With the rapid rate of evolution within technology, why are we still using passwords? The answer lies in the simple, positive attributes of passwords that are not found in other authentication methods: they are affordable, easy to replace, universally compatible, privacy-safe, and free of false positives. This closer look highlights the gaps in other methods that will make it hard to get past the password.
NIST suggests passwords should be screened against commonly used, expected, or compromised passwords. This is intended to ensure passwords are not found in common cracking dictionaries that would make them easy to guess. These checks can occur at account creation and password reset. But then what? How do you know whether they are still safe as time passes?
How many of your users are using insecure and compromised passwords? You may have a standard password strength meter on your site, so you may think that your users have secure passwords. Think again. Password strength meters and password complexity requirements are simply not enough.
Billions of user credentials (usernames and passwords) have been exposed publicly over the last few years. The natural question that comes up is “what do cybercriminals do with these stolen credentials?” Well, apart from using them to attempt logins to the breached website itself, the second most common thing cybercriminals will do with stolen credentials is to use them in an attack called “credential stuffing.”