Username-Password Pairs: Why Banning Passwords Just Isn’t Enough

Username-Password Pairs: Why Banning Passwords Just Isn’t Enough

Password blacklists are receiving considerable attention. It’s clear why: Weak and compromised passwords are a factor in nearly all hacking-related cybersecurity breaches. best practices of NIST require organizations not to allow the use of common and compromised passwords. And several cyber security companies offer password blacklists for this purpose.

But authentication requires a username and password combination, so shouldn’t we evaluate compromised username and password pairs instead of just compromised passwords?

DevOps/Cloud-Native Live!  Boston

Username and password combinations are the target

The ultimate goal of the hacker is to discover a valid username and password combination. There are many methods to guess passwords. They are most successful for hackers when people select easy-to-guess passwords. But hackers still need to find out what password was chosen for a specific username.

But when attackers can find passwords and usernames together, their job is done. That makes an exposed username and password the most critical security vulnerability. If hackers can get the full credentials, they don’t need to orchestrate a password guessing attack or bother cracking passwords. Instead, they can simply sign in.

Whole new pairs of credentials leak out every day. Therefore, the probability that the exact credentials of your employees will be compromised increases over time. Unfortunately, most people have no way of knowing if their entire credentials have already been compromised. But hackers do know. A visit to the Dark Web illustrates what is happening.

Hackers are not limited to password lists

The Dark Web is understood as a source of password lists. Common password lists designed for password spreading are marketed, sold, and ranked based on their effectiveness. Also, there are large decryption dictionaries for sale created to revert encrypted passwords to clear text.

While these types of password lists are regularly posted on the Dark Web, full credential lists are seen much more frequently. These are massive combo lists with username and password pairs compiled from many sources. But even more common are username and password exposures attributable to specific compromised servers and sites.

The critical point here is that hackers often don’t start with passwords. Instead, they start their attack with full username and password pairs. Given the number of data breaches each year, it’s easy to come up with a few username and password combinations for just about any target.

Even if these credentials are 3dr party sites, can jeopardize the security of your organization today. This is because most people apply only slight variations or reuse the exact credentials across multiple accounts. As a result, hackers have a good chance of easily obtaining the password of at least some users in your organization, even if these users do not use a common password.

Forbidden password may not be enough

So why do we only blacklist passwords? You could argue that a password blacklist can block any compromised username and password pair. That could be a valid point if all leaked passwords for each user are included. But most of the generally available password blacklists are much more limited. Most are designed just to prevent the use of the most frequently seen passwords.

An often referenced source for banned passwords is Troy Hunt’s Pwned Passwords. It’s free, but it’s far from a complete list. It provides a fraction of the leaked passwords available in commercial services with dedicated professional threat researchers focused on the task. Without a more complete list, there is no chance of preventing a previously exposed username and password pair.

Some banned password services don’t even attempt to collect exposed passwords. For example, Microsoft offers a Global Banned Password List, but it is only generated from its own telemetry. That means Microsoft’s Azure Password Protection doesn’t try to collect passwords from 3dr parties data breaches. This is another free service, so its scope is understandably very limited.

Banned password lists are still valuable. There is always a need to block the most common and easy to guess passwords. A limited list may suffice if your only concern is password spreading. This is a type of attack where a small list of common passwords is attempted for a large set of users. However, password spraying is only one of many credential attack methods. Attackers can do real damage when they can obtain entire compromised credentials.

How to protect yourself against hackers using full credentials

To prevent credential compromise attacks, organizations need to know which username and password pairs are compromised and have methods to keep them out of their environment.

There are three parts to this effort.

  • Organizations should avoid the reuse of compromised username and password pairs. This is important even when the user has selected a unique password. This requires more than limited lists of prohibited passwords. There has to be a way to detect all compromised username and password pairs. There should be no justification for allowing a username and password pair to be exposed.
  • processes are necessary for continuously monitor and detect when an existing username and password pair has been compromised. The list of the most popular common passwords changes from time to time. But new exposures happen every day, which means the database of insecure username/password pairs changes rapidly. It is not enough to wait for the password to expire to re-verify the credentials against new data breaches.
  • Policies should define the immediate actions that are taken when a username and password are compromised. Because it is a more critical vulnerability, a more aggressive response is recommended. NIST suggests not requiring passwords to be changed unless there is evidence of compromise, as in this case. Finding a username and password pair that is compromised would ensure an immediate password reset or even disable the account.


There are many types of password attacks. Password guessing attacks are successful because most people make poor password choices. What NIST requires, organizations need policies that prevent the use of common, easy-to-guess, or previously compromised passwords. However, password ban lists are generally not designed to protect well-chosen username and password pairs. Proper password protection must go beyond banned password lists and detect when the entire username and password pair has been exposed.

The charge Username-Password Pairs: Why Banning Passwords Just Isn’t Enough first appeared in enzoic.

*** This is a syndicated Security Bloggers Network blog from enzoic written by Kim Jacobson. Read the original post at:

Leave a Comment