Employee password hardening: Do not just mitigate bad passwords. Eliminate weak and compromised passwords.
Threats to password-based authentication can overwhelm organizations. Because passwords are still the most common way for users to access their account, they invite abuses from bad actors. It is made worse by the security negligence of employees. But hardening employee passwords can be difficult without introducing significant user friction. No wonder so many organizations are struggling to keep their accounts and infrastructure secure.
The traditional ways organizations use to thwart successful attacks on employee accounts are becoming less effective:
- Periodic password resets have been found to make employee passwords less secure. When forced to change their passwords regularly, most employees choose passwords that are simpler or use iterations of old passwords so they can remember them.
- Mandatory complex character strings do not make passwords more secure any longer. Attackers know the common tricks users leverage to add these characters. Attackers have added those variations into their attack methodology.
But now there are new ways for employee password hardening that can also reduce user friction and IT burden.
Old methods can create more challenges and are less effective now.
Organizations have often operated in the blind about whether criminal hackers have obtained compromised passwords that are valid. Apart from the occasional manual checks using static password lists, enterprises have had few options for detecting compromised passwords.
This lack of visibility into password security has led some organizations to mitigate weak passwords by micromanaging access. They use periodic password resets and complex character requirements to try to impede attackers. Those methods of defense are used to protect aging or straightforward passwords that users may select. However, old passwords are not necessarily weak and strong passwords are not necessarily safe. Even organizations that conduct regular periodic password resets cannot control whether criminal hackers steal or guess their credentials in the interim. This means cybercriminals still have an attack window.
The trouble is those old methods that pressure employees to routinely recreate their passwords with complex character strings foster user frustration. As a result, employees often will simply add a single character, usually an exclamation point, to update or obscure the core password they have already memorized. Cybercriminals who have already guessed or found that exposed password, will test it with the typical iterations (like an extra character or leetspeak) and still get into an employee account.
The new method for eliminating weak and compromised passwords can reduce user frustration and IT burden.
These days, organizations need to eliminate bad employee passwords – rather than just mitigate them as they have done in the past. They need tools that check passwords daily against a continuously-updated database of weak or compromised credentials. This is an effective way to secure the password layer of security and support employee password hardening, without creating undue frustration for employees.
Organizations need what we refer to as continuous password monitoring (also known as continuous password filtering or screening), which compares passwords at creation and daily against a robust, real-time database of billions of compromised and bad passwords. Continuous password monitoring negates the need for periodic password resets.
When done correctly, password filtering and monitoring should have zero user experience impact. Employees only need to create new passwords when breaches and exposures compromise their current password. This removes the need for overly complex passwords, and thereby, relieves employee frustration.
Here are a few things to look for when considering continuous password monitoring:
1) Automated response and less manual work from IT.
With continuous password screening, weak and compromised passwords have short lives because when a vulnerable password is found, an automated real-time response should be activated. Organizations no longer need to rely on static password lists that lose their timeliness and effectiveness with every passing day. Organizations can choose to instantly notify Active Directory administrators while prompting users to change their password the next time they use their login credentials. Companies can also elect to immediately and automatically disable user accounts if their policies require it. An automated tool provides less manual work for IT while improving employee password hardening.
2) A secure process for leveraging password comparisons.
In this process of comparing passwords, organizations should keep passwords safe as it checks them against a database. Cracking passwords or having them shared in plaintext is a significant vulnerability. Therefore, Enzoic for Active Directory doesn’t crack passwords nor shares them in cleartext. It checks only partial hashes of passwords and never exposes full passwords or hashes during the comparison process. This is known in cryptography as k-anonymity, and it is vital to use this approach to keep employee password safe.
3) Insight to know what is working and how.
When considering password filtering, employee password hardening, and continuous password screening tools, Active Directory administrators need to have proper analytics. They need to see the total number of detections, including the number of discoveries due to fuzzy matching, local dictionary, or password similarity matching. They also need the ability to pull the logs into log management tools to help streamline reporting.
4) How vulnerable password data is sourced.
Lastly, when considering continuous password filtering for employee accounts, ensure that the vendor you select sources the data themselves rather than relying on a 3rd party list. Some vendors don’t do any research themselves but download free password blacklists off the internet. These password blacklists are a decent start, but they are not typically the lists that attackers are using because they are very public and known. Enzoic’s threat research team updates and maintains its catalog of exposed credentials continuously. It uses dedicated human analysts and advanced automation technologies that perform deep threat research, scouring the Dark Web, the Internet, and otherwise unavailable private resources for breached and exposed passwords.
Harden the employee password.
While many organizations are exploring alternatives to passwords, many experts know that we are not even close to eliminating the password for authentication. Even in organizations that are using other forms of authentication, the back-up method is still the password. Instead of abandoning the authentication technology that is at the core of every account and app, organizations can focus on hardening the employee password.
Start screening for vulnerable passwords rather than spending limited IT resources on help desk tickets for password resets and complexity rules. Organizations now have a sophisticated yet easy-to-implement automated way to eliminate weak, exposed, and breached passwords at their creation and through daily checks with Enzoic for Active Directory.