Industry Insights with Mike Greene

Access Management , Identity & Access Management , Multi-factor & Risk-based Authentication

4 Automated Password Policy Enforcers for NIST Password Guidelines

Automate Screening of Exposed Passwords and Password Policy Enforcement
4 Automated Password Policy Enforcers for NIST Password Guidelines

NIST password guidelines balance user-friendly password policies that can improve security and reduce IT helpdesk costs. While NIST introduced these new password guidelines in 2017, acceptance of these guidelines has sky-rocketed in 2019 as security experts far and wide have now endorsed them.

To aid in the implementation of the NIST password guidelines, many organizations are embracing tools that can automate screening of exposed passwords and password policy enforcement. Automated password policies can help simplify the implementation of NIST password guidelines without creating a lot of additional burden on the IT team.

Here are four automated password policy options we recommend for NIST compliance.

1. Continuously Monitor for Exposed Passwords

The average person reuses each password as many as 13 times. Cybercriminals rely on this lax behavior and prey upon the vulnerabilities caused by password reuse. Compromised passwords are responsible for 81% of hacking-related breaches, according to the Verizon DBIR.

IT and Security teams are fighting back with screening passwords against a continually updated password blacklist. Attackers are frequently using the freshest exposures they can find because they know the more recent exposures will result in more successful outcomes. If an organization only uses old password blacklists, they are giving attackers a much larger attack window to take over an employee account. NIST password guidelines recommend continuous password screening to help solve for this attack vector.

2. Screen for Commonly-Used Passwords

Many employees use weak, common passwords and are unaware of it. Many organizations are now automating password screening. It starts with preventing common words. Pairing common words with other words, special characters, and numbers can be allowed with appropriate character lengths. Additionally, organizations should block repetitive characters or sequential characters (for example: 111111). There are also the most common passwords that attackers know some people will use so organizations should be blocking common passwords (for example: 123456, qwerty, abc123, password1)

3. Block Expected or Similar Passwords

Most employees will also reuse passwords in the form of a root password that is changed with just replacing numbers with letters. Attackers know that this is a common practice, so organizations also need to prevent expected passwords and their various forms. Fuzzy matching is essential because if your password is recently exposed online from another site, an attacker will use patterns of that password. Fuzzy password matching checks for multiple variants of the password, including case sensitivity as well as common substitutions such as leetspeak and password reversing.

For example: If your exposed password is "HolidayVacation1", attackers will usually try variations such as:

  • "HolidayVacationi" Leetspeak (substituting numbers for letters like leet= 1337)
  • "1noitacaVyadiloH" reversed password
  • "holidayvacation1" a case-sensitive change

Another typical employee password behavior is using one root password and then changing just one or two characters. This practice makes it easier for the employee to remember their password, but unfortunately, it also makes it easy for bad actors to guess it. With password similarity blocking, new passwords are screened by similarity to a former password using the Damerau-Levenshtein distance.

For example: If your compromised password is "HolidayVacation2018" , attackers usually try iterations like:

  • HolidayVacation2019" one-character change
  • "HolidayVacation2020" two-character change
  • "HolidayVacation18" two-digit change

The systems admin should be able to determine the amount of difference (aka distance) between the old password and the new password. With this password policy, the minimum number of character differences should be at least 1. Organizations have varying opinions on how many characters should be different between old and new passwords so it is important they select a tool that allows this to be customized.

4. Prevent Use of Context-Specific Passwords

Criminals will also attempt to use context-specific passwords to gain access to Active Directory accounts. They know that many employees will include their company or product name in their password. To combat this, companies need the ability to create a filter for a custom password dictionary. Organizations should be able to add custom local passwords that will be screened and blocked at creation. Custom passwords should be partially matched and case insensitive, so any password that includes that word would be blocked.

For example: If your customer password dictionary includes the word "GeneralElectric", users would not be allowed to use that word in any password, so a password like "ILovegeneralElectric" will be blocked.

Summary

Organizations need quick-to-deploy password policy enforcement and daily exposed password screening that is automated to reduce any additional workload on the IT team. Automation allows the IT team to set up the password policies and then just let them run. When an existing password becomes vulnerable, the remediation steps are automated instead of requiring manual intervention by an admin or the helpdesk.

Enzoic's fully automated weak password filtering, fuzzy password matching, password similarity blocking, and custom password dictionary filtering enables organizations to quickly and easily adopt NIST password requirements.



About the Author

Mike Greene

Mike Greene

CEO & GM, Enzoic

Greene currently serves as CEO and General Manager of Enzoic (formerly PasswordPing), a cyber-security company that screens logins for compromised credentials to prevent account takeover and fraud. He is a growth-oriented CEO and General Manager with extensive experience across the organization from product and operations to sales and marketing - in a variety of international high growth companies. Prior to Enzoic, he was the CEO of ID Watchdog, an identity theft protection company that was sold to Equifax in 2017. Before IDWatchdog, Greene held senior management positions at Symantec, Webroot, Thompson Micromedix, Raindance and Baxter.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.