How come it’s still possible to ‘secure’ an online account with a six-digit string?
Analysis Summary
# Best Practices: Eliminating Trivial Passwords & Strengthening Authentication
## Overview
These practices address the persistent vulnerability of "trivial passwords" (e.g., "123456") and the failure of platforms to enforce modern authentication standards. The goal is to shift from legacy password-only systems to rigorous validation and Multi-Factor Authentication (MFA).
## Key Recommendations
### Immediate Actions
1. **Enforce Minimum Complexity:** Immediately update password validation logic to reject known weak strings ("123456", "password", "admin") and sequential patterns.
2. **Audit Password Requirements:** Review current account creation flows to ensure they meet a minimum of 8–12 characters with a mix of character types (uppercase, lowercase, numbers, symbols).
3. **Enable MFA:** Offer and encourage Multi-Factor Authentication (MFA) for all users, regardless of the perceived sensitivity of the data.
### Short-term Improvements (1-3 months)
1. **Screen Against Breached Passwords:** Integrate an API (such as the Have I Been Pwned Pwned Passwords API) or a local list to prevent users from selecting passwords known to have been leaked in historical data breaches.
2. **Dormant Account Cleanup:** Identify and delete or lock dormant accounts created under legacy "weak password" policies to reduce the attack surface in the event of a breach.
3. **Deploy Passkeys:** Begin implementing WebAuthn/Passkey support to provide a phishing-resistant alternative to traditional passwords.
### Long-term Strategy (3+ months)
1. **Move to "Passwordless":** Adopt a strategy to phase out traditional passwords entirely in favor of biometrics, hardware tokens, or passkeys.
2. **Regulatory Compliance Alignment:** Ensure all authentication systems align with strict standards like PSD2 (for finance) or general data protection mandates (GDPR) regarding "appropriate" security measures.
3. **Advocate for Standards:** Support and implement industry-wide authentication mandates to ensure security is not sacrificed for "ease of entry" or user acquisition.
## Implementation Guidance
### For Small Organizations
- Use third-party identity providers (Google, Microsoft, Apple ID) to handle authentication, offloading the risk of storing passwords.
- Use free tools like the ESET Password Generator to educate staff and users on complexity.
### For Medium Organizations
- Implement automated password strength meters during registration that provide real-time feedback.
- Mandate MFA for all internal employee accounts and highly recommend it for customers.
### For Large Enterprises
- Enforce strict "Zero Trust" authentication principles.
- Use automated scripts to proactively scan the user database for common patterns and force a password reset for at-risk accounts.
- Lobby for and adopt regional security frameworks that mandate MFA across all customer-facing services.
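The "proactively scan the user database" step above (and the dormant-account cleanup recommended under Short-term Improvements) can be run as one offline audit. The following is an added example, not code from the original report; it assumes a storage scheme the report does not specify (PBKDF2-HMAC-SHA256 with a random per-user salt) and uses a constructed four-user table. Because passwords are hashed with per-user salts, the audit cannot "grep" for patterns: it must re-derive each common string with each user's salt and compare, which is why it is a KDF job proportional to users × candidates rather than a lookup.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Assumed storage scheme (the report does not specify one): PBKDF2-HMAC-SHA256 with a
# random per-user salt. The iteration count is kept low so the demo runs quickly;
# a real audit uses whatever count each record was stored with.
ITERATIONS = 50_000

# Candidate strings: the reject list from the Configuration Examples section.
COMMON_PASSWORDS = ["123456", "12345678", "qwerty", "password", "admin"]


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str, last_login: datetime) -> dict:
    """Build a stored credential record the way the (assumed) registration code would."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "iterations": ITERATIONS,
            "hash": derive(password, salt, ITERATIONS), "last_login": last_login}


# Constructed sample user table; the passwords are chosen for the demo, not real data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = [
    make_record("alice", "123456", NOW - timedelta(days=3)),
    make_record("bob", "Velvet9Lantern&Moss", NOW - timedelta(days=10)),
    make_record("carol", "password", NOW - timedelta(days=400)),
    make_record("dave", "Rook7Harbor@Tide", NOW - timedelta(days=700)),
]


def matching_common_password(record: dict, candidates=COMMON_PASSWORDS):
    """Return the common string this record's hash verifies against, or None.
    Each candidate is re-derived with the user's own salt, so the cost is
    one KDF call per (user, candidate) pair."""
    for candidate in candidates:
        trial = derive(candidate, record["salt"], record["iterations"])
        if hmac.compare_digest(trial, record["hash"]):
            return candidate
    return None


def audit(users, candidates=COMMON_PASSWORDS, dormant_after_days=365, now=NOW) -> dict:
    """Split the user table into accounts needing a forced reset and dormant
    accounts to lock or delete (the two actions the report recommends)."""
    force_reset, lock_or_delete = [], []
    for record in users:
        if matching_common_password(record, candidates) is not None:
            force_reset.append(record["username"])
        if now - record["last_login"] > timedelta(days=dormant_after_days):
            lock_or_delete.append(record["username"])
    return {"force_reset": sorted(force_reset), "lock_or_delete": sorted(lock_or_delete)}


if __name__ == "__main__":
    print(audit(USERS))
```

On the constructed table the audit flags alice and carol for a forced reset and carol and dave as dormant. In production the candidate list would be the full breached-password corpus rather than five strings, so schedule the job as a batch and budget for the KDF cost.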
## Configuration Examples
While specific code varies by platform, validation should follow this pattern:
* **Reject List:** `[ '123456', '12345678', 'qwerty', 'password', 'admin' ]`
* **Complexity Regex:** `^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$` (Requires at least 8 characters, including 1 uppercase letter, 1 lowercase letter, 1 digit and 1 special character from the set `@$!%*?&`. Note that the trailing character class only permits those symbols, so a password containing a space, hyphen or any other symbol fails the match.)
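The reject list and regex above, the sequential-pattern check from Immediate Actions, and the breached-password screening from Short-term Improvements fit together as one validation pipeline. The following is an added example, not code from the original report. It uses the report's own reject list and regex; the sequential-pattern detector, the normalisation that strips trailing digits and symbols (so that "Password1!" is judged as "password", the "Static Requirements" pitfall), and the k-anonymity lookup are this example's own choices. The breach corpus is a constructed stand-in for the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), so the block runs offline; only the first five hex characters of the SHA-1 would be sent to the real service.

```python
import hashlib
import re

# Reject list and complexity regex exactly as given in the Configuration Examples.
REJECT_LIST = {"123456", "12345678", "qwerty", "password", "admin"}
COMPLEXITY_RE = re.compile(
    r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$"
)
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords corpus: keyed by the first five hex
# characters of the SHA-1, holding "SUFFIX:COUNT" lines in the format the real range
# endpoint returns. The entries and counts are made up for this example.
_SAMPLE_BREACHED = [("password", 9_000_000), ("123456", 20_000_000),
                    ("qwerty", 3_000_000), ("Password1!", 120_000)]
SAMPLE_BREACH_CORPUS: dict[str, list[str]] = {}
for _pw, _count in _SAMPLE_BREACHED:
    _h = _sha1_hex(_pw)
    SAMPLE_BREACH_CORPUS.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def local_range_lookup(prefix: str) -> list[str]:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-character prefix would leave the client; matching is done locally."""
    return SAMPLE_BREACH_CORPUS.get(prefix, [])


def breach_count(password: str, range_lookup=local_range_lookup) -> int:
    """Return how often the password appears in the breach corpus (0 if absent)."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def normalized(password: str) -> str:
    """Lowercase and strip trailing digits/symbols so decorated common strings
    ('Password1!', 'Qwerty12!') are compared against the reject list as their base."""
    return re.sub(r"[\d@$!%*?&#._-]+$", "", password.lower())


def has_sequential_pattern(password: str, run: int = 4) -> bool:
    """True for straight runs ('abcd', '4321') or keyboard-row walks ('qwer', 'fdsa')."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in s or frag[::-1] in s:
                return True
    return False


def validate(password: str, range_lookup=local_range_lookup) -> list[str]:
    """Return the names of the checks that failed; an empty list means acceptable."""
    failures = []
    if not COMPLEXITY_RE.match(password):
        failures.append("complexity")
    if password.lower() in REJECT_LIST or normalized(password) in REJECT_LIST:
        failures.append("reject_list")
    if has_sequential_pattern(password):
        failures.append("sequential")
    if breach_count(password, range_lookup) > 0:
        failures.append("breached")
    return failures


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "Qwerty12!",
                      "Correct-Horse7Battery", "Velvet9Lantern&Moss"]:
        print(f"{candidate!r}: {validate(candidate) or 'OK'}")
```

Two results are worth noting. "Password1!" satisfies the regex yet fails the reject-list and breach checks, which is exactly why a complexity rule on its own is not enough. "Correct-Horse7Battery" fails only the regex, because its hyphen is outside the permitted symbol set; if that is not intended, widen the trailing character class rather than loosening the other checks.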
## Compliance Alignment
- **NIST Special Publication 800-63B:** Guidelines for Digital Identity and Authentication.
- **PSD2 (Payment Services Directive 2):** Mandates Strong Customer Authentication (SCA) for financial transactions.
- **GDPR/CCPA:** General mandates to secure personal data using "reasonable" measures.
## Common Pitfalls to Avoid
- **Legacy Retention:** Keeping old accounts that don't meet modern security standards in your database.
- **The "Friction" Excuse:** Prioritizing seamless user sign-up over security, which leads to long-term liability.
- **Static Requirements:** Using complexity rules (e.g., "must include a symbol") without checking if the password is a common string like "123456!".
## Resources
- **ESET Password Generator:** [https://www.eset[.]com/us/password-generator/]
- **Have I Been Pwned Pwned Passwords API:** [https://haveibeenpwned[.]com/API/v3#PwnedPasswords]
- **FIDO Alliance (Passkey Documentation):** [https://fidoalliance[.]org/]
- **NordPass Common Password List:** [https://nordpass[.]com/most-common-passwords-list/]