          | 3E24DCEAD23468CE597D6883C576F657 | 1,199,289
qwertyuiop          | 0D757AD173D2FC249CE19364FD64C8EC | 1,108,463
123                 | 3DBDE697D71690A769204BEB12283678 | 1,042,952
monkey              | F2477A144DFF4F216AB81F2AC3E3207D | 992,381
dragon              | F7EB9C06FAFAA23C4BCF22BA6781C1E2 | 984,209
