Considerations for Choosing a Compromised Credential Screening Solution Provider

Questions To Ask When Considering A Credential Screening Solution

Credential screening providers are critical business partners who help mitigate the risk of cyberattacks, and choosing the right one can prevent you from taking on additional risk.

Depending on how the provider handles the data, you can introduce more or less risk into your environment. We hope this article helps you determine which credential screening provider is right for your organization.

Credential Screening: The Basics

What is the provider’s latency for each type of credential check? How will this impact the user login experience?

Does the provider rely on password cracking to match against their database? Cracking more advanced hashing algorithms is not possible when a provider is processing millions of records a day, so how many credentials are they actually matching on? What percentage is left uncracked? How do they handle bcrypt and other hard-to-crack hashes?

If the provider cracks passwords, is your security team comfortable with the risk of cracked passwords being transferred?  Are they comfortable with the responsibility for storing users’ data from other systems to comply with GDPR and other PII laws?

Do they have the ability to allow comparisons with salted or hashed passwords?

Will the solution give you flexibility in your credential screening policy? That is, if a user’s credentials are compromised, can you handle it in different ways, such as a forced password reset or step-up authentication?

Can you integrate the API to be a definitive risk signal in your authentication and fraud prevention policy?

Does the provider give realistic database numbers? There are an estimated 3B people with email addresses on the whole planet, so there is a finite amount of data that can be reliably sourced without duplication. Are they inflating numbers and/or including duplicates in their numbers?

Do they source their data internally or buy the data from another data provider? If they buy the data from another source, do they disclose that to their customers? 

Do they use automated technology for sourcing data? Do they use human threat researchers, and if so, how many? Do they use a combination of both?

Does the provider have the capability to interface and/or integrate their screening solution with your IT systems so that users can log in to your organization’s systems seamlessly and securely?

Does the provider document their API clearly enough for your team to implement it? Can your team get access to the provider’s technical team in case of issues?

Does the provider check passwords? Full credentials? Both?
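The three questions above (policy flexibility, using the API as a definitive risk signal, and whether passwords, full credentials or both are checked) come together in the login flow. The following is an added example, not Enzoic’s code or API: the screening call is a stand-in backed by a constructed in-memory table, and the outcome names, action names and policy defaults are assumptions. It separates a match on the exact username/password pair from a match on the password alone, and it treats a provider timeout as its own outcome so the latency question is answered by policy rather than by accident.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed sample of exposed data standing in for a provider's database.
# Usernames and passwords are kept only as SHA-256 digests in this demo so the
# table itself never holds plaintext secrets.
EXPOSED_PASSWORDS = {_sha256("Summer2023!"), _sha256("P@ssw0rd")}
EXPOSED_CREDENTIAL_PAIRS = {(_sha256("alice@example.com"), _sha256("Summer2023!"))}


class Exposure(Enum):
    NONE = "none"                        # nothing known to be exposed
    PASSWORD_ONLY = "password_only"      # password seen in breaches, under other identities
    FULL_CREDENTIAL = "full_credential"  # this exact username/password pair is exposed
    PROVIDER_ERROR = "provider_error"    # screening call timed out or failed


class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_authentication"
    FORCE_RESET = "force_password_reset"


@dataclass(frozen=True)
class Policy:
    """Maps each screening outcome to a login action (defaults are assumptions)."""
    on_full_credential: Action = Action.FORCE_RESET
    on_password_only: Action = Action.STEP_UP
    on_provider_error: Action = Action.STEP_UP  # do not silently allow when the check is unavailable


def screen(username: str, password: str) -> Exposure:
    """Stand-in for the provider's screening call: check the full pair first
    (the strongest signal), then the password on its own."""
    u = _sha256(username.strip().lower())
    p = _sha256(password)
    if (u, p) in EXPOSED_CREDENTIAL_PAIRS:
        return Exposure.FULL_CREDENTIAL
    if p in EXPOSED_PASSWORDS:
        return Exposure.PASSWORD_ONLY
    return Exposure.NONE


def unavailable_screen(username: str, password: str) -> Exposure:
    """Simulates a provider that does not answer within the latency budget."""
    raise TimeoutError("screening provider did not answer in time")


def decide(username: str, password: str, policy: Policy = Policy(), screen_fn=screen) -> Action:
    """Turn the screening result into one definitive action for the login flow.
    Call this only after the primary password verification has succeeded, so the
    screening outcome never leaks whether an account exists."""
    try:
        exposure = screen_fn(username, password)
    except OSError:  # TimeoutError and ConnectionError are OSError subclasses
        exposure = Exposure.PROVIDER_ERROR
    return {
        Exposure.NONE: Action.ALLOW,
        Exposure.PASSWORD_ONLY: policy.on_password_only,
        Exposure.FULL_CREDENTIAL: policy.on_full_credential,
        Exposure.PROVIDER_ERROR: policy.on_provider_error,
    }[exposure]


if __name__ == "__main__":
    for user, pw in [("alice@example.com", "Summer2023!"), ("bob@example.com", "P@ssw0rd"),
                     ("bob@example.com", "correct horse battery staple")]:
        print(user, "->", decide(user, pw).value)
    print("provider down ->", decide("bob@example.com", "x", screen_fn=unavailable_screen).value)
```

The point of the `Policy` object is that the response to each outcome is a configuration decision owned by your team, not something baked into the provider’s SDK; the provider-error branch is where the latency question from the list gets a concrete answer.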

What is the provider’s breadth of SDKs and client libraries (e.g. Java, .NET) to simplify integration?

Legal Compliance

Can the provider certify their compliance with all applicable federal, state and local laws, consumer reporting, privacy protection, data destruction and other governing laws?

Does the provider certify that their employees (and any sub-contractors) sign a confidentiality and non-disclosure agreement that meets your company’s requirements?

Can the provider clearly articulate the processes available to your company when a compromised credential is discovered?  

Has the provider been held liable for their business practices in the past? Are they currently facing any active claims?

Data Protection, Privacy and Security Measures

Does the provider have a written Information Security Policy that adheres to known best practices and provides a high level of data protection?

Does the provider have system security in place that fully meets your data security requirements, including communicating and securing data?

Does the physical security the provider applies to their own systems meet your requirements and current IT security standards?

Does the provider have a written policy that states that personally identifiable information is never resold by them?

Can the provider provide periodic reports verifying data protection procedures are being followed or allow their processes to be audited?

Does the provider’s data breach policy meet your requirements?

Does the provider’s disaster recovery plan meet your requirements?

Quality Assurance

Does the provider have a documented quality assurance policy and an ongoing process in place to ensure the highest level of accuracy is maintained?

Ask the provider if their processes have been audited by a certified external organization and the frequency that audits occur.

Business, Financial and Future

Has the provider been in business, and have they offered this product, for the last three years? Are they VC-funded, and what is their run rate, so you can avoid providers with a limited lifespan? Or do they operate off of their own revenue sources?

Does the provider have Errors & Omissions insurance or insurance that meets your company requirements?

Require the provider to fully disclose previous litigation within the last five years and any that occurs while the contract is in place.

Is credential screening core to their business or just something they have as an add-on to other products?

If you have questions about this list or compromised credential screening in general, please contact us.

Enzoic ©2022 | Privacy Policy | Acceptable Use

Your password will be sent securely to the Enzoic servers to check if it is compromised. We do not store your password or use it for any other purpose. If you are not comfortable with this, do not enter your real password.
What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater.

Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups.

We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.
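The lookup just described, with three unsalted digests going in and a match decision coming out, as an added example that is not Enzoic’s code. The corpus is a constructed handful of entries, and the example generalizes slightly beyond the paragraph: each entry records the form in which the password was found (plaintext, or an MD5, SHA1 or SHA256 digest). A digest found in one hash space cannot be converted into another without first cracking it, which is exactly why the client has to submit all three and why the server-side function accepts digests only and never the plaintext. The claim about zeroing memory is not reproduced here; Python gives no reliable way to do it.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")

# Constructed sample corpus standing in for a large compromised-password database.
# Each entry is (form, value): the password as it was found in the wild.
CORPUS = [
    ("plain", "Summer2023!"),                                       # leaked in plaintext
    ("sha1", hashlib.sha1(b"letmein").hexdigest()),                 # found only as a SHA1 digest
    ("md5", hashlib.md5(b"dragon").hexdigest()),                    # found only as an MD5 digest
    ("sha256", hashlib.sha256(b"qwerty123").hexdigest().upper()),   # mixed-case hex, as dumped
]


def build_index(corpus):
    """Index the corpus by hash space. Plaintext entries are hashed into all three
    spaces at index time; hashed entries can only live in the space they came in,
    since turning a SHA1 digest into an MD5 digest would mean cracking it first."""
    index = {algo: set() for algo in ALGOS}
    for form, value in corpus:
        if form == "plain":
            data = value.encode("utf-8")
            for algo in ALGOS:
                index[algo].add(hashlib.new(algo, data).hexdigest())
        elif form in index:
            index[form].add(value.lower())  # normalise hex case so lookups are exact
        else:
            raise ValueError(f"unknown corpus entry form: {form}")
    return index


INDEX = build_index(CORPUS)


def client_hashes(password: str) -> dict:
    """What the browser computes and submits over TLS: three unsalted digests."""
    data = password.encode("utf-8")
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def lookup(hashes: dict, index=INDEX) -> list:
    """Server-side check. Takes digests only, never the plaintext, and returns the
    hash spaces in which a match was found (an empty list means not known to be
    compromised). Nothing is logged; the argument goes out of scope on return."""
    return [algo for algo in ALGOS if algo in hashes and hashes[algo].lower() in index[algo]]


def is_compromised(password: str) -> bool:
    """Client-side convenience wrapper: hash locally, then ask the lookup."""
    return bool(lookup(client_hashes(password)))


if __name__ == "__main__":
    for candidate in ["Summer2023!", "letmein", "dragon", "qwerty123", "zebra-locomotive-9"]:
        print(f"{candidate!r}: matched in {lookup(client_hashes(candidate)) or 'no hash space'}")
```

Run against the sample corpus, `letmein` matches only in the SHA1 space and `dragon` only in the MD5 space; a client that submitted a SHA256 digest alone would miss both, which is the practical reason behind sending three digests rather than one.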
