Skip to main content

Why Banning Just Passwords Isn’t Enough

Password blacklists are receiving considerable attention. It’s clear why: weak and compromised passwords are a factor in nearly all hacking-related cybersecurity breaches. Best practices from NIST require organizations to disallow the use of any common and compromised passwords. And several cyber security companies offer password blacklists for this purpose.

But authentication requires a username and password combination, so shouldn’t we screen against compromised username password pairs instead of just compromised passwords?

Username and Password Combinations Are the Target

The hacker’s ultimate objective is to discover a valid username and password combination. There are many password-guessing methods. They are more successful for hackers when people select easy-to-guess passwords. But hackers still need to figure out which password was chosen for a targeted username.

But when attackers can find passwords and usernames together, their work is already done for them. That makes an exposed username and password pair the most critical security vulnerability. If hackers can obtain full credentials, they don’t need to orchestrate a password guessing attack or bother cracking passwords. Instead, they can just log in. 

There are new full credential pairs leaked every day. So the likelihood that your employees’ exact credentials are compromised increases over time. Unfortunately, most people don’t have any way to know if their full credentials are already compromised. But hackers do know. A visit to the Dark Web illustrates what’s happening.

Hackers Are Not Limited to Password Lists

The Dark Web is understood as a source for password lists. Lists of common passwords designed for password spraying are traded, sold, and rated for effectiveness. In addition, large cracking dictionaries made to reverse hashed passwords back to clear text are up for sale.

While these types of password lists are regularly posted on the Dark Web, lists of full credentials are seen far more often. These are massive combo lists with username and password pairs compiled from many sources. But even more common are exposures of usernames and passwords attributable back to specific compromised servers and sites.

The critical point here is that hackers often aren’t starting with passwords. Instead, they start their attack with full username and password pairs. Given the number of data breaches every year, finding some username and password combinations for almost any target is easy.

Even if these credentials are from 3rd party sites, they can jeopardize your organization’s security today. This is because most people apply only slight variations or reuse the exact credentials on multiple accounts. As a result, hackers have a good chance of easily getting the password of at least some users in your organization, even if these users aren’t using a common password.

Banned Password May Not Be Enough

So why are we blacklisting only passwords? You could argue that a password blacklist can block any compromised username-password pair. That could be a valid point if every leaked password for each user is included. But most of the generally available password blacklists are far more limited. Most are designed only to prevent the use of the most frequently seen passwords.

An often-referenced source for banned passwords is Troy Hunt’s Pwned Passwords. It’s free but far from a comprehensive list. It provides a fraction of leaked passwords available from commercial services with dedicated professional threat researchers focused on the task. Without a more complete list, there is no chance of preventing a previously exposed username-password pair.

Some banned password services don’t even try to collect exposed passwords at all. For example, Microsoft offers a Global Banned Password List, but it is only generated from its own telemetry. That means Microsoft’s Azure Password Protection doesn’t attempt to collect passwords from 3rd party data breaches. This is another free service, so its scope is understandably very limited.

Banned password lists are still valuable. There is always a need to block the most common and easy-to-guess passwords. A limited list may be sufficient if your only concern is password spraying. This is a type of attack where a small list of common passwords is attempted for a large set of users. However, password spraying is only one of many credential attack methods. Attackers can do real damage when they can obtain full compromised credentials.

How To Protect Against Hackers Using Full Credentials

To prevent compromised credential attacks, organizations must know which username and password pairs are compromised and have methods to keep them out of their environment. 

There are three parts to this effort.

  • Organizations need to prevent the reuse of compromised username and password pairs. This is important even when the user has selected a unique password. This requires more than limited banned password lists. There needs to be a way to detect all compromised username and password pairs. There should be no justification for allowing a username and password pair that is exposed.
  • Processes are required to continuously monitor and detect when an existing username and password pairs become compromised. The list of the most popular common passwords does change eventually over time. But new exposures happen every day, meaning the database of unsafe username and password pairs changes rapidly. It’s insufficient to wait for a password expiration to re-check credentials against new data breaches.
  • Policies need to define the immediate actions taken when a username and password become compromised. Because it is a more critical vulnerability, a more aggressive response is recommended. NIST suggests not requiring passwords to be changed unless there is evidence of compromise, such as in this case. Finding a username and password pair that is compromised would warrant immediately resetting the password or even disabling the account.

Conclusion

There are many types of password attacks. Password guessing attacks are successful because most people make poor password choices. As NIST requires, organizations need policies that prevent the use of common, easy-to-guess, or previously compromised passwords. However, banned password lists are generally not designed to protect well-chosen username and password pairs. Adequate password protection needs to go beyond banned password lists and detect when the full username and password pair has become exposed.