Password Blacklists: Applying the Goldilocks Principle

One of the most effective ways to increase the strength of your network’s security is to screen users’ passwords against a list of dictionary passwords and known compromised passwords. Password vulnerabilities remain a major entry point for hackers. Over the last few years, password policy has evolved in significant ways. NIST password guidelines now indicate that using a password blacklist is critical to network security. However, many organizations struggle with questions about how long the blacklist should be and what it should include.

Not long enough?
It used to be the case that it took hackers a long time to use brute force to crack passwords. Now, attackers can guess thousands per second. Using a list that contains just the top 10,000 most commonly used passwords is hardly a defense against this type of threat. Statistically speaking, the more passwords on a blacklist the better. However, adding every possible password has downsides to consider.

When the list is too long
Suggestions for curating a blacklist can quickly spiral to the mistaken conclusion that the list should contain every conceivable password. But such a list would not actually solve the security issues at stake. If your list contains too many passwords, it may be too difficult for users to find an acceptable password at all. When users experience this type of frustration, both users and IT adopt predictable patterns of behavior, and the result is often weaker security practice.

Even the time it takes to evaluate the passwords becomes a factor. For example, if it takes thirty seconds or more to evaluate a password candidate, it becomes impractical to check passwords when they are being created. Checking during the password creation process is an explicit NIST recommendation.

A properly designed system can check billions of passwords in milliseconds, so the user experience is barely affected. It may also be useful to segment the blacklist into exposed passwords found in contemporary data breaches, and those commonly found in cracking dictionaries. Having both of these lists available means you can control even more aspects of the service.

Static vs Updated
When it comes to compromised passwords, timeliness may be even more important than the size of the list. Data breaches occur every day and new leaked credentials are constantly being exposed. Hackers always look to use the most current exposures, so effective defense requires staying current.

Most of the free lists are static lists, meaning that they are not updated regularly, or with any particular response to data breaches. For this reason, static blacklists aren’t sufficient.

Context Specificity
It’s also not sufficient to use a blacklist that doesn’t consider factors like “context” in terms of your geography, your company and users themselves.

This may mean creating a custom list, or dictionary, of passwords to screen against. Tailoring your blacklist to specific users, by including their username, email address and name as terms that must be considered, can greatly decrease the likelihood you’ll be hacked.

A blacklist can also be reasonably tailored geographically simply by including the data breaches from those regions. A blacklist that, for instance, only uses a subset of the top passwords in the United States would miss important passwords.
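A minimal screener that combines the segmented lists described earlier (breach data and a cracking dictionary) with the per-user context checks of this section, as an added example that is not from the original post. The sample lists, the user record, the minimum term length and the leet-substitution normalization are constructed assumptions, not part of the post.

```python
from dataclasses import dataclass

# Constructed sample lists. A real deployment loads breach data and a
# cracking dictionary from regularly refreshed files; hash-set lookups keep
# the check fast enough to run at password-creation time.
BREACHED = {"password1", "qwerty123", "letmein", "summer2023"}
DICTIONARY = {"password", "welcome", "dragon", "monkey"}

# Assumed heuristic: undo common character substitutions so that a candidate
# such as "P@ssw0rd" is still matched against "password".
LEET = str.maketrans("@0$31!", "aoseil")
MIN_TERM_LEN = 3  # assumed: ignore very short name fragments like "Al"


@dataclass
class User:
    username: str
    email: str
    full_name: str


def variants(candidate: str) -> set[str]:
    """Lowercased candidate plus its de-substituted form."""
    pw = candidate.strip().lower()
    return {pw, pw.translate(LEET)}


def context_terms(user: User) -> list[str]:
    """Username, email local part and name parts as lowercase terms (sorted)."""
    terms = {user.username, user.email.split("@")[0], *user.full_name.split()}
    return sorted(t.lower() for t in terms if len(t) >= MIN_TERM_LEN)


def screen_password(candidate: str, user: User,
                    breached=BREACHED, dictionary=DICTIONARY) -> tuple[bool, str]:
    """Return (accepted, reason); reason names the list or term that rejected it."""
    forms = variants(candidate)
    if forms & breached:
        return False, "breached"
    if forms & dictionary:
        return False, "dictionary"
    for term in context_terms(user):
        if any(term in form for form in forms):
            return False, f"contains user context '{term}'"
    return True, "ok"


if __name__ == "__main__":
    jane = User("jdoe", "jane.doe@example.com", "Jane Doe")
    for pw in ("P@ssw0rd", "Qwerty123", "JaneDoe2024!", "correct-horse-battery"):
        print(pw, screen_password(pw, jane))
```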

“Just Right”
In terms of the actual number of passwords on the list, we are constantly seeking the sweet spot. Not too short, not too long — but ‘just right,’ like the useful lesson from the tale of Goldilocks and the Three Bears. Aim for an ever-evolving blacklist that definitely includes more passwords than just the top 10,000 weakest options. The more relevant, context-sensitive, and frequently updated your blacklist can be, the better.