Troy Hunt, the founder of Haveibeenpwned, came out with some brand new numbers that show there’s bad news and then there’s more bad news.
A few months ago he launched V2 of his Pwned Passwords list (half a billion of them), and the idea is to use it as a blacklist, as per the recent NIST guidance:
“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected or compromised.”
In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don’t let your customers (or users) use that password.
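As an added illustration (not Troy Hunt's code or the Pwned Passwords service's own), here is how a registration or password-change form can apply that NIST rule against the Pwned Passwords V2 range API without ever sending the password or its full hash: the client hashes the candidate with SHA-1, sends only the first five hex characters, and matches the returned suffixes locally. No network call is made here; the response body is a constructed stand-in and the breach counts in it are made up.

```python
import hashlib
from typing import Dict, Tuple

# Real Pwned Passwords range endpoint (known fact): GET RANGE_API + 5-char prefix. Not called here.
RANGE_API = "https://api.pwnedpasswords.com/range/"

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix is sent; the 35-char suffix stays local."""
    return digest[:5], digest[5:]

def range_url(password: str) -> str:
    """URL a client would GET for this password: the prefix only, never the password itself."""
    return RANGE_API + split_hash(sha1_hex(password))[0]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines (CRLF separated) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """Times the password appeared in breaches according to the range body; 0 if unseen."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_body).get(suffix, 0)

def nist_blacklist_check(password: str, range_body: str) -> Tuple[bool, str]:
    """SP 800-63B verifier rule: reject compromised secrets (and ones under 8 chars)."""
    if len(password) < 8:
        return False, "too short"
    seen = breach_count(password, range_body)
    if seen:
        return False, f"seen in {seen} breaches"
    return True, "ok"

def constructed_range_body(entries: Dict[str, int]) -> str:
    """Constructed stand-in for one API response (a real body lists every suffix for the prefix)."""
    return "\r\n".join(f"{split_hash(sha1_hex(pw))[1]}:{n}" for pw, n in entries.items())

# Constructed sample: two known-bad passwords with made-up breach counts.
SAMPLE_BODY = constructed_range_body({"password123": 8, "iloveyou": 5})
```

In production the body comes from `range_url(candidate)`; everything after that (parsing and matching) happens on the client side exactly as above.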
But he had always wondered what percentage of passwords such a blacklist would actually block. If you had one million people in your system, is it a quarter of them using previously breached passwords? A half? More?
And then he got his hands on a new 6.8m-record data breach from a site called CashCrate, and he could do the math:
Eighty-six percent of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.
He concludes that traditional password complexity rules are awful and “must die a fiery death,” not least because the bad guys are increasingly into credential stuffing: grabbing huge stashes of username and password pairs from other data breaches and seeing which ones work on totally unrelated sites.
Employees Reuse Them All the Time
Despite heightened awareness of the security implications, many users still continue to reuse passwords and rarely, if ever, change them, a LogMeIn survey shows.
A new survey by LastPass by LogMeIn of some 2,000 individuals in the United States, Australia, France, Germany and the UK has revealed what can only be described as broad apathy among a majority of users on the issue of password use.
Though 91 percent of the respondents profess to understand the risks of using the same passwords across multiple accounts, 59 percent said they did so anyway. For 61 percent, fear of forgetting was the primary reason for password reuse. Fifty percent say they reuse passwords across multiple accounts because they want to know and be in control of their passwords all the time. More at DarkReading about this new study.
Only 55 Percent Of Users Would Change Passwords if They Were Hacked
LastPass research revealed that password behaviors remain largely unchanged from earlier studies two years ago, and many users remain in denial that their accounts are even at risk. Even scarier? These habits (or lack thereof) and beliefs are the same whether the accounts are personal or work ones. More at TechRepublic.