fbpx
Enzoic Navigation
  • Solutions
    • Enzoic Account Takeover Protection
    • Enzoic for Active Directory
    • Enzoic Exposure Alerts
    • NIST Password Screening
  • FAQ
  • Resources
    • Submit a Support Ticket
    • Security Overview
    • API Documentation
    • Enzoic for Active Directory Documentation
  • Company
    • About Us
    • Threat Intel
    • Careers
  • Blog
  • Contact Us
  • Free Trial
  • Solutions
    • Enzoic Account Takeover Protection
    • Enzoic for Active Directory
    • Enzoic Exposure Alerts
    • NIST Password Screening
  • FAQ
  • Resources
    • Submit a Support Ticket
    • Security Overview
    • API Documentation
    • Enzoic for Active Directory Documentation
  • Company
    • About Us
    • Threat Intel
    • Careers
  • Blog
  • Contact Us
  • Free Trial
Considerations for Choosing a Compromised Credential Screening Solution Provider

Questions To Ask When Considering A Credential Screening Solution

Credential screening providers are critical business partners who help mitigate the risks of cyberattacks and choosing the right one can prevent exposure of additional risks.

Depending on how the data is handled, you can introduce more or less risk into your environment. We hope this article is valuable in helping you determine which credential screening provider is right for your organization.

Credential Screening: The Basics

What is the provider’s latency for each type of credential check (P50, P90, P99, and P99.9)? How will this impact the user login experience?

Does the provider rely on password cracking to match against their database?  Cracking more advanced hashing algorithms is not possible when a provider is processing millions of records a day, so how many credentials are they actually matching on?  What percentage is left uncracked?  How do they handle b-crypt and other hard to crack hashes?

If the provider cracks passwords, is your security team comfortable with the risk of cracked passwords being transferred?  Are they comfortable with the responsibility for storing users’ data from other systems to comply with GDPR and other PII laws?

Do they have the ability to allow comparisons with salted or hashed passwords?

Will the solution give you flexibility in your credential screening policy? Meaning if a user’s credentials are compromised, can you handle it in different ways like forced password reset, step-up authentication, etc.? 

Can you integrate the API to be a definitive risk signal in your authentication and fraud prevention policy?

Does the provider provide realistic database numbers?  There are an estimated 3B people with email addresses on the whole planet so there is a finite amount of data that can be reliably sourced without duplication.  Are they inflating numbers and/or including duplicates in their numbers?    

Do they source their data internally or buy the data from another data provider? If they buy the data from another source, do they disclose that to their customers? 

Do they use automated technology for sourcing data? Do they use human threat research, if so how many people?  Do they use a combination of both? 

Does the provider have the capability to interface and/or integrate their screening solution with your IT systems to allow users to seamlessly log in to your organization‘s system in a secure manner?

Does the provider outline API documentation clearly for your team to implement it?  Can your team get access to the technical team in case of issues?

Does the provider check passwords? Full credentials? Both?

What is the provider’s breadth of SDKs and Client Libraries to simplify integration? Java, .NET, etc..

Legal Compliance

Can the provider certify their compliance with all applicable federal, state and local laws, consumer reporting, privacy protection, data destruction and other governing laws?

Does the provider certify that their employees (and any sub-contractors) sign a confidentially and non-disclosure agreement that meets your company‘s requirements?

Can the provider clearly articulate the processes available to your company when a compromised credential is discovered?  

Has the provider been held liable for their business practices in the past? Are they currently facing any active claims?

Data Protection, Privacy and Security Measures

Does the provider have a written Information Security Policy that adheres to known best practices and provides a high level of data protection?

Does the provider have system security in place that fully meets your data security requirements, including communicating and securing data?

Does the provider meet your physical security requirements for securing their own systems that meets current IT security standards?

Does the provider have a written policy that states that personally identifiable information is never resold by them?

Can the provider provide periodic reports verifying data protection procedures are being followed or allow their processes to be audited?

Does the provider’s data breach policy meet your requirements?

Does the provider‘s disaster recovery plan meet your requirements?

Quality Assurance

Does the provider have a documented quality assurance policy and on-going process in place to ensure the highest level of accuracy is maintained?

Ask the provider if their processes have been audited by a certified external organization and the frequency that audits occur.

