The Weekly Hotwash: July 3, 2020


This Week’s New Commentary on Chronicles of a CISO:

Companies Rush to Implement Identity Systems for Remote Working: An interview I did recently with the Wall Street Journal for the Cybersecurity Pro newsletter around the need for an effective identity management solution to manage the rapid growth of the remote workforce.

Yet another ‘weak password’ study

This week brings us news of yet another study of how users tend to select weak, common, predictable passwords on a continual basis.

A student at Cyprus University, Ata Hakçıl, analyzed over 1 billion publicly available breached account/password combinations. Of these 1 billion data elements, there were only 169 million unique passwords and 393 million unique usernames. Yes – you read that right… over 83% of the records evaluated shared common passwords – across users.

In fact, there are quite a few ‘cool stats’ in Ata’s GitHub post:


So, why am I once again jumping up on the soapbox of password management? Well, besides being a relevant news story, the topic has also come up a few times recently on different ‘networking’ calls I’ve had with vendors and other security executives. Many of these folks continue to believe that removing the mandatory password change is a ‘good thing’, for both risk mitigation and user happiness.

As a refresher, back in 2017, NIST published a new version of their Digital Identity Guidelines (SP 800-63), in which one of the recommendations was to stop forcing password changes at a regular interval. As I’ve written about previously, the argument is that a user’s next password is fairly easy to guess from the previous one, the assumption being that frequent password changes force users to pick statistically similar passwords. According to 800-63, NIST now recommends forcing a password change only when there is evidence of it being compromised. However, since most users share passwords between their personal and work accounts, a compromise of a personal account is never reported to the company, leaving a compromised password in the enterprise without anyone’s knowledge.

As if that example was not bad enough, this new study clearly demonstrates that the overlap of passwords across multiple users is statistically significant enough to cause elevated risk within the environment. According to most industry practices, medium-sized companies have less than 1000 employees. Based on the study above, 835 people in the company have a higher likelihood of having a common password.

While an interesting thought experiment, as we all know, correlation does not imply causation, so let’s look at another interesting number from the study.

Of the 169 million unique passwords analyzed, over 6% of them were in the top-1000 most frequently used list. While this is a much smaller number, validating a password against a list of 1000 is a far easier task to accomplish than testing against millions of combinations. While we are only talking about 60 users in our mid-sized company, imagine if you had a way to accurately pick lottery numbers 6% of the time… You’d take that every day.
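To make those two ratios concrete, here is an added example (not part of this post, and not code from Ata’s repository or from NIST): it computes the same “records sharing a password” and “unique passwords in the top-N list” figures over a constructed handful of breach records, then applies the 800-63B-style screen the paragraph alludes to, rejecting any candidate that appears on the frequency list. `SAMPLE_RECORDS` and `TOP_N` are constructed stand-ins, and the trailing-digit normalisation in `password_allowed` is a simple heuristic of my own, not NIST’s wording.

```python
from collections import Counter

# Constructed sample of breached username/password pairs (not real data).
SAMPLE_RECORDS = [
    ("alice", "123456"), ("bob", "123456"), ("carol", "password"),
    ("dave", "qwerty"), ("erin", "Tr0ub4dor&3"), ("frank", "password"),
    ("grace", "correct horse battery staple"), ("heidi", "123456"),
    ("ivan", "letmein"), ("judy", "qwerty"),
]

# Constructed stand-in for the "top-1000 most frequently used" list.
TOP_N = {"123456", "password", "qwerty", "letmein", "111111"}


def reuse_stats(records, top_n=TOP_N):
    """Reproduce the two figures the study reports: the share of records whose
    password is shared with at least one other record, and the share of the
    *unique* passwords that fall inside the top-N frequency list."""
    counts = Counter(pw for _, pw in records)
    shared_records = sum(c for c in counts.values() if c > 1)
    unique_in_top = sum(1 for pw in counts if pw in top_n)
    return {
        "records": len(records),
        "unique_passwords": len(counts),
        "unique_usernames": len({user for user, _ in records}),
        "shared_fraction": shared_records / len(records),
        "top_n_fraction": unique_in_top / len(counts),
    }


def password_allowed(candidate, blocklist=TOP_N, min_len=8):
    """SP 800-63B style screen: a minimum length plus a blocklist check.
    Case and trailing digits/'!' are stripped before the lookup (heuristic,
    my own) so that 'Password1' is caught by the 'password' entry."""
    if len(candidate) < min_len:
        return False
    lowered = candidate.lower()
    base = lowered.rstrip("0123456789!")
    return lowered not in blocklist and base not in blocklist


if __name__ == "__main__":
    stats = reuse_stats(SAMPLE_RECORDS)
    print(f"{stats['shared_fraction']:.0%} of records share a password; "
          f"{stats['top_n_fraction']:.0%} of unique passwords are in the top-N list")
    for pw in ("Password1", "qwerty", "Tr0ub4dor&3"):
        print(pw, "->", "allowed" if password_allowed(pw) else "rejected")
```

Checking a candidate against the list is a constant-size lookup, which is the point of the paragraph: the defender gets the cheap test, not the attacker.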

I think we all agree that the way we currently identify users is a broken control, but making that control weaker is not doing anyone any good. Most of us agree that passwords are the bane of our existence, but we also need to find functional, user-friendly solutions to replace them, not just some window dressing to make ourselves look good.

The Chronicles of a CISO Weekly Hotwash is a recap of critical stories and news that occurred over the past week. The goal is to hopefully share some insight and perspective on how these stories may impact our industry, our careers, or our companies.

Copyright © 2002-2021 John Masserini. All rights reserved.
