With breaches and cyber-attacks increasing every year, a constant stream of compromised passwords finds its way to the dark web for purchase and use. This should NOT be a surprise: 80% of breaches involved stolen or misused credentials [1]. And this makes sense. Why use advanced attack techniques when stealing credentials and assuming user identities is easier, less detectable, and still works?
Stealthbits leverages the “Have I Been Pwned” breach password dictionary within StealthAUDIT and StealthINTERCEPT Enterprise Password Enforcer to detect, and proactively block, the use of over 500 million known-compromised passwords inside our customers’ Active Directory environments. As of Friday, June 19th, Troy Hunt, the dictionary’s creator and curator, added 17.3 million more bad passwords to the list, bringing the total to 572 million known bad or compromised passwords.
National Institute of Standards and Technology (NIST) Password Guidelines
“…it is recommended that passwords chosen by users be compared against a ‘black list’ of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose.” (NIST Special Publication 800-63B)
Any of Your Passwords on a Breached List?
It is hard to know whether your organization’s credentials are at risk if you don’t check! With over 17 million new entries, you want not only to check current passwords but also to use the HIBP database to prevent any of the 572 million compromised passwords from being used today or at any time in the future.
Same Old, Same Old?
While some password favorites are seen repeatedly…
- “123456” has been seen 23+ million times, and I’m amazed at how many still try and use it
- “p@ssw0rd” & “P@ssw0rd” have each been used over 53 thousand times, respectively
…maybe more importantly are the ones that are seen less frequently…
- 90% (515 Million) of passwords have been seen 6 or fewer times
- 95% (544 Million) of passwords have been seen 11 or fewer times
- 99% (566 Million) of passwords have been seen 40 or fewer times
It’s easy enough to write rules to detect or exclude the most common 4.6 million passwords, those seen more than 50 times. But the rarely seen, near-unique passwords make up over 99% of the database, and they are excellent material for offline attacks. 34% of respondents said they share passwords or accounts with their coworkers [2]. 62% reuse the same password for work and personal accounts [3]. This means a breach at Gmail, LinkedIn, Sony, Home Depot, etc. can expose your users’ corporate passwords, and even more so when those passwords are shared.
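The blocklist check that NIST recommends and that the statistics above are about can be demonstrated with the public Pwned Passwords range lookup: hash the candidate password with SHA-1, send only the first 5 hex characters, and compare the returned `SUFFIX:COUNT` lines locally, so the password itself never leaves the host. The following is an added example written for this article, not code from the original post or from Stealthbits’ products. It assumes the range API’s response format (uppercase hex suffixes, one `SUFFIX:COUNT` per line, and count 0 for padding entries) and replaces the network call with a constructed in-memory corpus whose passwords and counts are made up; the function `fraction_missed_by_threshold` is a hypothetical helper that illustrates why a “seen more than 50 times” rule leaves most of the corpus unblocked.

```python
import hashlib
from collections import defaultdict

# Constructed sample breach corpus (password -> times seen). Counts are invented
# for the example; the real Pwned Passwords list has hundreds of millions of entries.
CONSTRUCTED_BREACH_COUNTS = {
    "123456": 23_000_000,
    "p@ssw0rd": 53_000,
    "Summer2020!": 7,
    "correct horse battery staple": 1,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(counts: dict) -> dict:
    """Group the corpus by 5-character hash prefix, as the range API serves it."""
    index = defaultdict(list)
    for password, seen in counts.items():
        digest = sha1_hex(password)
        index[digest[:5]].append((digest[5:], seen))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_COUNTS)


def fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.

    Returns the same text shape the real API does: one "SUFFIX:COUNT" line per
    known hash sharing the prefix. Only the 5-character prefix is ever sent.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 hex characters")
    return "\n".join(f"{suffix}:{seen}" for suffix, seen in sorted(RANGE_INDEX.get(prefix, [])))


def parse_range(body: str) -> dict:
    """Parse "SUFFIX:COUNT" lines into {suffix: count}.

    Entries with count 0 are padding the API can add (Add-Padding header) so that
    response sizes do not reveal the prefix; they are not real breach hits.
    """
    hits = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        count = int(count)
        if count > 0:
            hits[suffix.upper()] = count
    return hits


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


def password_acceptable(password: str, max_seen: int = 0) -> bool:
    """NIST-style blocklist decision.

    max_seen=0 rejects any password present in the corpus. Raising it to, say, 50
    would only catch the few million most common passwords.
    """
    return pwned_count(password) <= max_seen


def fraction_missed_by_threshold(counts: dict, threshold: int) -> float:
    """Share of corpus entries a 'seen more than threshold times' rule would NOT block."""
    if not counts:
        return 0.0
    missed = sum(1 for seen in counts.values() if seen <= threshold)
    return missed / len(counts)


if __name__ == "__main__":
    for candidate in ("123456", "Summer2020!", "a-passphrase-not-in-the-corpus"):
        print(candidate, pwned_count(candidate), password_acceptable(candidate))
    print("missed by >50 rule:", fraction_missed_by_threshold(CONSTRUCTED_BREACH_COUNTS, 50))
```

In a real deployment `fetch_range` would be replaced by an HTTPS call with a timeout and a cached copy of the downloaded list, and a lookup failure should be treated as “unknown” rather than silently accepted; the hashing and comparison logic stays exactly as shown.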
Stealthbits Can Help
Both StealthINTERCEPT and StealthAUDIT can leverage the “Have I Been Pwned” (HIBP) breach dictionary. StealthAUDIT inspects the current set of AD passwords to see whether any compromised ones are in use. StealthINTERCEPT then prevents any new compromised passwords from being set at all. Passwords are still the first line of defense against cyber-attacks, so it’s important to ensure your users are employing good ones.
In addition to checking passwords against a breach dictionary, Stealthbits can also:
- Educate users why their password choice fails and how to fix it
- Test new password policies to identify problems before production rollout
- Detect password reuse within the organization
- Control character substitutions because attackers can just as easily replace letters with symbols
- Highlight settings that impact credential security
- Integrate and share with other security systems (e.g. SIEM)
- StealthINTERCEPT Enterprise Password Enforcer Webpage
- StealthINTERCEPT Enterprise Password Enforcer Datasheet
- Request a Demo or Trial of StealthINTERCEPT or StealthAUDIT
For fun, let’s take a look at the most popular passwords and how often they are used. Do your users leverage any of these?
| Clear Text Password | Hash | Number of Occurrences |
| --- | --- | --- |
Damon is the Director of Product Marketing at STEALTHbits responsible for Active Directory and Privileged Access Management solutions. He has over 20 years of experience addressing marketing challenges of all kinds for many notable, B2B software companies, including Red Hat, Quest Software, Sterling Commerce, and most recently SecureAuth. Damon has a passion for cybersecurity software and improving the defenses of organizations against cyber-attacks. Damon resides in Columbus, Ohio.