Taylor Swift’s Influence on Cybersecurity

A Surprising Twist in 2023

There’s no doubt that Taylor Swift had a wonderfully successful 2023: she made over a billion dollars, broke many music industry records, and was named TIME’s Person of the Year, all cementing her status as a pop-culture icon. Her cultural impact, however, extended beyond the realm of pop music into the unlikely field of cybersecurity.

With her global fanbase, Taylor Swift inadvertently influenced the world of authentication. Fans often choose passwords related to their interests, leading to a surge in Taylor Swift-themed passwords. Unfortunately, factors such as password reuse and compromise by threat actors make them vulnerable to cyberattacks. Here are the top-ten most common ones that were compromised from the past year:

Top Ten Taylor Swift-Inspired Compromised Passwords

1. taylorswift
2. taylorswift13
3. tswift13
4. taylorswift1
5. tswift
6. taylorswift123
7. taylorswift1989
8. taylorswift22
9. swiftie
10. swiftie13

These passwords were collected by Enzoic’s threat research team and included in their continuously updated proprietary data platform to protect vulnerable users and organizations as quickly as possible. Exposed passwords pose a significant risk to organizations, opening them up to attacks from threat actors, such as those attempting to deploy ransomware or steal data for fraud and illegal sale.

The Less Obvious Choices and Their Risks

Interestingly, less common passwords, such as ‘taylorswift13121989’, pose their own security risks. Despite being a theoretically strong password due to its length and complexity, its exposure in data breaches renders it vulnerable. This highlights a critical issue in cybersecurity: the problem of password reuse. Passwords, regardless of their inherent strength, become susceptible to compromise when they are known to hackers or featured on compromised lists. When employees recycle their passwords across various platforms, they inadvertently link the security of their organization to the most vulnerable account they use.

The habit of reusing passwords is a widespread yet hazardous practice. Humans will be humans, and are always seeking convenience, especially when it comes to often-repeated actions like entering passwords. Threat actors can exploit this habit by compromising sites or systems with weaker security postures, then using those passwords to gain access to otherwise secure systems due to the statistical likelihood that at least a handful of user’s credentials involve reused passwords, especially those known to have been exposed and included on password lists.  The immediate risk to seemingly insignificant accounts may appear low, but the actual threat emerges when this one password becomes the key to unlocking far more sensitive and valuable information.

Contemporary Password Protections: A Shift Towards User-Friendly Security

How can organizations prevent their users from reusing the same passwords across all their accounts? While this would be a nearly impossible task, the newest guidelines from The National Institute of Standards and Technology (NIST) in their publication 800-63b offer guidance to combating this risk:

1. Abandoning Arbitrary Complexity: NIST now advises against enforcing complex combinations of characters. Studies showed that such requirements often led to weaker passwords. NIST’s guidelines encourage passwords that users can remember easily without the need for special characters. Simplifying password creation reduces the temptation to reuse the same ‘complex’ password across multiple accounts.
2. Full Character Utilization: All characters, including spaces, are now recommended for password creation. These are not only stronger but also more memorable. Users can create unique phrases relevant to them, decreasing the likelihood of reuse as these phrases are less generic and more personal.
3. Enabling Paste for Passwords: The revised guidelines recommend allowing passwords to be pasted into fields, facilitating the use of password managers. This change reflects an understanding of the convenience and security offered by password managers and encourages users to have distinct passwords for each service, significantly lowering the risk of password reuse.
4. Eliminating Periodic Password Changes: NIST advises against mandatory regular password changes unless there is a specific security concern. This is based on the observation that frequent changes lead to predictable patterns, reducing password strength. When users are not forced to change passwords frequently, they are more likely to create a strong, unique password and stick with it, as long as it remains secure.
5. Increased Character Allowance: Encouraging longer passwords, the new guidelines suggest a minimum of eight characters while allowing up to 64 or more. This enables users to create passphrases, which are generally more secure and easier to remember. Longer passphrases, which are often unique sentences or combinations of words, are not only more secure but are also less likely to be reused across different platforms due to their specific and personal nature.
6. Screening Against Blacklists: Passwords should be checked against lists of compromised or common passwords. This proactive measure ensures users avoid passwords that are already known to be insecure. If users reuse passwords, this will help organizations detect and remediate when their credentials have been compromised, allowing security teams to prevent breaches that could arise due to reused credential exposure from third-party sources.

The NIST guidelines reflect a deeper understanding of human behavior and the practicalities of password management. Organizations are encouraged to adopt these guidelines not just for compliance but for effective breach prevention. This change signifies a shift towards more user-friendly yet secure password practices, moving away from outdated methods that often resulted in weaker passwords.

Addressing Cultural References in Password Security

Popular trends, as evidenced by Taylor Swift’s impact on users’ password choices, bring to light the nuanced role of cultural references in password security. While incorporating celebrities or fictional characters into passwords doesn’t inherently compromise their strength, the real issue lies in their predictability and reusing these passwords across multiple platforms.

For organizations, the key lies in discerning when to include cultural references in their custom dictionary blocks (also known as ‘denylists’). This decision is context-dependent and should be informed by an understanding of patterns in previously compromised passwords. If an organization finds that its users frequently select passwords associated with specific cultural icons, especially if these passwords have been compromised in the past or have any relevance to the organization, it becomes prudent to prohibit these references. Simultaneously, organizations must weigh this approach against the inclusion of organization-specific terms, like location names, product names, or local sports teams, which could be just as predictable within certain industries or communities. Security teams should adopt a dynamic strategy for updating their custom dictionaries. This involves staying informed about both popular culture trends and the specific context of their industry or community.

Educating employees on secure password practices is crucial. This education should go beyond simply listing prohibited words; it should also provide insights into why certain words, even seemingly obscure ones, might pose security risks. Advanced password screening tools can be instrumental in this process, helping to identify both common cultural references and specific organizational terms during password creation or updates.

The Need for Stronger Password Hygiene

As organizations grapple with the nuances of password security, the key takeaway is the importance of balancing user-friendly policies with robust security measures. NIST’s updated guidelines, emphasizing ease of use while maintaining security, mark a significant shift in our approach to password management. Simultaneously, the need to consider cultural influences and organizational specifics in password policies underscores the complexity of securing digital identities in a world where pop culture and cybersecurity intersect unexpectedly. This emphasizes a key lesson for security teams: maintaining vigilance, flexibility, and strategic thinking is essential in staying ahead of cybersecurity threats, regardless of their often surprising origins.

AUTHOR

Josh Parsons

Josh is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.