Industry Insights with Mike Greene

4 Key Considerations for Employee Password Hardening & Compromised Password Monitoring

Traditional Methods to Thwart Successful Attacks Are Becoming Less Effective

Threats to password-based authentication overwhelm many organizations. Because passwords are still the most common way to access accounts, they invite abuses from bad actors and negligence by employees. But hardening employee passwords can be difficult without introducing significant user friction to the login process. Additionally, the traditional ways organizations use to thwart successful attacks are becoming less effective.

Old methods can create more challenges and are less effective now.

Organizations have often operated blind, with no way of knowing whether criminal hackers hold valid passwords for their accounts. Apart from occasional manual checks against static password lists, enterprises have had few options for detecting compromised passwords.

This lack of visibility into password security has led some organizations to mitigate weak passwords by micromanaging access. They use periodic password resets and complex character requirements to try to impede attackers. Those defenses exist to protect the aging or straightforward passwords that users tend to select. But even organizations that conduct regular password resets cannot control whether criminal hackers steal or guess credentials in the interim, so cybercriminals still have an attack window.

The old methods that pressure employees to routinely recreate their passwords with complex character strings foster employee frustration. As a result, employees often simply add a single character to update or obscure the core password they have already memorized. Cybercriminals who have already guessed or found that exposed password will test it with the typical iterations (such as an extra character or leetspeak) and still get into the employee's account.

But now there are new ways for employee password hardening that can also reduce user friction and IT burden.

The new method, continuous monitoring for weak and compromised passwords, can reduce user frustration and IT burden.

Organizations need continuous password monitoring, which compares passwords at creation and daily against a robust, real-time database of billions of compromised and bad passwords. Continuous password monitoring negates the need for periodic password resets.

When done correctly, password monitoring should have zero user experience impact. Employees only need to create new passwords when breaches and exposures compromise their current password. This removes the need for overly complex passwords and thereby relieves employee frustration.

Here are a few things to consider for employee password hardening and continuous password monitoring:

1. You need an automated response to reduce manual work for IT.

Organizations no longer need to rely on static password lists that lose their timeliness and effectiveness with every passing day. With continuous password screening, weak and compromised passwords have short lives: when a vulnerable password is found, an automated real-time response can be activated. An automated tool means less manual work for IT while improving employee password hardening.

2. You need a secure process for password comparisons.

When comparing passwords, organizations must keep the passwords safe while checking them against a database. Cracking passwords or sharing them in plaintext is a significant vulnerability. Don't implement tools that crack passwords or share them in cleartext. Ensure that only partial hashes of passwords are used, and that full passwords and full hashes are never exposed during the comparison. This k-anonymity approach is vital to keeping employee passwords safe.
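As an added illustration of the partial-hash (k-anonymity) comparison described above, and not code from the article or from any vendor's product, the following Python models both sides of the exchange: the service indexes SHA-1 hashes of a constructed sample of compromised passwords by their first five hex characters, and the client sends only that prefix and performs the final comparison locally. The five-character SHA-1 prefix convention is borrowed from the widely used Pwned Passwords range-query API; the password list, the `PREFIX_LEN` constant and the function names are assumptions made for this example.

```python
import hashlib

# Constructed sample standing in for the monitoring service's database of
# exposed passwords (a real service holds billions of entries).
COMPROMISED_PASSWORDS = ["password1", "Summer2019!", "letmein", "qwerty123"]

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used in range queries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- service side -----------------------------------------------------
# The service stores hash suffixes bucketed by prefix. It never receives a
# password, and it never receives a full hash either.
SERVICE_INDEX = {}  # prefix -> set of suffixes
for _pw in COMPROMISED_PASSWORDS:
    _digest = sha1_hex(_pw)
    SERVICE_INDEX.setdefault(_digest[:PREFIX_LEN], set()).add(_digest[PREFIX_LEN:])


def range_query(prefix: str) -> list:
    """Service endpoint: return every suffix stored under a 5-hex-char prefix.

    Every password whose hash starts with `prefix` comes back together, so the
    service cannot tell which one (if any) the caller actually holds.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return sorted(SERVICE_INDEX.get(prefix, set()))


# ---- client side (e.g. a password filter on a domain controller) --------
def is_compromised(password: str, query=range_query) -> tuple:
    """Hash locally, send only the prefix, compare suffixes locally.

    Returns (compromised?, the exact string that was sent to the service) so
    the caller can audit what left the machine.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = query(prefix)  # only `prefix` crosses the wire
    return suffix in candidates, prefix


if __name__ == "__main__":
    for candidate in ["password1", "correct horse battery staple"]:
        hit, sent = is_compromised(candidate)
        print(f"{candidate!r}: compromised={hit}, sent to service={sent!r}")
```

With a real database each five-character bucket contains hundreds of suffixes, which is where the anonymity comes from; the toy list above usually yields one suffix per bucket, so the privacy property is visible in what `is_compromised` reports as sent rather than in the bucket size. A production filter would also pin the service's TLS certificate and fail closed on transport errors, which the example omits.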

3. You need the insight to know what is working and how.

When considering password monitoring, employee password hardening, and continuous password screening tools, Active Directory administrators need to have proper analytics. They need to see the total number of detections, including the number of discoveries due to fuzzy matching, local dictionary, or password similarity matching. They also need the ability to pull the logs into log management tools to help streamline reporting.
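The detection categories named above (exact matches, fuzzy matches that undo the extra-character and leetspeak tricks described earlier in the article, a local dictionary, and similarity matching) are easy to see in miniature. The Python below is an added example, not the article's or any vendor's code: it screens a constructed batch of candidate passwords, tallies detections by type, and emits JSON log lines that carry the detection type and account but never the password itself, which is the shape a log management tool would ingest. The compromised list, the local dictionary, the leet map, the edit-distance threshold of 2 and all function names are assumptions made for this example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for the exposed-password feed (lowercase entries).
COMPROMISED = {"password", "summer2019", "letmein", "welcome1"}
# Constructed local dictionary: organization-specific terms an admin bans.
LOCAL_DICTIONARY = {"acme", "acmecorp", "denver"}

# Common leetspeak substitutions, undone before comparison.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Strip the usual cosmetic tweaks: trailing digits/symbols first, then
    case and leetspeak, so 'P@ssw0rd1' and 'Summer2020!' collapse to their cores."""
    core = password.rstrip("0123456789!@#$%^&*.?_-")
    return core.lower().translate(LEET_MAP)


NORMALIZED_COMPROMISED = {normalize(p) for p in COMPROMISED}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for the similarity-matching category."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(password: str) -> str:
    """Classify a candidate password by the first rule that rejects it."""
    low = password.lower()
    if low in COMPROMISED:
        return "exact"
    core = normalize(password)
    if core in NORMALIZED_COMPROMISED:
        return "fuzzy"
    if any(term in core for term in LOCAL_DICTIONARY):
        return "local_dictionary"
    if any(levenshtein(low, known) <= 2 for known in COMPROMISED):
        return "similarity"
    return "ok"


def screen_batch(attempts):
    """attempts: iterable of (username, candidate_password).

    Returns (tally of results by detection type, JSON log lines for rejected
    attempts). The log lines deliberately omit the password.
    """
    tally = Counter()
    logs = []
    for user, pw in attempts:
        result = screen(pw)
        tally[result] += 1
        if result != "ok":
            logs.append(json.dumps({
                "ts": datetime.now(timezone.utc).isoformat(),
                "event": "password_rejected",
                "user": user,
                "detection": result,
            }))
    return tally, logs


# Constructed sample of password-change attempts for the demonstration.
SAMPLE_ATTEMPTS = [
    ("alice", "Summer2020!"),                 # digit bump on an exposed password
    ("bob", "P@ssw0rd1"),                     # leetspeak plus trailing digit
    ("carol", "Acme2024"),                    # company name from local dictionary
    ("dave", "lettmein"),                     # one edit away from an exposed password
    ("erin", "correct horse battery staple"), # passes
    ("frank", "welcome1"),                    # exact hit
]

if __name__ == "__main__":
    tally, logs = screen_batch(SAMPLE_ATTEMPTS)
    print(dict(tally))
    for line in logs:
        print(line)
```

The order of the checks matters for the analytics: a candidate is counted once, under the cheapest rule that catches it, so the tally tells an administrator how much each detection technique contributes on top of the exact-match list. The similarity threshold is deliberately conservative; a looser threshold rejects more variants but also more legitimate passwords, which is exactly the trade-off the analytics should make visible.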

4. You need to examine how the compromised password data is sourced.

Lastly, consider how the data is sourced. Free password blacklists off the internet are a great first step, but criminals are attacking with fresher and more sophisticated data sources. The most common password blacklists are not typically the lists that attackers use, because they are very public and well known. A full threat research team is needed to update a database of exposed passwords from the Dark Web, the Internet, and otherwise unavailable private resources. One or two people are simply not enough.

Harden the employee password.

While many organizations are exploring alternatives to passwords, many experts know that we are not close to eliminating the password for authentication. Even in organizations that are using other forms of authentication, the back-up method is still the password. Instead of abandoning the authentication technology that is at the core of every account and app, organizations can focus on hardening the employee password.

Start screening for vulnerable passwords rather than spending limited IT resources on help desk tickets for password resets and complexity rules. Organizations now have a sophisticated yet easy-to-implement automated way to eliminate weak, exposed, and breached passwords at their creation and through daily checks with Enzoic for Active Directory.

About the Author

Mike Greene

CEO & GM, Enzoic

Greene currently serves as CEO and General Manager of Enzoic (formerly PasswordPing), a cyber-security company that screens logins for compromised credentials to prevent account takeover and fraud. He is a growth-oriented CEO and General Manager with extensive experience across the organization from product and operations to sales and marketing - in a variety of international high growth companies. Prior to Enzoic, he was the CEO of ID Watchdog, an identity theft protection company that was sold to Equifax in 2017. Before IDWatchdog, Greene held senior management positions at Symantec, Webroot, Thompson Micromedix, Raindance and Baxter.