
Benefits of NIST Guidelines in Real-World Solutions

There is no evidence to suggest that data breaches will become less frequent or less serious in 2021. In fact, as more of the population now works from home, the risks are increasing. To counter this threat, organizations need to upgrade their risk management strategy to pinpoint why and how so many companies and individuals are being successfully targeted by attackers.

Enzoic recently audited over 1,000 corporate domains and found that nearly 20% of real-world user accounts had weak or compromised passwords, leaving them highly vulnerable to attack and representing a serious cybersecurity risk. Of the accounts with unsafe passwords, 10% were using weak passwords (found in cracking dictionaries) and 90% were using compromised passwords (exposed in data breaches). In other words, for the vast majority of those users, the exact password in use had already been exposed.

These vulnerabilities could have led, or may yet lead, to account takeover, company infiltration, ransomware, or another information security disaster. Even more troubling, Enzoic's results describe a best-case picture of how many passwords are unsafe within an average private-sector company. If the best case is that one in five users' passwords are vulnerable, the problem is considerably larger in some organizations.

This type of data helps unpack the reason why there are so many successful cyber-attacks. The short explanation is that passwords that have been compromised are being reused.

Many people don't understand the techniques attackers use. Attackers know that even when users don't reuse exact passwords, they typically follow simple patterns to create them: small modifications to familiar dictionary words, predictable character substitutions, and appended numbers and symbols, to name a few. Automated cracking tools apply these same transformations as rules to a base wordlist, so a variation that feels unique to the user is often among the first candidates tried.

For example, passwords like ‘Loveyou#1’ or ‘admin2020’ are easily guessed despite meeting length and character-variety requirements. Users then make tiny variations, like ‘L0veyou#1’ or ‘adm1n2020’, to reuse the same base across their many personal and work accounts.

The results of Enzoic's research provide a useful benchmark for your organization's cyber vulnerability. Let it be a wake-up call to the fact that your smart and capable employees may be using vulnerable and weak passwords every day. It is also a chance for IT administrators and organizational directors to address password policy and compromised credentials within their enterprises. Fortunately, there are several resources that can help guide you in improving cybersecurity practices.

The primary resource comes from the National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce. NIST contributes both to Federal Information Processing Standards (FIPS) and to guidance documents and recommendations through its Special Publication (SP) 800 series.

For organizations and IT professionals alike, NIST guidelines and the NIST Cybersecurity Framework can quickly become the foundation for cybersecurity best practices. However, while NIST is excellent at stating which practices to leave behind, it does not prescribe precise solutions: the guidelines say what to change, but not necessarily what to change to.

The most recent NIST password guidance, SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), recommends that organizations screen new passwords against a blacklist. Section 5.1.1.2 states that “when processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.” In practice, whenever a password is created or changed, the system should check it against such a list and identify whether it is already known to attackers.

If the screening detects a compromised or commonly-used value, the user should be alerted so that they can act immediately. NIST goes further than a warning: the verifier must advise the user that the value is unacceptable, require them to choose a different password, and tell them the reason for the rejection.
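The screening step described in the two passages above, as an added example that is not Enzoic's code or NIST's reference implementation: a verifier that (1) rejects the exact password if it is on a compromised list, (2) undoes the predictable mangling from the earlier paragraphs (case, trailing digits and symbols, leet substitutions) so that ‘L0veyou#1’ and ‘adm1n2020’ are recognised as variations of common words, (3) rejects “expected” values such as the username or company name, and (4) returns the reason the user must be given. The word lists, the compromised hashes and the substitution table are constructed for illustration and are far smaller than anything a real deployment would use.

```python
from __future__ import annotations

import hashlib
import re
from typing import Iterable, Set, Tuple

# Constructed stand-ins for the lists SP 800-63B 5.1.1.2 refers to. A real
# deployment holds hundreds of millions of entries and refreshes them as new
# breaches surface; these few values are only for illustration.
COMMON_WORDS = {"password", "loveyou", "admin", "welcome", "qwerty", "letmein"}

# "Compromised" values are kept as SHA-1 hex digests so the list itself never
# contains plaintext (assumption: SHA-1 is the form the breach corpus uses).
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Summer2020!", "P@ssw0rd", "Loveyou#1")   # constructed sample
}

# Character substitutions attackers apply as cracking "rules"; '1' is listed
# with both letters it commonly replaces.
SUBSTITUTIONS = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i",
}


def normalize_candidates(password: str, max_candidates: int = 64) -> Set[str]:
    """Undo the predictable mangling a user applies to a base word: case-fold,
    strip leading/trailing digits and symbols ("2020", "#1"), and reverse leet
    substitutions, trying every expansion where a character is ambiguous.
    Returns the set of base words the password may have been derived from."""
    base = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    stripped = re.sub(r"^[\d\W_]+", "", stripped)
    candidates = {""}
    for ch in stripped:
        options = ch + SUBSTITUTIONS.get(ch, "")   # keep the literal char too
        candidates = {c + o for c in candidates for o in options}
        if len(candidates) > max_candidates:       # bound the expansion
            candidates = set(sorted(candidates)[:max_candidates])
    return candidates | {base, stripped}


def screen_password(password: str, context_words: Iterable[str] = ()) -> Tuple[bool, str]:
    """The 5.1.1.2 check a verifier runs when a password is set or changed.

    Returns (accepted, reason). On rejection the reason is what the user must
    be told, together with the requirement to pick a different value."""
    if len(password) < 8:   # 800-63B minimum for user-chosen memorized secrets
        return False, "too short: at least 8 characters are required"
    if hashlib.sha1(password.encode("utf-8")).hexdigest() in COMPROMISED_SHA1:
        return False, "this exact password has appeared in a data breach"
    candidates = normalize_candidates(password)
    if candidates & COMMON_WORDS:
        return False, "this is a common password or a predictable variation of one"
    for word in context_words:   # "expected" values: username, company, service
        w = word.lower()
        if len(w) >= 3 and any(w in c for c in candidates):
            return False, f"the password must not contain '{word}'"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("Loveyou#1", "L0veyou#1", "adm1n2020", "JSmith2021!",
               "correct horse battery staple"):
        print(f"{pw!r:34} -> {screen_password(pw, context_words=('jsmith', 'Acme'))}")
```

Because the candidate set is bounded, a password consisting mostly of substitutable characters is only partially expanded; a production verifier would instead apply the same rule set its attackers use and stop at the first dictionary hit.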

NIST guidelines are published as recommendations: best practices for risk management that come without specific implementation instructions. For example, how does one obtain or build a password blacklist? How do you make sure it actually protects your company and guides your employees toward better password habits?

Don’t be among the bad-password statistics in 2021: consider the simple tools that are available to improve user password behavior and secure your network.

Enzoic’s tools are built specifically to meet NIST standards, with a focus on contemporary security issues including compromised password detection and remediation.

Enzoic for Active Directory Lite is a free tool for identifying exactly which accounts are using unsafe passwords. The full Enzoic for Active Directory service is aimed at ongoing protection and at larger, more tailored blacklists: it prevents bad passwords from being set in Active Directory and automatically flags passwords that were acceptable when chosen but have since been exposed. Enzoic draws its data from previous breaches, common dictionary words, and company-specific language, using both automated collection and human analysts, so that newly exposed credentials are detected soon after they appear.

This site is for EDUCATIONAL PURPOSES ONLY.
Your password will be sent securely to the Enzoic servers to check if it is compromised. We do not store your password or use it for any other purpose. If you are not comfortable with this, do not enter your real password.
What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed on the web and dark web over the years, and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on a list of compromised passwords. That is what the Password Check tool was designed to tell you, and why it is superior to the traditional password strength estimators found elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater. Since our database of compromised passwords is far larger than what could be downloaded to the browser, the check must occur server-side, so it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over a TLS (commonly still called SSL) connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA-1, and SHA-256 algorithms. Unsalted hashes, especially MD5 and SHA-1, are NOT a secure way to store passwords, and for a weak password an unsalted hash is little better than the plaintext, since anyone who obtains it can recover the password with a wordlist. That is not their purpose here: TLS secures the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we are not in the business of cracking password hashes, we need these hashes submitted so the lookup can match entries that exist only in hashed form. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry-standard tools and techniques and is routinely tested and reviewed for soundness.
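A model of the lookup described above, added here as an illustration and not Enzoic's own client or server code: the client side computes the three unsalted digests, the server side keeps an index of breach-observed values keyed by the algorithm in which each was found (so a password seen only as an MD5 hash in some dump still matches without being cracked), and a short wordlist attack shows why the submitted digests are as sensitive as the password itself, which is why transport security and non-retention carry the protection. The corpus entries are constructed, not real breach data.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")


def client_hashes(password: str) -> Dict[str, str]:
    """What the browser submits over TLS: three unsalted hex digests of the
    password, never the plaintext itself."""
    data = password.encode("utf-8")
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


class CompromisedIndex:
    """Server-side lookup table keyed by (algorithm, digest).

    Each breach record is indexed in the form it was actually observed: a
    plaintext dump is indexed under all three algorithms, a hash-only dump
    only under the algorithm that dump used. Sending three digests lets a
    password known only as an MD5 hash be matched without cracking it."""

    def __init__(self) -> None:
        self._index: Set[Tuple[str, str]] = set()

    def add_plaintext_dump(self, passwords: Iterable[str]) -> None:
        for pw in passwords:
            for alg, digest in client_hashes(pw).items():
                self._index.add((alg, digest))

    def add_hash_dump(self, alg: str, digests: Iterable[str]) -> None:
        for digest in digests:
            self._index.add((alg, digest.lower()))

    def lookup(self, submitted: Dict[str, str]) -> List[str]:
        """Return the algorithms under which the submitted value was found
        (an empty list means not known to be compromised). The submitted
        digests are only compared here and are not written anywhere."""
        return sorted(alg for alg, d in submitted.items() if (alg, d) in self._index)


def is_compromised(password: str, index: "CompromisedIndex") -> bool:
    return bool(index.lookup(client_hashes(password)))


def recover_from_unsalted_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Why an unsalted digest is not a secret: for a weak password, anyone who
    intercepts the digest can recover the plaintext from a wordlist almost
    instantly. The confidentiality of the lookup therefore rests on TLS and on
    the server discarding the digests, not on the hashing."""
    target = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word
    return None


# Constructed sample corpus (not real breach data).
INDEX = CompromisedIndex()
INDEX.add_plaintext_dump(["Summer2020!", "P@ssw0rd", "Loveyou#1"])
INDEX.add_hash_dump("md5", [hashlib.md5(b"letmein123").hexdigest()])  # hash-only dump


if __name__ == "__main__":
    for pw in ("Summer2020!", "letmein123", "correct horse battery staple"):
        print(f"{pw!r:34} found under: {INDEX.lookup(client_hashes(pw))}")
    leaked = client_hashes("letmein123")["md5"]
    print("recovered from intercepted MD5:",
          recover_from_unsalted_md5(leaked, ["password", "qwerty", "letmein123"]))
```

Running it shows "letmein123" matching only under md5, which is the case the three-digest submission exists for, and the same MD5 value falling to a three-word list, which is the case the TLS requirement exists for.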
