UK’s NCSC Suggests Automatic Blocking of Common Passwords
A recent survey from the UK’s National Cyber Security Centre (NCSC, part of GCHQ), conducted by Ipsos Mori, suggests that 52% of respondents name protecting their privacy as their main online security concern, while 51% name the loss of their money.
(It is worth noting that inside the body of the survey, these figures are reversed. SecurityWeek has asked the NCSC for clarification. If any is received, it will be added to this article.)
The survey (PDF), conducted between November 2018 and January 2019, involved 1,350 telephone interviews with the general public aged 16+ and was weighted to represent the UK population. It shows a wide awareness of the need for cybersecurity, but less understanding of how that can be achieved. Eighty percent of the respondents say cybersecurity is a high priority, while only 15% say they know a great deal about how to protect themselves online. Nearly half (46%) believe that most cybersecurity information is confusing.
Fatalism is also strong — possibly as a result of knowing the threat is strong without understanding the solutions. Seventy percent of the respondents believe they will likely be a victim of at least one cybercrime over the next two years, and it will have a big personal impact. Thirty-seven percent believe that losing money or personal details is unavoidable.
Use of recommended practices varies widely, but is generally stronger in those aged under 54. Seventy percent always use a password/phrase or PIN to unlock their smartphones and tablets; 55% use a strong and unique password for their primary email account; and 46% patch their systems and software as soon as possible. But only 29% back up important data; and only 25% use 2FA on their email account.
Absent from this survey is any analysis of passwords specifically. That is covered in a separate survey that analyzes the most commonly used passwords as found in Troy Hunt’s Have I Been Pwned database.
“We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable,” said Ian Levy, technical director at the NCSC. “Password re-use is a major risk that can be avoided — nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favorite band.”
His advice is that, “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.” This is a view confirmed by Chris Morales, head of security analytics at Vectra, who told SecurityWeek, “Easy to remember phrases are stronger than 12-digit passwords using numbers and characters.”
The NCSC is particularly concerned that people continue to use and reuse simple passwords. ‘123456’ is known from Troy Hunt’s database to have been used and stolen 23 million times. This isn’t just a problem for the general public, the NCSC explains in another blog post; criminals maintain their own lists of common passwords. Citing the first occurrence of the Triton/Trisis malware, the NCSC comments, “attackers have been able to breach the corporate network and move laterally to the internal network due to poor network segmentation, where a single weak point (such as a password from one of these lists on a box in a DMZ) has enabled traversal.”
The NCSC believes that if defenders automatically block the most common passwords, then hacking will be made more difficult. To make this practical, it has — in conjunction with Troy Hunt — published a list of the 100,000 most common passwords found in the Have I Been Pwned database. These range from the most common ‘123456’ to the 100,000th most common ‘crossroad’.
It recommends that wherever possible, sysadmins should use this (or a similar) list as a blacklist, preventing users from choosing any one of them. For example, it writes, “If you’re using Azure AD, Microsoft have just launched their new password protection feature that allows you to define a password blacklist.” The NCSC accepts that this may cause some friction with users who are blocked from using their first, second or even third choice password, but suggests it may be less friction than “having to meet frustrating password complexity requirements.”
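As an added example (not code from the NCSC, Microsoft or SecurityWeek), here is a minimal denylist check of the kind the advice describes: a candidate password is rejected if it, or a lightly normalised form of it, appears on the list. The list text below is a constructed stand-in for the published 100,000-entry file, and the normalisation rules (case folding, stripping leading and trailing digits or punctuation, undoing a few common character substitutions) are this example's own assumptions, not a published algorithm.

```python
"""Reject candidate passwords that appear on a common-password denylist.

Added example. The real NCSC/Have I Been Pwned file is plain text with
one password per line; the sample here is constructed for the demo.
"""
from __future__ import annotations

import re

# Constructed sample standing in for the top-100,000 list.
SAMPLE_DENYLIST_TEXT = """\
123456
password
qwerty
liverpool
crossroad
"""

# Substitutions people use to dodge a denylist ("p@ssw0rd"). This mapping
# is an assumption of this example, not a rule from the NCSC or Microsoft.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "$": "s", "5": "s", "3": "e", "7": "t"})
# Leading/trailing non-letters ("Liverpool2019!", "#qwerty") are padding.
EDGE_NOISE = re.compile(r"^[^a-z]+|[^a-z]+$")


def normalise(candidate: str) -> str:
    """Fold case, strip non-letter padding, then undo substitutions,
    so 'P@ssw0rd123!' collapses to 'password'. Digit-only strings
    collapse to '' and are handled by the exact-match path instead."""
    core = EDGE_NOISE.sub("", candidate.lower())
    return core.translate(LEET)


class Denylist:
    """Exact entries plus their normalised forms, for O(1) lookups."""

    def __init__(self, text: str) -> None:
        entries = [ln.strip() for ln in text.splitlines() if ln.strip()]
        self.exact = frozenset(entries)
        self.normalised = frozenset(normalise(e) for e in entries) - {""}

    def blocks(self, candidate: str) -> bool:
        """True if the candidate should be refused at password-set time."""
        if candidate in self.exact:
            return True
        core = normalise(candidate)
        return bool(core) and core in self.normalised


DENYLIST = Denylist(SAMPLE_DENYLIST_TEXT)
```

In production the `Denylist` would be built once from the downloaded file at service start and consulted in the password-change handler; a rejection message should tell the user the password is too common rather than echo the list.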
But most of all, it says, “This ultimately means that your organization’s data or critical infrastructure will be better protected.”
What is a little surprising, however, is that there is no specific advice to augment good password practice with the use of multi-factor authentication. Joe Carson, chief security scientist at Thycotic, told SecurityWeek, “It is important to replace your poor password with a password manager that will help create a complex strong password, and combine this with multi-factor authentication to ensure your digital identity has much stronger security controls to prevent the risk of becoming a victim of cybercrime.”
“Multi-factor authentication,” added Vectra’s Morales, “leveraging who you are (biometrics) and what you have (Authenticator app tied to specific device) are much stronger than any password regardless of what list that password might be on.”
The NCSC surveys and blog have been published ahead of its two-day CYBERUK 2019 Conference due to be held on April 24 and 25 at the Glasgow Scottish Exhibition Centre.