Troy Hunt, the founder of Haveibeenpwned came out with some brand new numbers that show there's bad news and there's more bad news.
A few months ago he launched V2 of his Pwned Passwords list (half a billion of them) and the idea is to make them into a blacklist, as per the recent NIST guidance:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don't let your customers (or users) use that password!
But he always wondered - what sort of percentage of passwords would this actually block? I mean if you had 1 million people in your system, is it a quarter of them using previously breached passwords? A half? More?
And then he got his hands on a new 6.8m-record data breach from a site called CrashCrate and he could do the math:
86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.
He concludes that traditional password complexity rules are awful and they "must die a fiery death", also because bad guys are more and more into credential stuffing where they are grabbing huge stashes of username and password pairs from other data breaches and seeing which ones work on totally unrelated site.
Password Reuse Abounds
Despite heightened awareness of the security implications many users still continue to reuse passwords and rarely if ever change them, a LogMeIn survey shows.
A new survey by LastPass by LogMeIn of some 2,000 individuals in the United States, Australia, France, Germany, and the UK has revealed what can only be described as broad apathy among a majority of users on the issue of password use.
Though 91% of the respondents profess to understand the risks of using the same passwords across multiple accounts, 59% said they did so anyway. For 61%, it is the fear of forgetfulness that was the primary reason for password reuse. Fifty percent say they reuse passwords across multiple accounts because they want to know and be in control of their passwords all the time. More at DarkReading about this new study.