Business, Financial and Future

Has the provider been in business and have they offered this product last three years?  Are they VC-funded and what is their run rate so you can avoid providers with a limited lifespan?  Or do they operate off of their own revenue sources? 

Does the provider have Errors & Omissions insurance or insurance that meets your company requirements?

Require the provider to fully disclose previous litigation within the last five years and any that occurs while the contract is in place.

Is credential screening core to their business or just something they have as an add-on to other products?

If you have questions about this list or compromised credential screening in general, please contact us at info@enzoic.com

Share this Post

Account TakeoverCompromised Credentialscredential screeningpassword cracking

Search

Browse blog categories

  • Account Takeover (4)
  • Active Directory (4)
  • all posts (34)
  • breach (4)
  • Company News (1)
  • Continuous Password Protection (1)
  • Credential Screening (4)
  • cybersecurity (10)
  • Edtech (1)
  • Financial Services (1)
  • FinTech (1)
  • Gaming (1)
  • GDPR (1)
  • Insider Threats (1)
  • Law Firms (1)
  • NIST 800-63b (3)
  • press release (4)
  • Recognition and Awards (2)
  • Regulation and Compliance (2)
  • tips (7)

Recent tweets

Enzoic (formerly PasswordPing)
13h
Enzoic (formerly PasswordPing)
@EnzoicSecurity

Are PSD2 SCA Options Too Narrow in Scope? On 09/14, PSD2 SCA requirements were introduced in the EU. It helps to better protect customers but why did they not consider lower-customer-friction options? enzoic.com/psd2-sca/ #PSD2 #SCA

Expand reply reply retweet retweet favorite favorite
Enzoic (formerly PasswordPing)
18h
Enzoic (formerly PasswordPing)
@EnzoicSecurity

Join Enzoic's CEO, Michael Greene, at KuppingerCole's Consumer Identity World USA 2019 for the panel discussion on "User-Friendly Login Procedures," Sept. 27, 2019 in Seattle. zcu.io/pnQH #cybersecurity #ATO #fraud

Expand reply reply retweet retweet favorite favorite
Enzoic (formerly PasswordPing)
23 Sep
Enzoic (formerly PasswordPing)
@EnzoicSecurity

Gamers Are Easy Prey for Credential Thieves: Gamers are easy pickings for credential crooks, thanks to lax security hygiene and poor gaming company practices. zcu.io/0RQM @2drinksbehind @threatpost #InfoSec #CompromisedPasswords

Expand reply reply retweet retweet favorite favorite
Enzoic (formerly PasswordPing)
22 Sep
Enzoic (formerly PasswordPing)
@EnzoicSecurity

Forging Effective Security with Password Enforcement. See the full infographic at: enzoic.com/wp-content/upl… #Passwords #CyberSecurity #InfoSec pic.twitter.com/rpQNJARbBs

Expand reply reply retweet retweet favorite favorite
Enzoic (formerly PasswordPing)
22 Sep
Enzoic (formerly PasswordPing)
@EnzoicSecurity

The War for Cyber Talent Will Be Won by Retention not Recruitment: zcu.io/dt9w

Expand reply reply retweet retweet favorite favorite

Stay up to date

Research, news, and more right to your inbox

More

  • Learning about strong, but unsafe passwords
  • What is a credential stuffing attack?
  • What is account takeover (ATO) fraud?
  • Eliminating password reuse to prevent ATO fraud
  • Password Strength Meter (Free)
  • Developer Documentation (APIs)

Recent blog posts

  • Are PSD2 SCA Options Too Narrow in Scope?
  • New Jersey Data Breach Notification Law
  • 8 Ways to Mitigate Credential Stuffing
  • Enzoic Continues to Grow with Appointment of New Marketing Director
  • [ Free Trial ]
  • Contact Us
  • 1-720-773-4515

Enzoic ©2019 | Privacy Policy | Acceptable Use

Cookies

This website uses cookies to improve your experience. Continue to use the site as normal if you agree to the use of cookies. To find out more about our use of cookies or to opt-out, please see our Privacy Policy.

More Information
This site is for EDUCATIONAL PURPOSES ONLY.
Your password will be sent securely to the Enzoic servers to check if it is compromised. We do not store your password or use it for any other purpose. If you are not comfortable with this, do not enter your real password.
What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater. Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.

More…
  • Visit our FAQ to learn more
  • Contact us for press or sales inquiries
  • Add a free password strength meter to your website