password hygiene

Password Hygiene: Due for a Cleaning

Every aspect of our lives is touched by the digital world and passwords are one of the most critical issues in cybersecurity. Internet users of all ages and abilities employ passwords without necessarily understanding the process. Why are they being asked to create passwords with specifications like capital letters and only certain symbols?

It’s time for us all to visit a digital dentist. We need to modernize our approach to password hygiene as soon as possible.

Compromised Credentials: The Hidden Culprit

What is a compromised credential? Put simply, it’s a user’s personal information. Often an email and password combination which has been stolen or leaked in some way. Each day, millions of sets of credentials are offered and sold on the dark web. In many cases, the owners of said credentials are entirely unsuspecting.

Coupled with the astoundingly common problem of password reuse, compromised credentials are a core security issue. Even a single set can be the cause of a massive data breach.

This is similar to cavities. You wouldn’t necessarily know you have one until a dentist informs you. Sometimes, you’ve finally made it into the dentist, but it’s too late. It’s time for a root canal.

As dentists are no strangers to cavities, compromised credentials aren’t breaking news for most IT professionals. But imagine if suddenly dentists realized that flossing your teeth could encourage cavities? A reversal of the advice they had been promoting for years. This is akin to a conversation happening in cybersecurity where IT leaders are learning that their attempts to address the problem of compromised credentials have been exacerbating additional vulnerabilities.

The cybersecurity industry is realizing legacy guidelines like complexity requirements, periodic password resets, limitations on password length and character usage, and special character requirements can weaken password security.

The Newest, Data-Driven Recommendations

If all the guidelines we thought were secure are proving to be loophole-creating, what should you do next to stay safe? An excellent first stop is The National Institute of Standards and Technology (NIST), a body that researches and provides recommendations for updated modern best practices for password security.

Recent research cited by NIST revealed that it’s not passwords that are failing us. The hard truth is that we aren’t using passwords to their maximum potential. When people are forced to create passwords with so many arbitrary complexity requirements and then periodically reset them, they create weak passwords, as well as password reuse of ‘good’ ones that satisfy the requirements over and over again.

When users are asked to create a password that has, for example, eight characters minimum, including at least one capital letter, one digit, and one special character, they are most likely to come up with passwords like “Administrator2021!” or “passw0rd%” which feel secure but are actually incredibly easy for hackers to exploit.

In addition, once users have a password they like, it’s tempting to use it across accounts and devices. This just increases the amount of damage a hacker can do once they have access to a single password.

Detecting Compromised Passwords Early

It’s clear that password policies need to be revisited and companies need to take action by actively monitor for any indications of account compromise. Fortunately, there is a very straightforward way to do this: by screening passwords against a blacklist of weak and already compromised passwords on an ongoing basis.

So how do organizations create or find such a list? Even a quick google search will turn out many public lists of compromised passwords. The main issue with static lists, however, is that they don’t respond to the breaches that are happening daily—even hourly—and they don’t reflect any details that could mean increased danger for your company.

A dynamic, constantly updated process like Enzoic’s screening solution allows you to check credentials against a massive ever-evolving database. They pull data from all corners of the web, from lists exposed in data breaches to entire cracking dictionaries, and the database is updated multiple times every day.

Enzoic also has clocked the issue that screening isn’t just important when an individual creates a new password, especially with the increasing frequency of breaches; it’s important to check them continuously. Therefore, Enzoic monitors passwords to detect compromised credentials at all times and alerts users when action needs to be taken.

Organizations of all sizes and in all industries, from healthcare to government, would benefit from instituting credential screening, and ASAP at that. Follow the advice of your dentist, and NIST: brush your teeth; screen your passwords. Stay fresh and clean with password hygiene.