Exposed password screening is the process of checking currently used passwords against passwords that have been exposed in a publicly known data breach. Once these passwords are exposed, they are considered to be compromised passwords.
In 2017, the National Institute of Standards and Technology (NIST) updated its password guidelines to recommend exposed password screening. Since then, companies and organizations have increasingly implemented compromised password screening as part of their cybersecurity policies.
Why Should We Screen for Exposed Passwords?
Despite their limitations, passwords are still the most common way of protecting our accounts from unauthorized access.
As data breaches have become more prevalent over time, cybersecurity guidelines have been updated in an attempt to make passwords better at protecting accounts and data. While password requirements vary from one organization to another, the security fundamentals are largely consistent. For example, complexity rules that require a mix of lowercase and uppercase letters, numbers, and special characters are common. Forced password expirations are also common. Users are also regularly instructed to pick a unique password for each account they create.
These attempts to make passwords a more secure method of protecting our accounts can sometimes leave our accounts less secure. The truth is, these rules work well for people with perfect memory who remain alert and vigilant to cybersecurity issues and steadfastly follow security standards. In reality, very few such people exist, and most people have more passwords than they can remember.
According to the password management software company LastPass, the average business employee must keep track of 191 passwords.
When users are faced with keeping track of so many passwords and complying with password requirements, they tend to find ways to make their password management easier. They may pick easy-to-remember or common passwords. Or they choose similar passwords, changing each one only slightly for each account or each time they are prompted to create a new password. This is also why password reuse is so alarmingly common and why so many people use a “root password” and just make slight changes to it.
This behavior is an example of people following the “letter of the law” rather than the “spirit of the law”.
Users are fully compliant with the password requirements and the computer is satisfied that the user has met the security standard. However, the “spirit of the law” has been abandoned in the process because a reused password that is only slightly different from the original password is less secure than a completely new password that doesn’t meet all of these rules.
Cybercriminals know that most people reuse passwords and/or use a root password with a few variations. They exploit these lax password habits by trying a password found in a breach, or variations of it, to gain unauthorized access to other accounts.
When you consider that 81% of company data breaches are due to poor passwords, it’s plain to see that an increasing focus on password complexity and forced password resets is simply not always enough. This doesn’t mean we should do away with all password requirements, but we need to enhance our approach. With recent advances, it’s now possible to collect, store, and use huge databases of weak and exposed passwords to make our personal accounts and workplaces more secure.
This is where exposed password screening comes in.
Bad actors use databases of exposed passwords to conduct brute force attacks or credential stuffing attacks. Organizations can use similar databases to screen for exposed passwords and alert users that their passwords have been leaked. This type of password monitoring is highly effective and encourages the use of more secure passwords. A user may be able to keep a secure password indefinitely if it is never exposed, which encourages better password hygiene.
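As an added example (not code from the original article), the screening check described above in Python: the breach corpus is a small constructed list standing in for a real dataset of exposed passwords, and the prefix-range lookup mirrors the k-anonymity style of public compromised-password services such as Pwned Passwords, which the article does not name. The hash is compared locally, so the screening service never sees the full hash or the password.

```python
import hashlib

# Constructed sample breach corpus: a stand-in for a real dataset of exposed passwords.
BREACH_CORPUS = ["password", "123456", "qwerty", "letmein", "Summer2019!"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form most breach lists are published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Screening-service side: map each 5-hex-char SHA-1 prefix to the suffixes under it."""
    index = {}
    for pw in passwords:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(BREACH_CORPUS)


def range_query(index, prefix: str):
    """Screening-service side: answer a 5-character prefix with every suffix sharing it.
    The service learns only those 5 hex characters, never the full hash or the password."""
    return index.get(prefix.upper(), set())


def is_exposed(password: str, index=None) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    index = BREACH_INDEX if index is None else index
    digest = sha1_upper(password)
    return digest[5:] in range_query(index, digest[:5])


def screen_password(candidate: str, index=None) -> dict:
    """Policy hook for password creation or change: refuse anything found in the breach corpus."""
    if is_exposed(candidate, index):
        return {"accepted": False, "reason": "password appears in a known data breach"}
    return {"accepted": True, "reason": "password not found in breach corpus"}


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", screen_password(pw))
```

In a deployment the same `screen_password` hook runs at account creation, password change, and optionally at login, so a password that is exposed after it was set is still caught.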