Keep Organizations Safe from Cybercriminals with Password Blacklists

April 28th, 2021 | security and compliance, product & technology

123456, 123456789, qwerty, password, and 111111 are some of today’s most commonly used passwords, according to CyberNews. While these passwords may be simple for users to remember, they are also quite easy for cybercriminals to steal. For this reason, security experts suggest creating strong passwords that include the following characteristics:

  • At least 12 characters long
  • Mixed characters, including uppercase/lowercase letters, numbers, and special symbols
  • Does not contain memorable keyboard paths
  • Not based on personal information
  • Unique passwords for each account


To help users create strong passwords, many organizations turn to a password blacklist: a list of common words that are not allowed for use as passwords.

In fact, our recent survey of technology leaders found that when it comes to preventing employees from using common words or phrases in their passwords, 61 percent of today’s organizations implement a password blacklist, while 31 percent do not.

Password blacklists ensure that individuals don’t choose passwords that are commonly used or that already appear on lists attackers might use in dictionary attacks or other password-based attacks. Additionally, blacklists include guidelines that prevent the use of common passwords with frequently used modifications, such as capital letters, standard substitutions, or numbers following the words. These rules protect against password-cracking software, which uses dictionaries of commonly used passwords.

Adding a password blacklist prevents employees or customers from using common or insecure password schemes that are easily compromised. The blacklist provides additional security by preventing attackers from getting past a simple password login flow in the first place.

When using a password blacklist, it is important to keep the list up to date. In fact, according to recommendations from the United Kingdom’s National Cyber Security Centre (NCSC), organizations should block up to 100,000 of the most commonly used passwords.

However, an easier option is OneLogin’s Dynamic Password Blacklist, which enables administrators to specify strings or values they do not want a user to include in their password, such as their username or phone number. OneLogin’s password blacklist matches partially: include the word “password” and it will catch variations such as “password123”; include a year such as “2010” and it will catch any password that contains “2010.”
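The partial matching and common-modification rules described above can be sketched as a small checker. This is an added example, not OneLogin’s implementation; the function names, the sample list, the substitution map and the minimum term length are all assumptions made for illustration.

```python
import re

# Constructed sample entries; a real deployment would load a much larger list.
STATIC_BLACKLIST = {"password", "qwerty", "123456", "111111", "2010"}

# Assumed, non-exhaustive map of "standard substitutions" undone before matching.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Terms shorter than this are ignored so a two-letter username cannot block everything.
MIN_LEN = 4


def entry_forms(entry):
    """Forms of one blacklist entry: lowercased, substitutions undone, digits only."""
    lowered = entry.lower()
    forms = {lowered, lowered.translate(LEET)}
    forms.add(re.sub(r"\D", "", entry))  # "555-0142" also matches as "5550142"
    return {f for f in forms if len(f) >= MIN_LEN}


def blacklist_hits(password, user_terms=()):
    """Return the sorted entries found inside the password; an empty list means accepted.

    user_terms carries the per-user ("dynamic") values such as username or phone number.
    """
    lowered = password.lower()
    # Match against the raw lowercase form (keeps digits such as years intact)
    # and against the form with substitutions undone (catches "p@ssw0rd").
    candidates = {lowered, lowered.translate(LEET)}
    hits = set()
    for entry in list(STATIC_BLACKLIST) + list(user_terms):
        if any(form in cand for form in entry_forms(entry) for cand in candidates):
            hits.add(entry)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    user = ("jdoe", "555-0142")
    for pw in ("P@ssw0rd123", "Summer2010!", "Jdoe#Horse9", "correct-horse-battery-staple"):
        print(pw, "->", blacklist_hits(pw, user) or "accepted")
```

Returning the matched entries rather than a bare true/false lets the password form tell the user which part of the choice was rejected.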

Whether you choose to implement and maintain your own password blacklist or look to OneLogin to maintain it for you, it is imperative that you use a blacklist to successfully prevent users from choosing simple, easy-to-guess passwords.

Because we live in a world where cybercriminals are lurking behind every corner, organizations must stay on top of password use to protect their valuable data and steer clear of data breaches and cyberattacks.

Check out the other pieces in our World Password Day series!

Part 1: Solving the Password Problem with MFA

Part 2: Improve Cybersecurity with Passwordless Authentication

Part 3: Beware of Password Managers

About the Author

As the Senior Manager of Content Marketing at OneLogin, Lucie Lawrence focuses on developing useful and useable content. Lucie’s master’s degree in journalism and PhD in human communication studies have taught her the magic of storytelling and the importance of crafting information in interesting and compelling ways.
