Simply put, a password deny list is a list of passwords that your users are prevented from using when they set their password.
According to CyberNews, the top 10 most commonly used passwords are (drum roll, please):
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
When I saw this list, my jaw dropped. I am amazed that it is 2021, and users keep using these predictable passwords. Everyone seems so afraid of getting their digital identity stolen, yet they don’t even bother to ensure that their passwords are hard to guess. A password deny list would include these commonly used passwords to prevent users from utilizing them.
Bad actors out there know of this list. They love it when users use these passwords. Simple, easy-to-guess passwords can make their job painless. In fact, there are two types of attacks that count on users using these incredibly simple passwords: dictionary attacks and password spraying.
Dictionary Attacks
Dictionary attacks run through a list of well-known passwords or phrases in an attempt to find a match to get into a user’s account. The list was once based on words in the dictionary, thus it is called a dictionary attack, but today the attacker is more likely to use a list of commonly used passwords such as the top 10 listed above. There is even software available to mix and match common combinations such as a birth year and someone’s name. CyberNews found that 1987 and 2010 are the most common years used in passwords and Eva and Alex are the most common names.
Password Spray Attacks
Dictionary attacks are often automated and try many passwords against the same user account. By setting limits on how many times a login attempt can be made these types of attacks are often blocked to a certain extent. Password spraying, however, is a bit of a simpler approach. The bad actor tries just a few known passwords at a time against any given account, thus avoiding login attempt lockout settings. This type of approach can be done by someone who isn’t even technical because they can manually try a few common passwords at a time and move on to another account.
Best Protection Plan
Adding in a password deny list can provide additional security by preventing the attackers from getting past a simple password login flow in the first place. OneLogin’s Password Deny List, introduced in our Summer 2019 quarterly release, provides partial matches so you can include the word “password” and it will catch variations such as “password123” or years such as “2010” and it will catch any passwords that include “2010.”
Keeping your password deny list as up to date as possible with the passwords identified in the CyberNews study is a great place to start. This could be thousands of passwords that you would need to ensure are entered and kept up to date. In fact, UK’s National Cyber Security Centre (NCSC) recommended blocking up to 100,000 of the most commonly used passwords to a password deny list. An easier option would be to enable a feature like OneLogin’s Compromised Credential check which is part of OneLogin’s SmartFactor add on. This is basically a dynamic password deny list. When you enable this feature all passwords that users provide are checked against a list of known compromised passwords, passwords that have been captured when bad actors steal credentials from other systems. This list is kept up to date and maintained by OneLogin. Whether you choose to implement and maintain your own password deny list or look to OneLogin to maintain it for you, it is imperative that you prevent your users from using any of these simple, easy to guess passwords.