If today's cybersecurity landscape was the Wild West, credentials would be more valuable than every bank, train and stagecoach combined. Bad actors know that they can easily compromise sensitive systems and accounts by leveraging passwords exposed in prior breaches. In fact, credential-based attacks are such a low risk/high reward attack vector that credentials are now among the most sought-after targets by hackers, head of bank, medical and personal data according to Verizon's most recent Data Breach Investigations Report.
Password security- what's changed?
The notion that passwords should be secure is not exactly novel. Yet, the ongoing success rates of credential attacks illustrate that there is a disconnect between password security in theory and in practice. So, what exactly is the issue?
Ultimately it comes down to employee behavior. People recognize the importance of selecting a strong, unique password for every online system and account but the desire for convenience and productivity generally trumps this wisdom. In their rush to be more efficient, employees often will reuse passwords for multiple accounts or use slight variations of the same root phrase. This poor password practice isn't just a problem among non-technical employees—nearly a quarter of IT security leaders in a recent survey admitted to reusing passwords across both work and personal sites.
Move aside, mandatory resets
Historically, organizations have attempted to address password security through mandatory resets. However, the National Institute of Standards and Technology, or NIST, now recommends that companies remove periodic password change requirements as numerous studies have documented that people employ weaker passwords when forced to frequently change them.
Cut the complexity chaos
Another legacy approach to password security is to force users to include a mix of upper and lower case letters, numbers and special characters. NIST has recently come out against this practice as well, recognizing that these restrictions also often result in worse passwords. Just like with mandatory resets, people could make very minor changes to the same root phrase and be in compliance but still be using a relatively unsecure password.
Setting the stage for credential screening
In lieu of the above and other outdated approaches to password security, NIST recommends that companies screen new passwords against a list of commonly used or compromised passwords. Numerous static blacklists of exposed credentials are available online, and some companies have enough resources to curate their own.
However, data breaches occur on a daily basis meaning that newly exposed credentials are available for hackers to leverage in credential-based attacks. In order to keep pace with this ongoing onslaught, organizations need a dynamic, automated approach to credential screening that checks passwords against the latest threat intelligence. In addition, it's also important that companies continuously screen passwords to ensure they remain secure. After all, a credential could pass its check at its creation but subsequently become exposed.
A modern approach to credential screening
It's clear that companies need a modern approach to credential screening. Enzoic's proprietary solution screens all proposed username and password pairs against our dynamic database, which contains multiple billions of credentials exposed in data breaches and found in cracking dictionaries. The database is updated multiple times each day, ensuring that credentials are checked against the latest breach data without adding an additional burden on IT.
In addition, because this screening happens entirely in the background, it provides enhanced password security without introducing friction into the employee experience. Uncompromised employees gain easy access to their accounts without navigating the additional steps or device requirements associated with MFA, one-time passwords or other authentication mechanisms. If a compromise is detected organizations can automate their response, whether it's forcing a password reset or using a secondary authentication method to verify identity.
Don't overlook security basics
The New Year brings significant hype over emerging technology trends but there's no point investing in cutting-edge security technology if your credential security is still rolling out the welcome mat to hackers. That's why it's imperative to take steps today to ensure you close the door on credential-based attacks once and for all. Learn more about Enzoic's approach and how we can help you safeguard passwords and protect the network.