At least yours shouldn’t. Your enterprise should not care about the 10,000 most common passwords and the reason is unbelievable! Out of the 10,000 most common passwords only 10 of had 12 or more characters. Perhaps this statistic is not surprising, but “unbelievable” did represent 10% (1) of the passwords that were 12 characters or longer! Not a single one of the passwords met the typical length and complexity requirements most enterprises inflict upon their employees.
The one 18 character password on the list was “films+pic+galleries” and was almost certainly magnitudes stronger than any 14 character password used in your organization, unless it was a category on the TV game show Jeopardy. I say “almost certainly” because there are probabilities that may make a longer password with equivalent entropy weaker than its shorter counterpart. You are not going to be able to do much about entropy and probability control enforcement for the passwords your users create though. I will discuss what I mean about probability factoring into password cracking in another blog.
Rules about using a password with at least 12 characters and multiple character sets encourage the use of 12 character passwords. This also results in the creation and use of short passwords that have predictable formats such as number or a symbol preceding or trailing a single word. What is the difference between the passwords “techniques” and “1Techniques&”? Not much. Perhaps a few seconds?
Recently NIST has adopted new guidelines concerning passwords that security experts have long been advocating for – dump complexity for length and don’t make users change their passwords frequently. In simple terms, don’t make me use “^incredible1” for a password and then swap “incredible” for another 10 letter word three months later. Trade complexity for length. It’s a win for all concerned.
I talked about passphrases in a previous blog, but I did not touch on passphrase token attacks. These are techniques that can be used that to exploit common weaknesses of passphrases. This does not mean the actual strength of a passphrase is less than a 12, or even 16 character password though. In another blog I’ll delve into token attacks and then provide easy ways to mitigate such attacks in another blog. For now, take a deep breath... Your users probably are not using very many of the rest of the top one million most commonly used passwords because they probably don’t meet your password strength criteria.
Independent Security Analyst