Troy Hunt, the founder of Have I Been Pwned, came out with some brand new numbers that show there's bad news and there's more bad news.
A few months ago he launched V2 of his Pwned Passwords list (half a billion of them), and the idea is to use them as a blacklist, as per the recent NIST guidance (SP 800-63B):
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don't let your customers (or users) use that password!
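The check described above, as an added example that is not code from Troy Hunt, Have I Been Pwned or KnowBe4: a password vetted at "establish and change" time is hashed with SHA-1, only the first 5 hex characters of the hash are sent to the Pwned Passwords range endpoint, and the response (one `SUFFIX:COUNT` line per hash sharing that prefix) is scanned locally for the remaining 35 characters, so the full hash never leaves the client. The `FAKE_RANGES` table and its counts are constructed so the example runs offline; `fetch_range_http` is a hypothetical helper showing how the same function would be wired to the real service.

```python
import hashlib
import urllib.request
from typing import Callable, Optional

# Constructed stand-in for the Pwned Passwords range API. The real service
# (https://api.pwnedpasswords.com/range/<first-5-hex-of-SHA1>) returns one
# "SUFFIX:COUNT" line per hash that shares the prefix. The suffixes and counts
# below are made up for this example, except that the first entry is the genuine
# SHA-1 suffix of the string "password" (5BAA61E4...8FD8), so the demo matches it.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"   # "password" (count invented)
        "0123456789ABCDEF0123456789ABCDEF012:2\n"         # unrelated constructed entry
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_fake(prefix: str) -> str:
    """Offline lookup against the constructed table (empty body = no matches)."""
    return FAKE_RANGES.get(prefix, "")


def fetch_range_http(prefix: str) -> str:
    """Hypothetical live fetcher (not used by the tests; requires network access)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in known breaches (0 = not found).

    Only the 5-character prefix is sent out; the 35-character suffix is compared
    locally, which is the k-anonymity property of the API.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def vet_new_password(password: str,
                     fetch_range: Callable[[str], str] = fetch_range_fake,
                     min_length: int = 8) -> Optional[str]:
    """Verifier-side check for a new or changed memorized secret.

    Returns None when the password is acceptable, otherwise a rejection reason.
    The breach list replaces composition rules; only a length floor is kept.
    """
    if len(password) < min_length:
        return f"must be at least {min_length} characters"
    hits = pwned_count(password, fetch_range)
    if hits:
        return f"appeared in {hits} known breaches; choose a different password"
    return None


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        verdict = vet_new_password(candidate)
        print(f"{candidate!r}: {'OK' if verdict is None else 'REJECTED (' + verdict + ')'}")
```

To go live, pass `fetch_range_http` as `fetch_range`; the comparison logic does not change, and the client still never transmits more than five hex characters of the hash.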
But he always wondered - what sort of percentage of passwords would this actually block? I mean if you had 1 million people in your system, is it a quarter of them using previously breached passwords? A half? More?
And then he got his hands on a new 6.8m-record data breach from a site called CashCrate and he could do the math:
86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.
He concludes that traditional password complexity rules are awful and they "must die a fiery death", also because bad guys are more and more into credential stuffing, where they grab huge stashes of username and password pairs from other data breaches and see which ones work on totally unrelated sites.
Employees Reuse Them All The Time
Despite heightened awareness of the security implications many users still continue to reuse passwords and rarely if ever change them, a LogMeIn survey shows.
A new survey by LastPass by LogMeIn of some 2,000 individuals in the United States, Australia, France, Germany, and the UK has revealed what can only be described as broad apathy among a majority of users on the issue of password use.
Though 91% of the respondents profess to understand the risks of using the same passwords across multiple accounts, 59% said they did so anyway. For 61%, it is the fear of forgetfulness that was the primary reason for password reuse. Fifty percent say they reuse passwords across multiple accounts because they want to know and be in control of their passwords all the time. More at DarkReading about this new study.
Only 55% Of Users Would Change Passwords If They Were Hacked
LastPass research revealed that password behaviors remain largely unchanged from earlier studies two years ago, and many remain in denial that their accounts are even at risk. Even scarier? These habits (or lack thereof) and beliefs are the same whether used for personal or work accounts. More at TechRepublic.
KnowBe4 has just released a brand new training module called Creating Strong Passwords in 20 languages; here is the list, and you can see all of these for yourself when you go and browse the ModStore (more below).
The world's largest library of security awareness training content is now just a click away!
In your fight against phishing and ransomware you can now deploy the best-in-class phishing platform combined with the world's largest library of security awareness training content; including 500+ interactive modules, videos, games, posters and newsletters.
Want to see all our great security awareness training content?
It’s easy! You can now get access to our new ModStore Preview Portal to see our full library of security awareness content; you can browse, search by title, category, language or content topics.
The ModStore Preview Includes:
40 e-learning modules
25 micro-modules
16 compliance modules
83 3-5 min videos
26 interactive security-trivia games
265 pieces of artwork & newsletters
Preview the ModStore Now!
(you'll be pleasantly surprised)