Password authentication isn’t going anywhere anytime soon. It’s part of our culture, users and employees are accustomed to it, and many systems depend on the “what you know” layer. Newer technologies like biometrics might work in certain situations, but they won’t replace passwords altogether anytime soon. In our series on password security, we’ve talked about some worrying trends, the myths contributing to poor password hygiene, and the methods cybercriminals use to hack encrypted passwords. It’s time to talk about the actions you can take to secure your password layer against bad actors right now.
In our fourth and last installment, we’ll address the weaknesses of passwords head-on and give you actionable insights and goals for protecting your systems against password-based attacks with the latest password security methods.
Current NIST password recommendations include some excellent advice for tackling the vulnerabilities caused by common and compromised passwords. Remember, common and compromised passwords make up cracking dictionaries that hackers use to execute password attacks against business sites and systems. Rogue actors are constantly sharing compromised credentials exposed in data breaches all over the dark web. These compromised credentials become a significant vector in further attacks (responsible for 20% of breaches this year alone), contributing to a vicious cycle of susceptibility that we all must do our part to end.
The answer to common and compromised passwords, it turns out, is simple to implement but has yet to be universally adopted. It involves not allowing employee and client accounts to use them in the first place. As passwords are created, if businesses check them against those used in dictionary attacks, they can stop users from choosing them. This approach requires cataloging all passwords found in cracking dictionaries the same way cybercriminals do. As NIST special publication 800-63B section 5.1 puts it, you’d build a blacklist “that contains values known to be commonly used, expected, or compromised” – essentially, using cybercriminals’ cracking dictionaries against them.
Blocking compromised credentials and common, easy-to-guess passwords also makes it much harder for a hacker to do anything with your password database, should they get their hands on it. If you hash your passwords (and you should!), a hacker won’t be able to rapidly reverse the hashes in bulk, because your users’ passwords won’t appear in any reverse-lookup or rainbow table.
Another solution that is currently underutilized is multi-factor authentication (MFA). MFA ensures that the password isn’t a single point of failure for the whole system. While MFA is not entirely invulnerable either, it provides additional solid layers of security to help minimize risk.
One-time passwords (OTP) are a typical authentication approach businesses can use to add protection on top of the password layer. NIST does not recommend using email and SMS to deliver OTPs because these communication channels can be compromised. If you’re going to implement an OTP solution, there are a few other options for authentication, including hardware tokens, mobile apps, and website applications.
It’s very important to work to make sure account users aren’t reusing their passwords from other sites. Since most people don’t create a unique password for every one of their accounts, their passwords can be exposed in an unrelated data breach, causing your business systems to become more vulnerable. One 2021 breach exposure report focused on Fortune 1000 companies found that 543 million of their employees’ credentials were circulating on the dark web. 76.7% of all Fortune 1000 employees were reusing passwords across personal and professional accounts, putting businesses in great danger of becoming victims of an attack.
To keep your password security layer safe, every new password should be compared against a comprehensive blacklist that includes the compromised passwords exposed in data breaches. If it sounds like a tall order to build that blacklist yourself, you’re correct! Here at Enzoic, we maintain such a blacklist. To be truly effective, the list has to be continually updated as more and more passwords are exposed in breaches.
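The screening step this paragraph and the earlier blacklist paragraph describe, as an added Python example (not Enzoic’s code or product): a candidate password is rejected if it is shorter than the NIST SP 800-63B eight-character minimum, contains the account or service name, or matches the compromised-password list, which here is a constructed five-entry sample kept as SHA-256 digests. It goes slightly beyond the text by also screening the trivial rewrites (case folding, trailing digits or symbols) that cracking rule sets apply to every dictionary word.

```python
import hashlib
import re
from typing import Iterator, Tuple

# Constructed sample blocklist. In production this is the full set of passwords
# harvested from breach dumps and cracking dictionaries, kept as digests so the
# screening list on disk is not itself a plaintext cracking dictionary.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "Summer2021"]
COMPROMISED_DIGESTS = frozenset(
    hashlib.sha256(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BREACHED
)
MIN_LENGTH = 8  # NIST SP 800-63B minimum length for user-chosen passwords


def _candidates(password: str) -> Iterator[str]:
    """Forms of the password to look up: the exact string plus the trivial
    rewrites (case folding, trailing digits/symbols) that cracking rule sets
    apply to every dictionary word, so 'Password1!' still hits 'password'."""
    yield password
    yield password.lower()
    base = re.sub(r"[0-9!@#$%^&*.]+$", "", password)
    if base != password:
        yield base
        yield base.lower()


def screen_password(password: str, username: str, service: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects short, context-specific and
    compromised passwords before they are ever hashed and stored."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    lowered = password.lower()
    for word in (username, service):  # NIST "context-specific words" check
        if word and word.lower() in lowered:
            return False, "contains account or service name"
    for form in _candidates(password):
        if hashlib.sha256(form.encode("utf-8")).hexdigest() in COMPROMISED_DIGESTS:
            return False, "found in compromised-password list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; "jdoe" and "acme" are a hypothetical user and service.
    for pw in ["Password1!", "Summer2021", "jdoe-Acme-2021", "correct horse battery staple"]:
        print(pw, screen_password(pw, "jdoe", "acme"))
```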
Luckily, you don’t have to maintain that list yourself. Powerful password screening software can check new employee and client passwords against such a blacklist swiftly and easily. When it comes to cyber threats, we can’t control everything, but we can adjust our security strategy to make it much more difficult for hackers to take control.