Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.
  • Residence:
  • County:
  • Country:
Cyber Security Incident Response
Management & Architecture of Cyber Security Teams
Solutions & Coaching
  • Cyber Security Incident Response
  • Management & Architecture of Cyber Security Teams
  • Solutions
  • Training & Coaching

Why Password Hygiene Needs a Reboot

May 17, 2021

In at present’s digital world, password safety is extra vital than ever. Whereas biometrics, one-time passwords (OTP), and different rising types of authentication are sometimes touted as replacements to the normal password, at present, this idea is extra advertising hype than anything.

However simply because passwords aren’t going anywhere anytime soon does not imply that organizations need not modernize their method to password hygiene proper now.

The Compromised Credential Disaster

As Microsoft’s security team put it, “All it takes is one compromised credential…to trigger an information breach.” Coupled with the rampant downside of password reuse, compromised passwords can have a major and long-lasting influence on enterprise safety.

The truth is, researchers from Virginia Tech College discovered that over 70% of customers employed a compromised password for different accounts as much as a yr after it was initially leaked, with 40% reusing passwords that have been leaked over three years in the past.

Whereas the problem of compromised credentials is not precisely new for many IT leaders, they might be shocked to be taught that their makes an attempt to handle the issue usually create extra safety vulnerabilities.

Following are only a few examples of conventional approaches that may weaken password safety:

  • Mandated password complexity
  • Periodic password resets
  • Limitations on password size and character utilization
  • Particular character necessities

A Fashionable Strategy to Password Safety

Given the vulnerabilities related to these legacy approaches, The Nationwide Institute of Requirements and Expertise (NIST) has revised its recommendations to encourage extra fashionable password safety finest practices. On the root of NIST’s most up-to-date suggestions is the popularity that human elements usually result in safety vulnerabilities when customers are compelled to create a password that aligns with particular complexity necessities or compelled to reset it periodically.

For instance, when requested to make use of particular characters and numbers, customers would possibly choose one thing fundamental like “[email protected];” a credential that’s clearly widespread and simply exploited by hackers. One other legacy method that may have an adversarial impact on safety is insurance policies that prohibit the usage of areas or numerous particular characters in passwords. In spite of everything, in order for you your customers to create a powerful, distinctive password that they’ll simply bear in mind, why would you impose limitations round what this might be?

As well as, NIST is now recommending in opposition to periodic password resets and suggesting that corporations solely require passwords to be modified if there’s proof of compromise.

The Function of Credential Screening Options

So, how can corporations monitor for indicators of compromise? By adopting one other NIST suggestion; particularly, that organizations display screen passwords in opposition to blacklists containing generally used and compromised credentials on an ongoing foundation.

This will likely sound easy sufficient, but it surely’s vital to pick out the best compromised credential screening resolution for at present’s heightened risk panorama.

No Substitute for Dynamic

There are quite a few static blacklists accessible on-line and a few corporations even curate their very own. However with a number of knowledge breaches occurring on a real-time foundation, newly compromised credentials are repeatedly posted on the Darkish Net and accessible for hackers to leverage of their ongoing assaults. Current blacklists or ones which are solely up to date periodically all year long are merely no match for this high-stakes setting.

Enzoic’s dynamic solution screens credentials in opposition to a proprietary database containing a number of billions of passwords uncovered in knowledge breaches and located in cracking dictionaries. As a result of the database is mechanically up to date a number of occasions per day, corporations have peace of thoughts that their password safety is evolving to handle the most recent breach intelligence with out necessitating extra work from an IT perspective.

Screening credentials each at their creation and repeatedly monitoring their integrity thereafter can be an vital part of a contemporary method to password safety. Ought to a beforehand secure password grow to be compromised down the highway, organizations can automate the suitable motion—for instance, forcing a password reset on the subsequent log-in or shutting down entry solely till IT investigates the issue.

The Path Ahead

Whereas NIST pointers usually inform finest apply suggestions throughout the safety business, it is in the end as much as safety leaders to find out what works finest for his or her distinctive wants and tailor their methods accordingly.

Relying upon your business, firm measurement, and different elements, maybe a few of the suggestions aren’t acceptable for your small business.

However with the day by day barrage of cyberattacks displaying no signal of abating and often being linked again to password vulnerabilities, it is not simple to think about a corporation that would not profit from the extra safety layer afforded by credential screening.

Discover out extra about Enzoic’s dynamic password risk intelligence and the way it may help reboot your method to password hygiene here.

Posted in SecurityTags:
Write a comment