I’ve seen a myriad of posts recently, in both news articles and on Twitter, highlighting the usage of insecure passwords such as “password” or “123456”. There’s an immediate issue I can see here.
It’s not just about the strength of the password that a potential owner chooses for access to a particular website or service. Admittedly, a vast proportion of the passwords that are chosen are so weak that they wouldn’t stand up to a single pass of a dictionary attack - let alone brute forcing. What’s vitally important here, and, surprisingly, seems to be overlooked, is the online services, systems, and websites that actually accept the weak passwords in the first place. If you really want to stop people from using insecure passwords, then implement measures that prevent them from doing so - and, more importantly, provide a mechanism that explains the reason for declining their choice rather than creating frustration when the user cannot validate their preferred password. In the same vein, it’s rare for providers to compare a hash of the password entered (not the password itself, but its “equivalent” in terms of hashed value when stored) against the well-known free Pwned Passwords API from https://haveibeenpwned.com. If a user knew that a password was unsafe and at risk of being compromised before they even attempted to save it, then surely they would reconsider their choice - and, perhaps, act on the advice they have been offered. With the use of AJAX in web forms, this isn’t really hard to do either - and it could make all of the difference.
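The check described above, as an added example that is not part of the original post: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the Pwned Passwords range endpoint (so the service never sees the password or its full hash), and the returned “SUFFIX:COUNT” lines are compared locally. The sample range response, the breach counts in it, the 12-character minimum and the rejection messages are constructed for this example; the endpoint URL and response format are those of the public API.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for the SHA-1 prefix "5BAA6" (the prefix
# of SHA-1("password")). The real API returns hundreds of "SUFFIX:COUNT" lines per
# prefix; the counts here are made up, but the first suffix really is the remainder
# of SHA-1("password").
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FF0:2
003D68EB55068C33ACE09247EE4C639306B:3
"""

def sha1_split(password: str):
    """Upper-case hex SHA-1 split into the 5-char prefix the API receives and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the breach count for our suffix, or 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix. Not called by the offline test; swap in a stub there."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times this password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch(prefix))

def validate_new_password(password: str, fetch=fetch_range) -> str:
    """Server-side sign-up check; returns the explanation to show the user, or 'ok'.
    The 12-character minimum is an assumed policy for this example."""
    if len(password) < 12:
        return "rejected: fewer than 12 characters"
    seen = pwned_count(password, fetch)
    if seen:
        return f"rejected: seen {seen} times in known breaches, choose another"
    return "ok"
```

The same prefix/suffix split can be done in browser JavaScript for the AJAX case, with the server repeating the check so a client that skips it gains nothing.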
Organisations that actually permit the usage of weak passwords are as much (if not more) at fault as the users attempting to make use of them, in my view. It’s irresponsible, and it provides no security mechanism whatsoever in the event of those same credentials being stolen. Let’s stop blaming users for attempting to use weak passwords, and spend more time and effort looking at the services that actually permit their usage.