Skip to main content

Back to Blog

Password Blacklists: Do They Provide Enough Protection?

A recent InfoSecurity Magazine article on password security posed a critical question, “A password blacklist should contain all of the passwords that a hacker will use to gain access to a system, but how many is the right number?”

The answer is impossible to quantify as numerous breaches occur on a daily basis and newly compromised credentials are posted to the Dark Web with similar frequency.

To illustrate the problem, one company we spoke with discovered that 4% of its uncompromised credentials became compromised within one month—and this happened month over month.

Why can static blacklists be less useful than you realize:

  • Some organizations download static blacklists that are only updated with new threat intelligence sporadically – some only a handful of times each year.
  • Additionally, some of the sources of those static password blacklists are operated by one-person organizations and many organizations need a source that is more dependable.
  • This type of static blacklist will include common passwords, but they don’t typically include cracking dictionaries which full dictionary word lists and the actual patterns used by hackers.
  • The isolated use of a static blacklist would fail to include context-specific passwords like your company name or product name with all the permutations and character substitutions considered by hackers.
  • These lists do not account for fuzzy-password matching, leet-speak variations, and do not compare new passwords to your previous passwords (aka similar passwords.)
  • Because these lists are not comprehensive, they may miss regionally popular passwords in favor of globally popular passwords.
  • And because these lists often have to be manually downloaded to access the new information, updates are often overlooked. This leaves a very large attack window open to bad actors.

Employees often unknowingly utilize compromised credentials and every day brings new leaks and exposures it’s clear that static blacklists are no match for today’s heightened threat landscape.

With this in mind, password blacklisting is a good start, but it is only a partial solution for securing passwords.

Why a Continuously Refreshed Database is Crucial to Password Screening

Enzoic offers organizations another approach. Our solutions check password security in real-time against our proprietary live database of billions of exposed username and password credentials. Offered as an Active Directory plugin, our technology ensures sensitive data is protected without introducing unnecessary friction into the user experience, with continuous password checking.

Of course, it’s not enough to simply screen passwords at their creation. As the statistic above underscores, it’s highly likely that a previously secure password could become compromised down the road. As such, Enzoic checks passwords on a daily basis to ensure their security and to alert companies to take action in the event of exposure. As a result of these capabilities, Enzoic is an exposed password screening solution that can meet NIST 800-63b requirements for real-time screening at set-up and continuous monitoring for new vulnerabilities.

Screening passwords against a blacklist is a critical step in ensuring enterprise security. But to truly be effective, it’s essential that companies move beyond static lists and check passwords daily against a live continuously updated database. Cybercriminals will never rest in their attempts to infiltrate sensitive accounts, and your password screening solution shouldn’t either.

The only way to truly protect passwords—and the sensitive data to which they enable access—is by screening passwords against a database of exposed passwords that is updated daily.


Read more: