What Is a Password Blacklist and How Is It Serving You?
Cybersecurity might be developing in great leaps, but at the end of the day, we still employ passwords as the most common authentication technique. An individual user has to deal with tens (or maybe an entire hundred) of passwords, but if you’re managing a corporate system, password security suddenly becomes an even more vital part of your business.
There might be many ways to improve your cybersecurity practices, and today, we would like to talk about password blacklists. A password blacklist is not a fail-proof method of improving your cybersecurity, but it is definitely a decent crutch any business should consider.
What is a password blacklist?
The name is probably rather self-explanatory. A password blacklist refers to a list of passwords that a cybercriminal is very likely to use when they try to access your system. What kinds of passwords are included in the list?
Well, it’s easy to tell that the most common passwords are definitely part of a password blacklist. In fact, everyone should be aware of at least the top 10 most common passwords, because using these combinations to “protect” an account or a system is a straight road to a breach. However, there’s a lot more to such lists than just common passwords, and that’s what users have to keep in mind if they want to employ password blacklists.
Perhaps the hardest question to answer in relation to this practice is how many passwords there are supposed to be on the list for the list to be reliable. And the truth is that there is no exact answer here. Some security experts suggest anywhere between one million and two million passwords, but the list cannot be static, because the number of cracked or compromised passwords grows every single day, and those should be included in the list, too. Not to mention that most of those lists are managed by one-person companies, and it is physically impossible to update them immediately.
Passwords to include in your blacklist
If you decide to employ a password blacklist, the most logical decision would probably be to come up with your own custom blacklist. Of course, this only works if you have enough resources to work on it, but if you can afford it, that’s definitely something we recommend. After all, any company will have context-specific passwords (related to that particular system and that particular business), so creating your own blacklist and regularly updating it would most certainly improve your system’s security.
The most common passwords surely have to go on that list, and if you can, you should encourage your security team to go through multiple static password blacklists to include as many cracked passwords on your list as possible.
Also, to improve the quality of your blacklist, you have to know how hackers work when they target vulnerable systems. Aside from trying the most common passwords, they also employ password-cracking dictionaries that include word lists and various password combinations that can be used to crack multiple systems. Make sure you include those dictionaries in your list, too.
What’s more, let’s not forget the context-specific passwords that apply only at your company. For instance, if you include the name of your company or your product in the passwords that you use, they are a lot easier to guess. Hence, such passwords should also be included in the list.
Aside from passwords that are simply easy to guess, password blacklists should also cover candidate passwords that are similar to something you have already used. Also, let’s not forget leet-speak substitutions and fuzzy password matching: a blacklist that rejects “password” but accepts “P@ssw0rd” is not doing its job.
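To make the points above concrete, here is an added example of a blacklist check, written for this article and not part of any product described in it. It folds leet-speak back to plain letters, strips the digits and symbols people tack on to the ends of passwords, looks for context-specific terms, and uses a fuzzy similarity score against previously used passwords. The blacklist entries and the company/product names (“acme”, “widgetpro”) are constructed sample data; a real deployment would load a full list of common and cracked passwords instead.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data, not taken from the article: a tiny stand-in for a
# blacklist of common/cracked passwords, and hypothetical company/product names.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}
CONTEXT_TERMS = {"acme", "widgetpro"}

# Common leet-speak substitutions, mapped back to the letter they stand for.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize(pw: str) -> str:
    """Lower-case and undo leet-speak so 'P@55w0rd' compares as 'password'."""
    return pw.lower().translate(LEET_MAP)


def core(pw: str) -> str:
    """Strip leading/trailing digits and symbols: 'Acme2024!' -> 'Acme'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)


def similarity(a: str, b: str) -> float:
    """Fuzzy match score in [0, 1]; 1.0 means identical (case-insensitive)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(candidate, previous=(), blacklist=COMMON_PASSWORDS,
                   context=CONTEXT_TERMS, threshold=0.8):
    """Return the list of reasons the candidate is rejected; empty means accepted."""
    reasons = []
    # Compare every variant of the candidate against the blacklist: raw,
    # de-leeted, and with the decorative prefix/suffix removed.
    forms = {candidate.lower(), normalize(candidate),
             core(candidate).lower(), normalize(core(candidate))}
    if forms & set(blacklist):
        reasons.append("matches a blacklisted password")
    norm = normalize(candidate)
    for term in sorted(context):
        if term in norm:
            reasons.append(f"contains context-specific term '{term}'")
    # Fuzzy match: 'Summer2024!' vs 'Summer2023!' scores about 0.91 and is rejected.
    for old in previous:
        if max(similarity(candidate, old), similarity(norm, normalize(old))) >= threshold:
            reasons.append("too similar to a previously used password")
            break
    return reasons


if __name__ == "__main__":
    for pw, prev in [("P@55w0rd", ()), ("Acme2024!", ()),
                     ("Summer2024!", ("Summer2023!",)), ("xK9#vQ2mLp!tR7z", ())]:
        print(pw, "->", check_password(pw, prev) or "accepted")
```

The similarity threshold of 0.8 is a tuning choice: lower it and more near-duplicates are caught, at the cost of rejecting some genuinely new passwords. Note that comparing against previous passwords requires keeping them in a form you can compare, which is a design decision in its own right and not something to do with plain-text storage.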
If you have a blacklist employed, your employees won’t be able to use compromised credentials (which people often do without really meaning to). Needless to say, it might be hard to maintain and regularly update a password blacklist. For that reason, we would also recommend turning to professionals who can help you keep your blacklist relevant.
What about my actual passwords?
Here you might wonder what happens to your password practices when you employ a password blacklist. For instance, does this mean that you can no longer use context-specific passwords? Actually, yes. It would be best if you refrained from using words that are easy to guess, because they clearly do not make for a strong password.
We do realize, however, that dropping the practice of employing context-specific passwords (for instance, using all sorts of company name and product variations) poses certain inconveniences. After all, it’s really easy to recycle such passwords simply by changing several characters or adding numerals to the passwords that you use. Yet again, renewing your passwords like that puts them into the similar-password category, and it makes the hacker’s job of cracking your system’s walls a lot easier.
Since you can no longer do that, what would make a good password? We think that you most definitely know the basics, and you surely understand that a strong password has to be long and random. That is to say, the letters and the numbers should not carry any specific meaning that would be easy to guess. Also, whenever you renew your passwords, these complicated and absolutely random sequences should be replaced by similarly long and strong strings of characters.
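What “long and random” means in practice is easiest to see in code. The following is an added example, not code from this article or from any password manager it mentions: it draws characters from the operating system’s cryptographic random source (Python’s secrets module, never the random module) and reports how many bits of entropy the result carries. The 20-character default and the minimum of 12 are this example’s own assumptions, not figures from the article.

```python
import math
import secrets
import string

# Full printable ASCII set minus whitespace: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes a typical complexity policy expects to see.
CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    20 characters from 94 symbols give about 131 bits; a dictionary word with
    a year and a symbol tacked on carries only a small fraction of that.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a random password with the OS CSPRNG (secrets, not random).

    Rejection sampling keeps drawing until every character class present in
    the alphabet also appears in the password, so the result passes common
    complexity rules. The length defaults are assumptions of this example.
    """
    if length < 12:
        raise ValueError("length too short for a strong password")
    required = [cls for cls in CLASSES if any(cls(c) for c in alphabet)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(cls(c) for c in pw) for cls in required):
            return pw


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits of entropy)")
```

The class requirement slightly reduces the effective entropy below the printed figure, since it discards some otherwise valid draws; with 20 characters that loss is negligible. The point of the entropy function is that length matters more than cleverness: every extra character from a 94-symbol alphabet adds about 6.5 bits, which no amount of substituting “@” for “a” can match.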
Now, you might say that it is a pain to maintain such passwords, especially in the business setting, because there are countless accounts that need protection, and with the constant need to renew your passwords, it would be hard to keep track of them. That is, of course, true if you think that you would need to write them down and then come up with unique passwords yourself.
Nevertheless, with the blacklist limiting the scope of passwords you can use and the constant need for new unique passwords, you should definitely employ a password manager to generate new strong passwords and store them under safe encryption. For instance, you can try out Cyclonis Password Manager to see how that works. It is a lot harder to crack passwords generated by a tool that was created to ensure your password safety. Also, a password manager can protect your business by storing all the passwords you and your employees use in its encrypted vault. It is clear that by employing both a password manager and a password blacklist, you would significantly improve your cybersecurity.