Old vs. New Methods for Employee Password Hardening

Do not just mitigate bad passwords. Eliminate weak and compromised passwords.

Threats to password-based authentication can overwhelm organizations. Because passwords are still the most common way for users to access their accounts, they invite abuse from bad actors, and careless password habits among employees make the problem worse. But employee password hardening is difficult without introducing significant user friction, so it is no wonder that so many organizations struggle to keep their accounts and infrastructure secure.

Traditional Methods Are Losing Effectiveness

The traditional methods organizations use to thwart attacks on employee accounts are becoming less effective:

  • Periodic password resets have been found to make employee passwords less secure. When forced to change their passwords regularly, most employees choose passwords that are simpler or use iterations of old passwords so they can remember them.
  • Mandatory complex character strings no longer make passwords more secure. Attackers know the common tricks users rely on to add these characters and have built those variations into their attack methodology.

But now, there are new ways for employee password hardening that can also reduce user friction and IT burden.

Old Methods Create More Challenges

Organizations have often operated blindly when it comes to account integrity, unaware if cybercriminals have obtained compromised credentials. Aside from the occasional manual checks using static password lists, enterprises have had few options for detecting compromised passwords.

This lack of visibility into employee credential security has led some organizations to mitigate weak passwords by micromanaging access. They use periodic password resets and complex character requirements to try to impede attackers. Those defenses are meant to compensate for the aging or simple passwords users tend to select. However, old passwords are not necessarily weak, and strong passwords are not necessarily safe. Even organizations that conduct regular periodic password resets cannot control whether criminal hackers steal or guess their credentials in the interim. This means cybercriminals still have an attack window, impacting overall account integrity.

The trouble is that those old methods, which pressure employees to routinely recreate their passwords with complex character strings, foster user frustration. As a result, employees often simply add a single character, usually an exclamation point, to update or obscure the core password they have already memorized. Cybercriminals who have already guessed or found that exposed password will test it with the typical iterations (like an extra character or leetspeak) and still get into the employee's account.

A New Method for Eliminating Weak and Compromised Passwords

These days, organizations need to eliminate bad employee passwords – rather than just mitigate them as they have done in the past. They need tools that check passwords daily against a continuously updated database of weak and compromised credentials. This is an effective way to secure the password layer of security and support employee password hardening without creating undue frustration for employees.

Organizations need what we refer to as continuous password monitoring (also known as continuous password filtering or screening), which compares passwords at creation and daily against a robust, real-time database of billions of compromised and bad passwords. Continuous password monitoring negates the need for periodic password resets, reinforcing enterprise security and reducing IT burden. 

When done correctly, password filtering and monitoring should have zero user experience impact. Employees only need to create new passwords when breaches and exposures compromise their current password. This removes the need for overly complex passwords and, thereby, relieves employee frustration.

What to Look for in Continuous Password Monitoring

1) Automated response and less manual work from IT.

With continuous password screening, weak and compromised passwords have short lives because when a vulnerable password is found, an automated real-time response should be activated. Organizations no longer need to rely on static password lists that lose their timeliness and effectiveness with every passing day. Organizations can choose to instantly notify Active Directory administrators while prompting users to change their password the next time they use their login credentials. Companies can also elect to immediately and automatically disable user accounts if their policies require it. An automated tool provides less manual work for IT while improving employee password hardening.

2) A secure process for leveraging password comparisons.

When comparing passwords, organizations should keep the passwords safe as they check them against a database. Cracking passwords or sharing them in plaintext is a significant vulnerability. Therefore, Enzoic for Active Directory doesn't crack passwords or share them in cleartext. It checks only partial hashes of passwords and never exposes full passwords or full hashes during the comparison process. This is known in cryptography as k-anonymity, and using this approach is vital to keeping employee passwords safe.
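The partial-hash comparison described above, worked through as an added example. This is not Enzoic's code, and the page does not describe its actual protocol or hash function; the example assumes an HIBP-style range query in which the client hashes the password with SHA-1, sends only the first five hex characters, and the server answers with every hash suffix in that bucket. The full hash and the password stay on the client, where the suffix comparison happens. The breach corpus is constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of a breach corpus, standing in for the billions of
# exposed passwords a real screening service holds server-side.
CONSTRUCTED_BREACH_CORPUS = ["password", "Summer2023!", "letmein", "Welcome1"]

# Number of hex characters of the hash the client reveals. Five characters
# (the HIBP choice; an assumption here) gives 16**5 possible buckets, so each
# bucket covers many distinct passwords and a prefix identifies none of them.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (hash choice is an assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus):
    """Server side: bucket each full hash by its prefix, storing only the suffixes."""
    index = defaultdict(list)
    for pw in corpus:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].append(digest[PREFIX_LEN:])
    return index


def server_range_query(index, prefix: str):
    """Server side: the only thing the server learns is the prefix.

    It returns every suffix in that bucket, whether one or thousands, and
    cannot tell which of them (if any) the client is interested in.
    """
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return sorted(index.get(prefix, []))


def client_query_prefix(password: str) -> str:
    """Client side: the only value that leaves the machine for a given password."""
    return sha1_hex(password)[:PREFIX_LEN]


def is_compromised(password: str, index) -> bool:
    """Client side: send the prefix, then compare the suffix locally.

    Neither the password nor its full hash is sent; each suffix comparison
    uses a constant-time compare so it leaks nothing about near-matches.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = server_range_query(index, prefix)
    return any(hmac.compare_digest(suffix, c) for c in candidates)


if __name__ == "__main__":
    idx = build_server_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "-> server sees only", client_query_prefix(pw),
              "-> compromised:", is_compromised(pw, idx))
```

The property to check in any vendor's implementation is the one `server_range_query` enforces: the server accepts a fixed-length prefix and nothing else, so a full hash can never be submitted by mistake, and the response is the whole bucket rather than a yes/no answer for one hash.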

3) Insight to know what is working and how.

When considering password filtering, employee password hardening, and continuous password screening tools, Active Directory administrators need to have proper analytics. They need to see the total number of detections, including the number of discoveries due to fuzzy matching, local dictionary, or password similarity matching. They also need the ability to pull the logs into log management tools to help streamline reporting.
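Fuzzy matching, local-dictionary matching, and similarity matching, with per-category detection counts and one JSON log record per detection for a log management tool, as an added example. This is not Enzoic's code, and the page does not define how its match types work, so the three categories below are my own assumed definitions: an exact local-dictionary hit, a hit after undoing trailing characters and leetspeak (the single-character and leetspeak iterations the earlier section describes), and an edit distance of one. The dictionary, accounts, and candidate passwords are constructed.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Optional
import json

# Constructed local dictionary: the organization's own banned terms.
CONSTRUCTED_LOCAL_DICTIONARY = {"acme", "acmecorp", "welcome", "password"}

# Constructed accounts and candidate passwords as presented to the screening
# tool at creation time; they are never stored or logged in plaintext.
CONSTRUCTED_ACCOUNTS = [
    ("alice", "Welcome"),
    ("bob", "P@ssw0rd!"),
    ("carol", "Acme2024"),
    ("dave", "Passwords1"),
    ("erin", "correct horse battery staple"),
]

# Common leetspeak substitutions, reversed so "p@ssw0rd" becomes "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
# Trailing characters users append to "update" a password (the "!" case).
TRAILING = "0123456789!@#$%^&*.?_-"


def variants(password: str):
    """Normalised forms to test: lower-cased, trailing junk stripped, leet undone."""
    p = password.lower()
    stripped = p.rstrip(TRAILING)
    return {p, stripped, p.translate(LEET_MAP), stripped.translate(LEET_MAP),
            p.translate(LEET_MAP).rstrip(TRAILING)}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used for the similarity category."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(password: str, dictionary) -> Optional[str]:
    """Return the match category or None. Exact beats fuzzy beats similar."""
    if password.lower() in dictionary:
        return "local_dictionary"
    forms = variants(password)
    if forms & dictionary:
        return "fuzzy_match"
    if any(levenshtein(f, w) <= 1 for f in forms for w in dictionary):
        return "similarity"
    return None


def screen_accounts(accounts, dictionary):
    """Screen every account; return (counts by category, log records).

    Records carry the user and category only: the candidate password is
    never written to the log.
    """
    counts = Counter()
    records = []
    for user, password in accounts:
        category = classify(password, dictionary)
        if category is None:
            continue
        counts[category] += 1
        records.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": "weak_password_detected",
            "user": user,
            "match_type": category,
            "action": "force_change_at_next_logon",  # policy choice; an assumption
        })
    counts["total"] = sum(counts.values())
    return counts, records


if __name__ == "__main__":
    counts, records = screen_accounts(CONSTRUCTED_ACCOUNTS, CONSTRUCTED_LOCAL_DICTIONARY)
    print(dict(counts))
    for r in records:
        print(json.dumps(r))  # one JSON line per detection, ready for a log shipper
```

The counts answer the "what is working" question directly: if nearly every detection is a fuzzy or similarity match, users are iterating on dictionary words rather than choosing new ones, which is the behaviour the earlier section describes.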

4) How vulnerable password data is sourced.

Lastly, when considering continuous password filtering for employee accounts, ensure that the vendor you select sources the data themselves rather than relying on a third-party list. Some vendors don't do any research themselves but download free password blacklists off the internet. These password blacklists are a decent start, but they are not typically the lists that attackers are using, because they are very public and well known. Enzoic's threat research team updates and maintains its catalog of exposed credentials continuously. It uses dedicated human analysts and advanced automation that perform deep threat research, scouring the Dark Web, the Internet, and otherwise unavailable private resources for breached and exposed passwords.

Employee Password Hardening to Strengthen Enterprise Security

While many organizations are exploring alternative authentication to passwords, many experts know that we are not even close to eliminating the password for authentication. Even companies using alternative authentication methods still rely on passwords as a backup. Instead of abandoning the credential authentication technology that is at the core of every account and app, organizations can focus on hardening the employee password.

To reinforce enterprise security, organizations should:

  • Start screening for vulnerable passwords rather than spending limited IT resources on help desk tickets for password resets and complexity rules.
  • Have a sophisticated yet easy-to-implement automated way to eliminate weak, exposed, and breached passwords at their creation and through daily checks with Enzoic for Active Directory.

By taking these steps, organizations can ensure account integrity, reduce the risk of credential-based attacks, and create a stronger, more resilient security posture.