So we set out to make a Password Blacklisting service that was “obviously secure.”  A password screening service that had no possibly of ever knowing the password choices involved.  Or the username associated with the password.  Or even the customer sending the query.  A service where customers did not have to extend any trust or sacrifice any security to use the service.  This is what we built at Password RBL.  But the industry came up with a concise way to describe such a service:  “zero-trust.”

For additional details, follow this link to read about how Password RBL’s architecture truly is zero-trust.

TL;DR: Password RBL was “zero-trust” before it was cool.

The post Zero-Trust Before It Was Cool appeared first on Password RBL.

Password RBL Unaffected by Log4j Vulnerability

Password RBL is not impacted by this log4j vulnerability because Password RBL does not utilize this library in any systems.

This should not be surprising, since Password RBL has a zero-logging policy.  Thus, Password RBL has no need for a code library that provides advanced logging services.  But it is important for subscribers to know that Password RBL is unaffected by this recent vulnerability and continues to be a secure and easy way to prevent bad passwords before they happen.

Update on Additional Vulnerabilities

Since the original positing of this statement, additional vulnerabilities in the log4j library have been disclosed.  Password RBL remains unaffected by these additional vulnerabilities as well, since Password RBL does not utilize the log4j library at all.

Not a customer?

If you are not yet a customer of Password RBL but are interested in better passwords for your organization, then follow this link to learn more and read about why our zero-trust solution for better passwords really is secure.  Our solutions are easy to use and subscription costs are very reasonable.  Subscribe today!

The post Password RBL Statement on Log4j Vulnerability appeared first on Password RBL.

MFA

As we know, Multi-Factor Authentication (MFA) is a great way to combat potential account takeovers or just general bad password hygiene.  Even when MFA is used, Password Blacklisting still makes sense.  But if MFA is not in use, then Password Blacklisting is an absolute must!   Unfortunately, the report found that 52% of people have never heard of MFA.  This makes enforcing strong passwords even more important.  But why is this?  Well, 64% say they have no access to MFA, and another 10% say they do have access MFA, but choose not to use it.

Responsibility

Additionally, the data indicates a significant proportion of people simply do not see themselves as responsible for looking after their workplace’s sensitive information.  Over a third (40%) of the full-time and part-time employees participating in this report considered themselves to be the least responsible agency for their organization’s cybersecurity.  That means that nearly half of your employees don’t think it’s their responsibility to choose a strong password!  This statistic is alarming and makes the case for all businesses to deploy Password Blacklisting in order to prevent users from choosing poor passwords.

Passwords

Speaking of passwords, the report also discovered some alarming, but simultaneously not surprising, statistics on real-life password behaviors.  Only 43% of participants reported creating long and unique passwords for their online accounts “very often” or “always”. However, almost a third (28%) stated that they didn’t do so.  A third of real-life users are knowingly choosing weak passwords!  That’s a big number!

But about the more middle-of-the-road, average password behavior.  It’s still not great.  A majority (58%) of the respondents say they only “sometimes” (30%), “rarely” (18%), or “never” (10%) create long (12 character) and unique passwords.  This is probably because use of a stand-alone password manager application, which would create these long unique passwords, was uncommon, with almost half (49%) of the participants noting they ‘never’ or ‘rarely’ used one.

Not Great.  But What To Do?

The full Cybersecurity Attitudes and Behaviors report (available here) contains lots more information and statistics.  But even with just the few takeaways mentioned above, it’s clear that more work needs to be done.  Deployment of Multi-Factor Authentication would absolutely help, but by 2021, the reason MFA isn’t completely pervasive is because of many real-life problems, including end-user adoption woes, cost to the business, supportability, and definitely incomplete deployments since businesses commonly support legacy systems which have no concept of MFA – or anything other than usernames and passwords, really.

Enter Password Blacklisting – the incredibly affordable and easy to use solution to the bad password problem.  Password RBL has drop-in support for Microsoft Active Directory (and anything linked to AD) and a dead-simple API that can be incorporated into basically anything else.  The return on investment (ROI) of a subscription to Password RBL makes deployment an easy choice – for IT and decision makers.  See our solutions in action and request a free quote today!

The post Cybersecurity Attitudes and Behaviors Report appeared first on Password RBL.

Pipeline Problems

In May 2021, a password-based hack of Colonial Pipeline Co. took down the largest fuel pipeline in the U.S. which led to fuel shortages all across the East Coast.  It was a single compromised password that allowed the attackers to completely shutdown the company and cause devastating downstream affects, including a run on fuel, higher fuel prices, but also a data breach of customer information as well.  If the company had just implemented Password Blacklisting, the poor password choice would have been caught and prevented from use in the first place.  No MFA required.

