According to the recently released 2021 Verizon Data Breach Investigations Report, compromised credentials are one of the most sought-after hacker targets—ahead of bank, medical, and even personal data.
The pandemic doubtlessly contributed to putting credentials into hackers’ crosshairs. For example, the shift to remote working led to the creation of multiple new digital accounts, while industries such as grocery, retail, and banking invested more heavily in digital services. These factors combined provide bad actors with ample opportunity to attack sites and use these newly leaked credentials to victimize more organizations.
So, is your organization doing enough to keep credentials safe? To answer that question, you must first understand the primary drivers of credential security:
- Poor Password Practices: As a general rule, people understand the importance of creating strong, unique passwords for every online account. However, these considerations are typically outweighed by a desire for convenience and efficiency and an inability to remember complex passwords—particularly in today’s age of multiple online accounts and services. While organizations may be tempted to address credential vulnerabilities by enforcing complex password requirements, this is actually a poor security practice for numerous reasons. Chief among these is the fact that human errors often lead to security vulnerabilities when employees are required to create a password that aligns with specific complexity requirements. For example, a basic phrase such as “P@ssword1!” might check all the boxes from a compliance perspective. However, it is clearly a weak password that is guaranteed to exist on a list of exposed credentials available to hackers on the Dark Web.
- Password Reuse: Another factor underpinning credential security is the pervasive problem of password reuse. Ninety-one percent of respondents in one survey acknowledge the inherent risks of using the same password across multiple accounts, but 59% admit to doing it anyway. What’s more, 62% of employees are reusing the same password for both work and personal accounts. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. And with new breaches occurring virtually every day, this threat is continuously growing. To put the problem into context, in the first quarter of 2021, our database picked up an average of 862 million credentials per month—equating to approximately 300 breached credentials every second.
- Default Passwords: The enterprise is growing increasingly connected and reliant on edge computing and the IoT. Case in point: by 2029, Gartner expects more than 15 billion IoT devices to be connected to enterprise infrastructure. While these trends bring various benefits, they also introduce new credential security concerns because many of these devices are shipped with default passwords as standard. Unless companies update these credentials and take steps to monitor their integrity on an ongoing basis, they are leaving open a gaping security vulnerability that hackers will be only too happy to exploit.
Compromised Credential Screening Offers Password Peace of Mind
Given that hackers are increasingly targeting credentials as a means to compromise the next organization, it’s critical that companies modernize their approach to password management. The National Institute of Standards and Technology, or NIST, has issued new recommendations to help enterprises do exactly that. A key component of their new guidance is that companies verify that passwords are not compromised before being activated and on an ongoing basis.
How can you do that, you may ask? There are numerous static blacklists of exposed credentials available online and some organizations even curate their own. But to truly ensure password security, companies need a dynamic, automated credential screening solution that can keep pace with today’s barrage of cyberattacks.
Enzoic’s proprietary credential screening solution screens all proposed passwords against our dynamic database containing multiple billions of passwords exposed in data breaches and found in cracking dictionaries. In today’s heightened threat landscape, it’s highly likely that a password may be secure at its creation but become compromised down the road. For example, 12% of the exposed credentials Enzoic picked up in the first quarter of the year were new, unique passwords we had not seen before. This underscores the importance of having an automated approach to ensuring the integrity of existing passwords on a daily basis, rather than simply relying on a static list of exposed credentials. Our database is automatically updated multiple times per day, ensuring that companies’ password security reflects the latest breach intelligence without adding additional work from an IT perspective.
Premium Password Security, Zero User Friction
Another benefit of our modern approach to credential screening is that password checking happens entirely in the background. Uncompromised employees gain efficient access to their accounts without adding additional steps or device requirements, such as is the case with multi-factor authentication, one-time passwords, or other authentication mechanisms that introduce additional friction. Should a previously secure password become compromised down the road, organizations can automate their response, whether it’s forcing a password reset or using an existing secondary authentication method to verify the employee’s identity.
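The two checks described above (screening a proposed password against an exposure corpus before activation, and re-screening enrolled passwords whenever new breach data arrives so that a reset or step-up authentication can be triggered) as an added illustration. This is example code written for this page, not Enzoic's product or API; the breach corpus and user names are constructed, and the deterministic digest used for re-screening is an assumption about how such a comparison can be made without keeping plaintext.

```python
import hashlib
from dataclasses import dataclass, field


def exposure_hash(password: str) -> str:
    # Deterministic (unsalted) digest so a stored value can later be compared
    # against digests of newly leaked passwords. This is weaker than the salted
    # login hash, so it must be stored and access-controlled separately.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class CredentialScreener:
    exposed: set = field(default_factory=set)     # digests of known-exposed passwords
    enrolled: dict = field(default_factory=dict)  # user -> digest of current password

    def ingest_breach(self, leaked_passwords):
        """Add a batch of newly leaked passwords (e.g. from a breach dump or
        cracking dictionary) and return the users whose current password is now
        exposed, so the caller can force a reset or require step-up auth."""
        new = {exposure_hash(p) for p in leaked_passwords}
        self.exposed |= new
        return sorted(user for user, digest in self.enrolled.items() if digest in new)

    def is_compromised(self, password: str) -> bool:
        return exposure_hash(password) in self.exposed

    def set_password(self, user: str, password: str) -> bool:
        """Creation-time screen: reject an exposed password, otherwise enroll it."""
        if self.is_compromised(password):
            return False
        self.enrolled[user] = exposure_hash(password)
        return True


# Constructed sample corpus (not real breach records).
INITIAL_CORPUS = ["P@ssword1!", "123456", "qwerty"]


def demo():
    screener = CredentialScreener()
    screener.ingest_breach(INITIAL_CORPUS)
    creation = {
        # Complexity-compliant but already exposed, so it is rejected.
        "alice": screener.set_password("alice", "P@ssword1!"),
        "bob": screener.set_password("bob", "correct-horse-battery-staple"),
    }
    # A later dump contains bob's password: the ongoing re-screen flags him.
    flagged = screener.ingest_breach(["hunter2", "correct-horse-battery-staple"])
    return creation, flagged


if __name__ == "__main__":
    print(demo())
```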
Password Security is a Corporate Responsibility
Your employees may be responsible for password creation, but ensuring the integrity of these credentials is ultimately an enterprise obligation. Hackers rely on people’s poor password practices to continue to victimize more organizations, and it’s unrealistic to expect employees to change their approach to password management. But by deploying Enzoic’s dynamic password threat intelligence, companies can safeguard passwords, protect their networks and fight back against credential attacks—all without impacting employee efficiency and productivity.