A Surprising Twist in 2023
There’s no doubt that Taylor Swift had a wonderfully successful 2023: she made over a billion dollars, broke many music industry records, and was named TIME’s Person of the Year, all cementing her status as a pop-culture icon. Her cultural impact, however, extended beyond the realm of pop music into the unlikely field of cybersecurity.
With her global fanbase, Swift inadvertently influenced the world of authentication. Fans often choose passwords related to their interests, leading to a surge in Taylor Swift-themed passwords. Unfortunately, factors such as password reuse and compromise by threat actors make them vulnerable to cyberattacks. Here are the top-ten most common ones that were compromised from the past year:
Top Ten Taylor Swift-Inspired Compromised Passwords
These passwords were collected by Enzoic’s threat research team and included in their continuously updated proprietary data platform to protect vulnerable users and organizations as quickly as possible. Exposed passwords pose a significant risk to organizations, opening them up to attacks from threat actors, such as those attempting to deploy ransomware or steal data for fraud and illegal sale.
The Less Obvious Choices and Their Risks
Interestingly, less common passwords, such as ‘taylorswift13121989’, pose their own security risks. Despite being a theoretically strong password due to its length and complexity, its exposure in data breaches renders it vulnerable. This highlights a critical issue in cybersecurity: the problem of password reuse. Passwords, regardless of their inherent strength, become susceptible to compromise when they are known to hackers or featured on compromised lists. When employees recycle their passwords across various platforms, they inadvertently link the security of their organization to the most vulnerable account they use.
The habit of reusing passwords is a widespread yet hazardous practice. Humans will be humans, and are always seeking convenience, especially when it comes to often-repeated actions like entering passwords. Threat actors can exploit this habit by compromising sites or systems with weaker security postures, then using those passwords to gain access to otherwise secure systems due to the statistical likelihood that at least a handful of user’s credentials involve reused passwords, especially those known to have been exposed and included on password lists. The immediate risk to seemingly insignificant accounts may appear low, but the actual threat emerges when this one password becomes the key to unlocking far more sensitive and valuable information.
Contemporary Password Protections: A Shift Towards User-Friendly Security
How can organizations prevent their users from reusing the same passwords across all their accounts? While this would be a nearly impossible task, the newest guidelines from The National Institute of Standards and Technology (NIST) in their publication 800-63b offer guidance to combating this risk:
The NIST guidelines reflect a deeper understanding of human behavior and the practicalities of password management. Organizations are encouraged to adopt these guidelines not just for compliance but for effective breach prevention. This change signifies a shift towards more user-friendly yet secure password practices, moving away from outdated methods that often resulted in weaker passwords.
Addressing Cultural References in Password Security
Popular trends, as evidenced by Taylor Swift’s impact on users’ password choices, bring to light the nuanced role of cultural references in password security. While incorporating celebrities or fictional characters into passwords doesn’t inherently compromise their strength, the real issue lies in their predictability and reusing these passwords across multiple platforms.
For organizations, the key lies in discerning when to include cultural references in their custom dictionary blocks (also known as ‘denylists’). This decision is context-dependent and should be informed by an understanding of patterns in previously compromised passwords. If an organization finds that its users frequently select passwords associated with specific cultural icons, especially if these passwords have been compromised in the past or have any relevance to the organization, it becomes prudent to prohibit these references. Simultaneously, organizations must weigh this approach against the inclusion of organization-specific terms, like location names, product names, or local sports teams, which could be just as predictable within certain industries or communities. Security teams should adopt a dynamic strategy for updating their custom dictionaries. This involves staying informed about both popular culture trends and the specific context of their industry or community.
Educating employees on secure password practices is crucial. This education should go beyond simply listing prohibited words; it should also provide insights into why certain words, even seemingly obscure ones, might pose security risks. Advanced password screening tools can be instrumental in this process, helping to identify both common cultural references and specific organizational terms during password creation or updates.
The Need for Stronger Password Hygiene
As organizations grapple with the nuances of password security, the key takeaway is the importance of balancing user-friendly policies with robust security measures. NIST’s updated guidelines, emphasizing ease of use while maintaining security, mark a significant shift in our approach to password management. Simultaneously, the need to consider cultural influences and organizational specifics in password policies underscores the complexity of securing digital identities in a world where pop culture and cybersecurity intersect unexpectedly. This emphasizes a key lesson for security teams: maintaining vigilance, flexibility, and strategic thinking is essential in staying ahead of cybersecurity threats, regardless of their often surprising origins.
Josh is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.