Supply Chain Problems

Of course we all remember the Solarwinds hack from late 2020.  Again, a single compromised password, “solarwinds123”, was found in data breach data from 2019.  The company’s poor password hygiene allowed a user to choose such a terribly crafted password.  And it doesn’t matter if it was an intern, manager or leader.  A single compromised account spells disaster.  And in the case of Solarwinds, it was not only disasters for Solarwinds, but all of their downstream customers, too.  Once in the Solarwinds network, the attackers were able to change the code of their product, granting access to any Solarwinds customer who installed the latest version – and there were some big customers hit by this, including numerous departments of the US Government and many Fortune 500 companies.

A Simple Solution

The easiest and most cost effective way to combat these types of attacks is to deploy Password Blacklisting.  It’s incredibly easy to do – much easier than deploying MFA.  There isn’t even a requirement to change end-user behavior or provide training.  A subscription to Password RBL is incredibly inexpensive and easy to deploy, adding another layer to your companies security stack.  Check out our solutions and request a quote today!

The post Password Attacks Continue to Cause Major Problems appeared first on Password RBL.

Reason 1 – Exceptions

First off, it is very common that when MFA gets implemented, there will be exceptions for systems/services that just do not (yet) support MFA.  Each of these applications/services are holes in your organization’s security and attackers will find them.  Most MFA rollouts have at least one of these apps/services that still rely on classic username and password authentication.  As many organizations found out the hard way in the summer of 2020, MFA is great, but if your company VPN solution doesn’t use/support it, then very bad things can happen.  Attackers can log into the company VPN, impersonating a real company user.  Once attackers have direct access to the interior of company networks, it is as if the bad guys are freely roaming the isles of the company datacenter.  Nothing good becomes of that!

Reason 2 – MFA Bypass

Another great reason to keep password blacklisting around is that as the prevalence of MFA deployments increases, attackers are changing their ways and are figuring out how to bypass MFA altogether.  There have been numerous high-profile MFA-bypasses in the past year.  A quick google search shows reports on many of them.  But the most disastrous MFA bypass has to be the Solarwinds supply-chain attack announced in late 2020.   In order for the attackers to gain access to the source-code of Solarwinds’ popular Orion platform, they first had to bypass the MFA that Solarwinds had deployed.  Spoiler alert, the attackers were able to bypass Duo MFA and injected malicious code into the Solarwinds source.   The Cybersecurity and Infrastructure Security Agency (CISA) in the US issued an advisory about attackers combining numerous different attack methods, but notably, MFA bypasses.

The Bottom Line

The answer is clear: you should deploy both Password Blacklisting and Multifactor Authentication.  MFA deployments can stress the budget, but whereas the cost for a Password RBL subscription is quite reasonable.  If you do not have the budget for MFA, then Password RBL blacklisting is a perfect first step – providing an effective addition to your security makeup and fantastic ROI.  And if you do already have MFA deployed (or the budget to do so), then you can inexpensively add Password RBL blacklisting for a fraction of the total cost.  Either way, Password RBL is for you!  Check out our Packages for Small & Medium Business or request a free quote if your organization is larger.

The post Got MFA? Good. But You Still Need Password Blacklisting appeared first on Password RBL.

The attack is quite simple.  A regular end-user has a bad password.  Attackers can figure this out in the typical manner – a password spray or credential stuffing attack.  Once they know the credentials for a user account, the attackers perform a scan of the companies public infrastructure to find the VPN device.  They log into the VPN with the compromised credentials and now have direct network connectivity. The attacker uses this recent Netlogon vulnerability to gain SYSTEM level permissions on the domain controller which means that can basically do anything they want after that, because they can create a new Domain Administrator account.

And now with a Domain Administrator account in hand, the attacker can trigger a very thorough crypto-malware attack across the entire organization.  Ransomware with the reduced privileges of a normal end-user account is bad enough.  But ransomware from a Domain Administrator can be debilitating.  Not only can it encrypt important company data, but also system files which can bring down every Windows systems.  Most companies have good backups of servers.  But most companies do not back up workstations.  It could take weeks or months to rebuild or replace all the workstations.

Obviously, organizations need to follow Microsoft’s guidance on patching this vulnerability as soon as possible.  But there has been similar vulnerabilities before, and there will surely be similar ones in the future.  So, organizations should also deploy Password Firewall for Windows to prevent the use of bad passwords that lead to account takeover and much, much worse.

The post Bad Password + Zerologon = Ransomware appeared first on Password RBL.

Basic Findings

Out of the 1 billion credentials analyzed, there were only 168.9 million unique passwords in the list.  This means there is a startling amount of password reuse – bad password reuse.  Password RBL specifically blocks these poor and reused passwords.  This prevents Account Takeover Events by preventing users from, knowingly or inadvertently, choosing the passwords that hackers already know and use in password-based attacks.

