I was looking at some of our overall security stats the other day and it struck me that a significant minority of our customers are not using Password RBL.
This seems crazy to me, but I suppose I wondered if the people who have chosen not to use it actually understood what it was that they had rejected.
What is Password RBL?
Password RBL is a list of bad passwords. It has a few higher-end features but at its most basic it stops users from choosing passwords that hackers routinely use.
Currently, most of our files (at least a significant amount of your data e.g. email etc.) are available on the internet. A hacker can knock on the door to ask to see your files. When he gets asked for a password you might think that he randomly picks something, but that is a mistake. A more common approach for a hacker is to look at a list of passwords stolen from the internet (these can be downloaded very easily) and sort them by the frequency a password appears. Something like this below might come out (but obviously much longer).
Very simply, if these top 5 passwords let you into 5% of accounts then you will get into 1 in every 20 doors you try.
When you ask a user to create a complex password for your network you assume that because it is complex they have to choose something random, but you’ll notice that all 5 passwords would be allowed, even under Nitec’s stringent management of password policy.
Be Safe, Not Sorry
This is precisely why Password RBL is such an essential tool. It manages a large number of fake accounts that no one should ever be logging into legitimately, and every time someone tries to log into one of these fake accounts they note the password; if it starts to appear with any regularity they then block it. Suffice to say, none of the passwords above would pass muster with Password RBL.
The bottom line is in the current landscape you cannot afford not to have this tool. You are probably thinking that your staff aren’t that careless: however, the stats we have suggest that between 10% and 20% of all attempted password changes are rejected by Password RBL, which means that without Password RBL, in a team of 30 people probably 3 to 6 staff have passwords that would be known to hackers. Something to think about.