The National Cyber Security Centre (NCSC) and HaveIBeenPwned have jointly released a list of the top 100,000 passwords out of a list of 551 million passwords found in breached data sets. That is, out of the 551 million+ passwords that have been found in breached data sets, these are the 100,000 most frequently encountered. These are the 100,000 worst passwords you could possibly use.
551 million passwords. That's a staggering number. What's even more staggering is that the most popular password is 123456. Really? In 2019, the most frequently used password is still 123456? What's wrong with people? Here are the top ten most frequently used passwords:
There is no excuse for using passwords like this. At all. To use passwords such as these means the user is lazy. Lazy users cut security corners because it is easier than doing it properly. Do you want your staff to cut corners or do you want them to take the security of your network seriously?
Lazy users will use the same password in many different systems because they can't be bothered to remember more than one password. That means if their password is breached on some other site - and 551 million breached passwords gives proof positive that this happens - then their password to your IT resources has also been breached.
Enforcing a password policy is not a difficult step. Enforcing complexity rules is simple. You don't have to allow your staff to put you at risk like this.
What makes passwords secure is using a passphrase of words separated by either numbers or punctuation. That increases the complexity to the point that password cracking programs cannot crack them in hundreds or thousands of years. A phrase like fifty.silent.moorhens is many orders of magnitude more secure than lazy passwords and passwords that substitute numbers for letters.
Letter substitution forces the password cracking software to increase the effective size of the alphabet that it uses, by including the digits from 0 to 9. That's all. It doesn't make it more difficult for the password to be cracked.
The software knows that sometimes a "4" is used for an "A", a "3" is used for an "E" and so on. It adds no extra security at all, while nimble.squid.broth would take forever to crack, is faster to type and easier to remember.
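The policy check described above (reject anything on the breached list, see through letter-for-digit substitutions, insist on a word-based passphrase) can be expressed as a small filter. This is an added example, not code from the NCSC, HaveIBeenPwned or the original post; the breached list here is a constructed six-entry stand-in for the real 100,000-line file, and the substitution table and three-word rule are assumptions for illustration.

```python
import re

# Constructed stand-in for the NCSC/HaveIBeenPwned top-100k file.
# In practice, load the real list (one password per line) from disk.
SAMPLE_BREACHED = """123456
password
qwerty
liverpool
chelsea
letmein
"""

# Substitutions a cracker's rule set already tries. Mapping them back shows
# that "p455w0rd" is just "password" with a bigger alphabet, not a new secret.
LEET_MAP = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def load_breached(text: str) -> frozenset:
    """Lower-cased set of breached passwords, one per line."""
    return frozenset(line.strip().lower()
                     for line in text.splitlines() if line.strip())


def normalise(password: str) -> str:
    """Strip trailing digits/punctuation, then undo the usual substitutions,
    so 'Ch3lsea!1' becomes 'chelsea' and 'p455w0rd' becomes 'password'."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET_MAP)


def check_password(password: str, breached: frozenset) -> tuple:
    """Return (accepted, reason). Rejects breached passwords, breached
    passwords in disguise, and anything that is not a passphrase of at least
    three words joined by digits or punctuation (assumed policy)."""
    lowered = password.lower()
    if lowered in breached:
        return False, "appears in the breached-password list"
    if normalise(password) in breached:
        return False, "is a breached password with letter substitutions"
    words = [w for w in re.split(r"[\d\W_]+", lowered) if w]
    if len(words) < 3:
        return False, "is not a passphrase of at least three words"
    return True, "ok"


if __name__ == "__main__":
    table = load_breached(SAMPLE_BREACHED)
    for candidate in ["123456", "Ch3lsea!1", "L3tm31n", "fifty.silent.moorhens"]:
        print(candidate, "->", check_password(candidate, table))
```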
And your staff will also be able to remember their passwords because there is no point in making them change their password frequently.
This is what Microsoft say about regularly changing passwords: "Periodic password expiration is an ancient and obsolete mitigation of very low value". It's the choice of password that matters.
Forcing lazy users to change their passwords every three months means they choose another lazy password. Whenever their account is attacked, in this three months or in the next three months, they'll still be using a lazy, easy password and making the cyber criminal’s life easier.
And the NCSC agree: don't change passwords regularly, it adds nothing to the security of the network.
You shouldn't base passwords on anything that someone might guess, know or be able to winkle out of you, like your favourite football team, favourite band, your children's names or the type of car you drive.
Out of interest I poked around in the bad password database and found these football teams, groups, names and car brands were present with these frequencies.
And if a Chelsea supporter arrives at your premises for an interview in a Ford, with Abba blaring out, and they have children called Thomas, Toni and Charlie, you probably don't want to employ them. Or employ them but keep them away from your network.