
State of Password Security: Response Required

Why organizations need to react urgently to the state of password security, according to data from 451 Research

In a recent brief titled “Love ‘em or Hate ‘em, Passwords Are Here to Stay,” 451 Research indicated that despite the stirrings of a passwordless revolution, the widespread use of passwords won’t be changing in the foreseeable future.

The 451 brief points out that passwords are cheap and low-friction for both users and business processes. Additionally, passwords are familiar; they make people of many ages and levels of tech-savviness feel protected because they chose their own memorable code (no one could guess the password ‘PassWord123!’, right? Wrong.).

Compromised credentials are, in many cases, the entry point for a breach, whether a personal account takeover (ATO) or a system-wide data exposure, and this represents a concerning vulnerability within many organizations.

NIST guidelines now indicate that strong authentication requires two distinct factors out of three: something you know (passwords, PINs), something you have (phones, hardware tokens) and something you are (fingerprints, facial recognition).

But the 451 research states that even as the use of phones and biometrics becomes more common, there are too many challenges for widespread use at the moment: device compatibility, for one, and in urgent situations it’s not practical to type in a PIN and then wait for a secondary message to be sent to your phone.

One security option for businesses and enterprises wishing to prevent credential stuffing is multi-factor authentication (MFA). Unlike passwords, however, MFA has real limitations, including user friction, device compatibility, and cost. 451 research shows that, because of these deployment difficulties, MFA adoption has risen only 2% over the past three full years.

The research shows that just 53% of the [approximately 1,000] enterprises surveyed have started using MFA at any level, and states that it is likely [though no evidence of this is provided in the report] that within that 53% of enterprises, “MFA is only being used for specific user populations or specific use cases.”

Long story short: there are some options to increase general security, but as the rate of adoption is glacial at best, it’s extremely likely that passwords will be considered a default factor of authentication for a long time yet.

But, as is fortunately becoming common knowledge, passwords are an inherently vulnerable authentication option: they can be guessed, cracked, or stolen, and subsequently used as entry points for threat actors to perpetrate crimes. In fact, the Verizon DBIR reports that “credential theft, errors and social attacks are the three most common culprits in breaches.” This could mean that your Disney+ account gets hacked and your algorithm doesn’t recommend the right shows anymore, or it could mean that your PayPal is drained and someone has obtained a credit card in your name.

So as credential theft continues to rise, what can be done to ensure password security, knowing that they aren’t going anywhere?

The 451 research brief concludes that “in the interim, then, there are several strategies” for enterprises and organizations to take, the most important and time-sensitive being a policy of checking passwords against a blacklist of compromised credentials. Such a check has to happen at two points: in real time, when a password is set or changed, and continuously afterwards, because a password that was clean yesterday can appear in a breach dump today.

Enzoic is committed to protecting accounts through compromised password detection in Active Directory (AD) software. Enterprises can use the Enzoic for AD tool to automate password policy enforcement and to comply with NIST password guidelines.

Our plugin includes continuous exposed password monitoring, checking users’ credentials against an ever-expanding, rapidly-evolving blacklist. This allows the perspective to shift: instead of a rule-based approach to password creation (e.g. mandating the use of numbers or special characters), Enzoic monitors from an event-based point of view (tracking whether the password has been seen in a data breach).

It’s a logical, cheap, and straightforward solution to harden the password layer. Enzoic works from inside Active Directory, automates the remediation process, and provides both real-time checking and continuous monitoring of the credentials.
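To make the difference between rule-based and event-based checking concrete, here is an added illustration (not Enzoic’s code, and not an Active Directory integration) of both halves of the approach described above: a real-time check when a password is set, and a continuous re-scan of existing accounts after the blacklist is updated. The breach corpus is a constructed sample, the 5-hex-character SHA-1 prefix bucketing is the k-anonymity style range query used by some public breach services (assumed here, not a description of Enzoic’s data format), and the function names are the author’s own.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of breached passwords. A real corpus has billions of entries.
SAMPLE_BREACH_CORPUS = ["PassWord123!", "123456", "qwerty", "letmein", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the usual key for breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class CompromisedPasswordIndex:
    """Blacklist of breached password hashes, bucketed by a 5-char SHA-1 prefix.

    The bucket scheme lets a client ask "what hashes start with ABCDE?" and
    compare the remaining 35 characters locally, so the full hash (let alone
    the password) never leaves the client. Assumed scheme for this example.
    """

    def __init__(self, passwords: Iterable[str]):
        self._buckets: Dict[str, Set[str]] = {}
        self.add_many(passwords)

    def add_many(self, passwords: Iterable[str]) -> None:
        """Daily corpus update: new breach data lands here."""
        for pw in passwords:
            h = sha1_hex(pw)
            self._buckets.setdefault(h[:5], set()).add(h[5:])

    def range_query(self, prefix: str) -> Set[str]:
        """What a breach service would return for a 5-char prefix."""
        return set(self._buckets.get(prefix.upper(), ()))

    def is_compromised(self, password: str) -> bool:
        h = sha1_hex(password)
        return h[5:] in self.range_query(h[:5])


# A typical composition rule: 12+ chars, upper, lower, digit, symbol.
COMPLEXITY_RULE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{12,}$")


def passes_complexity_rules(password: str) -> bool:
    """Rule-based check. 'PassWord123!' satisfies it; that is the problem."""
    return bool(COMPLEXITY_RULE.match(password))


def evaluate_new_password(password: str, index: CompromisedPasswordIndex) -> Tuple[bool, str]:
    """Real-time, event-based check at password-set time.

    Follows the NIST SP 800-63B direction: enforce a minimum length and a
    breach-list check rather than character-class composition rules.
    """
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if index.is_compromised(password):
        return False, "appears in a known breach"
    return True, "ok"


def rescan_accounts(accounts: Dict[str, str], index: CompromisedPasswordIndex) -> List[str]:
    """Continuous monitoring: re-check stored hashes after a corpus update.

    `accounts` maps username -> SHA-1 hex recorded when the password was set.
    Storing an unsalted SHA-1 is a simplification for this example only; a
    production tool uses a format it can safely compare against its corpus.
    Returns the usernames whose passwords are now known to be exposed.
    """
    flagged = []
    for user, stored in accounts.items():
        if stored[5:] in index.range_query(stored[:5]):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    index = CompromisedPasswordIndex(SAMPLE_BREACH_CORPUS)
    # Rule-based says yes, event-based says no.
    print(passes_complexity_rules("PassWord123!"), evaluate_new_password("PassWord123!", index))
    # Rule-based says no, event-based accepts a long, unbreached passphrase.
    print(passes_complexity_rules("correct horse battery staple"),
          evaluate_new_password("correct horse battery staple", index))
    # Continuous monitoring: a password that was clean at set time shows up later.
    accounts = {"alice": sha1_hex("Summer2020!"), "bob": sha1_hex("correct horse battery staple")}
    print(rescan_accounts(accounts, index))   # nothing flagged yet
    index.add_many(["Summer2020!"])            # tomorrow's breach dump arrives
    print(rescan_accounts(accounts, index))   # alice needs remediation
```

The point of the example is the second rescan: nothing about alice’s password changed, but the event (its appearance in a new dump) is what makes it unsafe, and only continuous monitoring catches that.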

As heartening as it is to read research that supports the work Enzoic is doing, it is more and more concerning to learn that passwords are becoming easier to crack, staying just as common, and that replacement systems are being adopted at incredibly slow rates. Data breaches happen all the time. Enzoic uses proprietary compromised credential data that is updated every day to keep users and organizations safe.

Due to the terrifying frequency of password reuse (up to 99% of users reuse passwords), every organization functioning in a digital capacity needs to be concerned about leaked credentials—and act fast to protect themselves and their users.