Solving the Password Problem in Education

The education sector is a prime target for credential attacks and password reuse is rampant. So, we took some time to talk with one of our customers (a large private university) about how our solution has enabled them to shore up their defenses and reduce the risk from compromised credentials.

Tell us about your situation.

Higher education is similar to a decentralized company with many different populations and diverse needs. Our community spans students straight from high school to alumni that graduated decades ago spread across the globe. As a result, passwords remain an effective and affordable authentication solution. However, to keep our systems secure we determined we needed a way to prevent the use of compromised credentials.

Our in-house Cyber Threat Intelligence (CTI) team helped validate the magnitude of the password problem by showing the tactics, techniques, and procedures bad actors were actually using to target the university every day. Insights from the team highlighted that compromised credentials were a consistent vector hackers were exploiting and previously exposed passwords from major breaches were active in our environment.

Talk about the evaluation process and why you chose Enzoic.

We wanted a very secure and easy to use solution to detect when university passwords were exposed. We did a thorough examination of Enzoic’s data and found they had more recent credentials from data breaches than others.

Another critical requirement was keeping third parties involved with the solution at arm’s length due to the risk of supply chain attacks, as the SolarWinds attack highlighted! Our evaluation involved a review of the Enzoic’s SDK code we’d be using. We were pleased that it was open source. We also liked their password hash comparison method. Unlike others, theirs used a single-blind approach. All of these factors made Enzoic the perfect choice.

Describe some of the ways the solution is being used.

We recently introduced a single sign-on (SSO) system with ForgeRock. Given our CTI team’s findings around credential attacks, it was vital that we add password screening.

We also integrated Enzoic with our emergency shutdown process called the Big Red Button. The intelligence from Enzoic notifies us if a password is compromised. This allows us to immediately shut down the account, scramble the password and disconnect all active sessions. It was a game-changer for our university cyber teams to have that feature available.

How much training was required to get your teams up to speed?

The solution is easy for everyone involved and minimal time was required to train our helpdesk teams. From a technical perspective, the APIs are straightforward and, coupled with the excellent documentation, it was a pain free process.

What are your future plans?

We want to focus our limited cybersecurity resources in the right places. We know that’s on people and behaviors – and that means passwords. Our plan is to roll out the SSO solution from ForgeRock across the entire university ecosystem. This will allow us to get Enzoic’s password screening to the largest number of departments with the least friction.

How would you summarize the Enzoic solution in under 30 seconds?

Protecting against password attacks is essential to the safety of our university. Enzoic makes that simple. It’s an excellent service that’s saved our butts quite a bit!