The most popular password was “123456” – a truly horrible password choice, as this password (or similar ascending numerical variants) has been in the top 10 worst password choices for years now.  In fact, it was so popular that it was 1 out of ever 142 passwords in this dataset!  This password has been blocked by Password RBL since the very beginning of our service.

Password Complexity

Of all the unique passwords in the list, 28.79% were comprised of letters only with 26.16% using lowercase letters only.  Sadly, 13.37% of the passwords used only numbers, which is terrible since there are only 10 characters in the numeric alphabet, making brute-force of numeric-only passwords far easier.  And finally, only 2.04% of the passwords used special characters.

Password Firewall for Windows, specifically addresses password complexity with the Minimum Character Sets Required option.  This allows administrators to choose how many character sets must be present in password choices.  It doesn’t require a specific number of characters from each character set, because it’s only important that the passwords have at least one character from the specified number of sets.

Interestingly, 34.41% of the passwords analyzed ended in a numeric digit (but only 4.52% began with a digit).  This is exactly why Password Firewall has the Password DoubleCheck feature.  It will drop any digits at the end of a password choice and then re-query the Password RBL database with the resulting (truncated) password to see if the end-user has chosen a bad password, but simply added a digit to the end.

Password Reuse

There is plenty more evidence of the bad password reuse happening.  Unique passwords, that are found only once in the dataset, make up only 8.83% of the dataset.  The top 1,000 most common unique passwords from made up 6.61% of all passwords in the dataset.  The top 1 million most common passwords comprised 36.28% of the dataset.  And the top 10 million most common passwords made up 54.00% of the entire dataset.  So an attacker cracking a password database (that did not use password blacklisting) with a wordlist of only the 10 million most common passwords, has a better than 50/50 chance at cracking each password.  This is why password blacklisting is so necessary.

There is diminishing returns in brute-forcing with a larger datasets.  Brute forcing attackers obviously don’t need to.  But, we go even farther at Password RBL.  Our highly curated database currently has over 75 million of the most commonly used bad passwords and is growing every year.  Additionally, we provide a conduit for our customers to simultaneously query the Pwned Passwords database as well.  There is a large overlap in our databases, especially at the top end of the most commonly used bad passwords.  But it is a fairly safe assumption to say that this provides protection from over 500 million bad password combinations, which is more than the total number of unique passwords from this latest analysis.

Conclusion

This analysis confirmed alot of what Password RBL has known for a long time.  People reuse passwords, alot!  And the passwords they are reusing are common and well-known at this time.  These are the passwords you do not want your users or customers using on your network or app/service.

Password RBL provides an easy way to block these bad passwords as well as any custom passwords you want banned, too.  We even provide statistics so you can know if your users are getting better at choosing passwords.  And best of all, subscriptions are inexpensive so organizations of any a size can afford this effective base-layer of security.

The post A Billion Passwords Analyzed; Password Firewall Protects You appeared first on Password RBL.

Password spraying is when attackers simply guess the passwords of known accounts using a list of common passwords.  It is a crude, brute-force method, but can be incredibly effective when the target businesses don’t employ the necessary defenses.

The worst part of a password-based attack is when it is successful.  It is possible to detect while the attack is happening (for example, there more authentications per time period than expected), but it is nearly impossible to detect when an attacker successfully logs into a target account.  This is because that login event “looks” just as legitimate as the actual account owner using the same credentials to log into the same account.  In fact, Citrix did not even realize hackers were actively breaching their network.  The FBI contacted Citrix in March, 2019 to inform them that they believed the cyber-criminals had gained access to Citrix’s internal network.

Because these unauthorized logins do not raise any alarms, the Citrix attackers were able to continue logging into the victim accounts and root around the inside of Citrix’s corporate network for five months!  They have plenty of time to discover the interior systems and data layout and thus, were able to make off with a swath of proprietary data, social security numbers and other personal identity data, as well as payment card information.

To prevent such an attack, all Citrix needed to do, was employ Password Blacklisting.  Yes, Multi-Factor Authentication (MFA) is an effective defense against password-based attacks, too, but there are commonly many reasons MFA doesn’t get deployed [everywhere] including, cost, complexity, incompatibility, end-user training, and more.  But Password Blacklisting is simple, affordable, best yet, incredibly effective.

Password RBL has solutions for all size customers, are super-easy to deploy and use, and provide the power of 3 password blacklists.  Get started today – costs are typically just a few dollars per user per YEAR (yes, per Year, not per month).

The post Password-based Hack of Citrix appeared first on Password RBL.