CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Identity & Access

UK’s NCSC Suggests Automatic Blocking of Common Passwords

A recent survey from the UK’s National Cyber Security Centre (NCSC, part of GCHQ), conducted by Ipsos Mori, suggests that 52% consider their most prevalent online security consideration to be protecting their privacy, while 51% consider it to be the loss of their money.

A recent survey from the UK’s National Cyber Security Centre (NCSC, part of GCHQ), conducted by Ipsos Mori, suggests that 52% consider their most prevalent online security consideration to be protecting their privacy, while 51% consider it to be the loss of their money.

(It is worth noting that inside the body of the survey, these figures are reversed. SecurityWeek has asked the NCSC for clarification. If any is received, it will be added to this article.)

The survey (PDF), conducted between November 2018 and January 2019, involved 1,350 telephone interviews with the general public aged 16+ and was weighted to represent the UK population. It shows a wide awareness of the need for cybersecurity, but less understanding of how that can be achieved. Eighty percent of the respondents say cybersecurity is a high priority, while only 15% say they know a great deal about how to protect themselves online. Nearly half (46%) believe that most cybersecurity information is confusing.

Fatalism is also strong — possibly as a result of knowing the threat is strong without understanding the solutions. Seventy percent of the respondents believe they will likely be a victim of at least one cybercrime over the next two years, and it will have a big personal impact. Thirty-seven percent believe that losing money or personal details is unavoidable.

Use of recommended practices varies widely, but is generally stronger in those aged under 54. Seventy percent always use a password/phrase or PIN to unlock their smartphones and tablets; 55% use a strong and unique password for their primary email account; and 46% patch their systems and software as soon as possible. But only 29% back up important data; and only 25% use 2FA on their email account.

Absent from this survey is any analysis of passwords specifically. This is covered in a separate survey that analyzes the most commonly used passwords as found in Troy Hunt’s Have I been Pwned database

“We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable,” said Ian Levy, technical director at the NCSC. “Password re-use is a major risk that can be avoided — nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favorite band.”

His advice is that, “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.” This is a view confirmed by Chris Morales, head of security analytics at Vectra, who told SecurityWeek, “Easy to remember phrases are stronger than 12-digit passwords using numbers and characters.”

Advertisement. Scroll to continue reading.

The NCSC is particularly concerned the people continue to use and reuse simple passwords. ‘123456’ is known from Troy Hunt’s database to have been used and stolen 23 million times. This isn’t just a problem for the general public, the NCSC explains in another blog; criminals maintain their own lists of common passwords. Citing the first occurrence of the Triton/Trisis malware, the NCSC comments, “attackers have been able to breach the corporate network and move laterally to the internal network due to poor network segmentation, where a single weak point (such as a password from one of these lists on a box in a DMZ) has enabled traversal.”

The NCSC believes that if defenders automatically block the most common passwords, then hacking will be made more difficult. To make this practical, it has — in conjunction with Troy Hunt — published a list of the 100,000 most common passwords found in the Have I Been Pwned database. These range from the most common ‘123456’ to the 100,000th most common ‘crossroad’.

It recommends that wherever possible, sysadmins should use this (or a similar) list as a blacklist, preventing users from choosing any one of them. For example, it writes, “If you’re using Azure AD, Microsoft have just launched their new password protection feature that allows you to define a password blacklist.” The NCSC accepts that this may cause some friction with users who are blocked from using their first, second or even third choice password, but suggests it may be less friction than “having to meet frustrating password complexity requirements.”

But most of all, it says, “This ultimately means that your organization’s data or critical infrastructure will be better protected.”

What is a little surprising, however, is that there is no specific advice to augment good password practice with the use of multi-factor authentication. Joe Carson, chief security scientist at Thycotic, told SecurityWeek, “It is important to replace your poor password with a password manager that will help create a complex strong password, and combine this with multi-factor authentication to ensure your digital identity has much stronger security controls to prevent the risk of becoming a victim of cybercrime.”

“Multi-factor authentication,” added Vectra’s Morales, “leveraging who you are (biometrics) and what you have (Authenticator app tied to specific device) are much stronger than any password regardless of what list that password might be on.”

The NCSC surveys and blog have been published ahead of its two-day CYBERUK 2019 Conference due to be held on April 24 and 25 at the Glasgow Scottish Exhibition Centre.

Related: Why User Names and Passwords Are Not Enough 

Related: Password Practices Still Poor, Google Says 

Related: California to Ban Weak Passwords

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...