There is no evidence to suggest that data breaches will become less frequent or less serious. In fact, as more of the population now works from home, the risks are increasing. To counter this threat, organizations really need to upgrade their risk management strategy to pinpoint the reasons why and how so many companies and individuals are being successfully targeted by hackers.
Enzoic has recently audited over 1,000 corporate domains and found that nearly 20% of real-world user accounts were weak or compromised, and thus highly vulnerable to attacks and represented a serious cybersecurity risk. The audit findings revealed that of those with unsafe passwords, 10% of those were using weak passwords (found in cracking dictionaries) while 90% were using compromised passwords (exposed in data breaches). This meant that the vast majority of those users’ exact passwords had been exposed.
These vulnerabilities could have led, or may lead in the future, to account takeover, company infiltration, ransomware, or other information security disasters. Even more troubling, what Enzoic’s results reveal is the best-case scenario of how many passwords are unsafe within an average private sector company. If the best-case scenario is that one in five users’ passwords are vulnerable, just imagine how much larger the problem actually is in some organizations.
This type of data helps unpack the reason why there are so many successful cyber-attacks. The short explanation is that passwords that have been compromised are being reused.
Many people don’t understand the techniques used by hackers. Hackers know that even when users don’t reuse exact passwords, they will typically follow simple patterns to create passwords. These include making small modifications to familiar dictionary words, predictable character substitutions, and appending numbers and symbols, to name a few.
For example, passwords like ‘Loveyou#1’ or ‘admin2023’ are easily guessed, despite fulfilling the requirements for character length and variety. Users may make tiny variations, like ‘L0veyou#1’ or ‘adm1n2023’, for their many different personal and work accounts.
The results of Enzoic’s research provide a useful benchmark for your organization’s cyber vulnerability. Let it be a wake-up call to how your smart and capable employees may be using vulnerable and weak passwords every day. It’s also a chance for IT administrators and organizational directors to address the issues of password policy and compromised credentials within their enterprises. Fortunately, there are several resources that can help guide you in improving cybersecurity practices.
The primary resource comes from The National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce. NIST contributes to both Federal Information Processing Standards (FIPS) as well as guidance documents and recommendations through its Special Publications (SP) 800-series.
For organizations and IT professionals alike, NIST guidelines and the NIST cybersecurity framework can quickly become the foundation for best practices in cybersecurity. However, while NIST is excellent at providing tips about what practices to leave behind, it does not provide precise solutions. In other words, the guidelines are great for letting folks know what to change, but not necessarily what to change it to.
In the most recent set of NIST password standards, it’s recommended that all organizations screen new passwords against a blacklist. In Section 18.104.22.168, they note that “when processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.” This means that if you’re typing in either a new or an already-established password, there should be a system to scan that password and identify if it’s already been stolen.
Of course, if in the screening process a compromised credential is detected, ideally the user is alerted so that they can take immediate action. NIST suggests not only advising the user of the compromise, but also immediately requiring them to select a new password and informing them of the reason why the change is happening.
NIST guidelines are established as standards. They are suggested as best practices for risk management, but come without specific implementation instructions. For example, how does one go about accessing a password blacklist? How can you make sure that it protects your company, and helps guide your employees towards a better password policy?
Don’t be among the bad password statistics in 2021, consider the simple tools that are available to improve user password behavior and secure your network.
Enzoic’s tools are built specifically to handle NIST standards. They are focused on solutions to contemporary security issues including compromised password detection and remediation.
Enzoic for Active Directory Lite is an extremely useful free audit tool for identifying exactly which accounts are using unsafe passwords. The full Enzoic for Active Directory service aims more towards long-term safety options and better and more tailored blacklists. It keeps bad passwords from being created in Active Directory and automates the process of removing good passwords that become bad. Enzoic draws data from previous breaches, common dictionary words, and company-specific language using both automated processes as well as real, on-the-ground human attention so that breaches are noticed as soon as they occur.