Active Directory ships with useful password policy controls (the domain password policy and fine-grained password policies). Out of the box, however, it does not meet all of the current password standards and recommendations from NIST and other regulatory bodies, in particular the requirement to screen new and existing passwords against known compromised passwords.
What can organizations do regarding password policy enforcement to increase security and decrease user friction, cost-effectively?
More than 21 million passwords appeared in a single collection of data breaches in January 2019, according to Fortune magazine. That is just the tip of the iceberg. That list is small compared to all the credential data that has been breached, leaked, and shared on the public Internet and Dark Web over the past ten years.
Even when the leaked passwords were stored as hashes rather than in plaintext, widely shared cracking dictionaries let attackers recover them. A dictionary attack does not reverse the hash; it hashes each candidate with the same algorithm and compares the result against the leaked hash, which is fast and cheap for unsalted, general-purpose hashes such as MD5, SHA-1 or NTLM. That is why common and predictable passwords fall first. Many employees make this easy by choosing expected or common passwords.
Cybercriminals then use these weak or breached passwords to get into enterprise networks. Poor employee password hygiene is the main culprit, but part of the problem is that employees often use bad passwords without knowing that those passwords are already exposed or considered weak.
It is the perfect storm for security teams. It is no surprise that organizations find it challenging to keep passwords secure and confidential in this environment. Companies are becoming increasingly concerned as password safety grows problematic, yet passwords remain the most common method for authentication.
How can organizations simplify password security and solve seven of the most frequent password problems? Robust password policy enforcement.
1- Prevent employees from adopting compromised passwords at password set up or password reset.
Employees often unwittingly choose new passwords that are already exposed. Enzoic for Active Directory screens new passwords while employees are creating them, blocking compromised passwords in real time, so employees adopt secure passwords from the start.
2- Discover and eliminate exposed passwords on a daily basis automatically.
Many organizations trying to satisfy the NIST SP 800-63B password requirements discover compromised passwords through manual comparisons against lists downloaded from the Internet. But because password breaches happen daily, organizations need an automated process that checks all Active Directory passwords against all known compromised passwords every day. A manual process that is run every quarter, or whenever IT can get around to it, is insufficient and adds to the load on IT staff, who are already stretched thin at most organizations. That is why most organizations are looking for automated solutions.
Enzoic for Active Directory introduces Continuous Password Monitoring, which automatically screens an organization's existing passwords every day against Enzoic's continuously updated database of billions of compromised credentials. The comparison is made safe by sending only a partial password hash; neither the password nor its full hash leaves the organization. Enzoic applies both human and automated intelligence to locate new password exposures and breaches: automated processes and threat research staff work around the clock, gleaning data from Dark Web sites and forums, the public Internet, and otherwise unavailable private sources.
When Enzoic for Active Directory finds compromised passwords in Active Directory, it triggers an automatic response of the organization’s choice. It can prompt the user to change their password the next time they log in, it can disable the affected account immediately, or it can send alerts to administrators or the helpdesk.
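The partial-hash lookup and the automated response described above, as an added example that is not Enzoic's code and not a description of its wire protocol. It assumes the k-anonymity scheme popularized by Have I Been Pwned's Pwned Passwords API (SHA-1, a 5-hex-character prefix sent to the server, suffix comparison done on the client); the breach corpus, the directory snapshot, the account names and every function name are constructed for illustration. Real Active Directory stores unsalted NT hashes (MD4 over the UTF-16LE password), which a production tool would compare in place of the SHA-1 used here to keep the example dependency-free. The screening function enforces a minimum length and a compromised-password check and deliberately no character-class rules, in line with NIST SP 800-63B.

```python
import hashlib
from enum import Enum

PREFIX_LEN = 5   # hex characters of the hash sent to the server (HIBP-style k-anonymity)
MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen memorized secrets

# Constructed stand-in for a compromised-credential database (assumption: real
# services hold billions of entries; the mechanics are the same).
BREACHED_PASSWORDS = [
    "Password1234", "Broncos2019", "123456", "qwerty", "letmein", "Summer2019!",
]

# Records every prefix the "server" receives, so we can show what it learns.
SERVER_SAW: list[str] = []


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(passwords):
    """Server side: bucket full hashes by their first PREFIX_LEN hex characters."""
    index: dict[str, set[str]] = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Server side: return every suffix in the bucket. The server never learns
    which entry (if any) the client is interested in."""
    SERVER_SAW.append(prefix)
    return sorted(index.get(prefix, ()))


def is_compromised_hash(index, full_hash: str) -> bool:
    """Client side: send only the prefix, compare suffixes locally. This works
    directly on a stored hash, which is what a daily directory sweep has."""
    prefix, suffix = full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]
    return suffix in range_query(index, prefix)


def is_compromised(index, password: str) -> bool:
    """Client side, at password set/reset time: hash, then check the hash."""
    return is_compromised_hash(index, sha1_hex(password))


def screen_new_password(index, password: str):
    """Returns (accepted, reason). Length plus breach check; no complexity rules."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if is_compromised(index, password):
        return False, "appears in breach corpus"
    return True, "ok"


class Action(Enum):
    FORCE_CHANGE_AT_NEXT_LOGON = "force-change"
    DISABLE_ACCOUNT = "disable"


def sweep_directory(index, accounts, privileged_accounts=frozenset()):
    """Daily sweep. `accounts` maps account name -> stored password hash.
    Returns {account: Action} for every account whose hash is in the corpus:
    privileged accounts are disabled immediately, others must change at next logon."""
    findings = {}
    for name, stored_hash in accounts.items():
        if is_compromised_hash(index, stored_hash):
            findings[name] = (Action.DISABLE_ACCOUNT if name in privileged_accounts
                              else Action.FORCE_CHANGE_AT_NEXT_LOGON)
    return findings


SERVER_INDEX = build_server_index(BREACHED_PASSWORDS)

# Constructed directory snapshot: stored hashes of each user's current password.
SAMPLE_ACCOUNTS = {
    "jsmith": sha1_hex("Broncos2019"),
    "admin-backup": sha1_hex("Summer2019!"),
    "mlee": sha1_hex("four candles under a bright moon"),
}

if __name__ == "__main__":
    for pw in ("Password1234", "abc", "four candles under a bright moon"):
        print(pw, "->", screen_new_password(SERVER_INDEX, pw))
    print(sweep_directory(SERVER_INDEX, SAMPLE_ACCOUNTS, {"admin-backup"}))
    print("server only ever saw prefixes:", SERVER_SAW)
```

The point of the prefix split is visible in `SERVER_SAW`: the server receives five hex characters, which narrow the candidate space to a bucket shared by many unrelated passwords, and the decisive comparison happens on the client. Note that the sweep needs no passwords at all, only the stored hashes, which is why an unsalted hash type in the directory is both what makes continuous monitoring possible and what makes precomputation attacks against a stolen copy of it cheap.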
3- Block employees from choosing commonly used passwords.
Employees will also often select passwords that are easy to remember, and they frequently create predictable passwords that follow recognizable patterns. For example, employees may default to word and number combinations that cybercriminals know well, such as Broncos2019 or Password1234. To illustrate how often people select bad passwords, employees can check sample passwords to see if they are weak or compromised on Enzoic’s password checker site.
What is even more surprising is that only 35.3% of U.S. companies check employee passwords against common password lists or password blacklists, according to OneLogin. But as more organizations adopt the NIST password framework, that percentage will be increasing. Enzoic for Active Directory blocks commonly used passwords at the point of creation, so employees make more acceptable choices.
4- Avoid passwords that appear in cracking dictionaries.
Cybercriminals use cracking dictionaries, which can contain millions of exposed passwords and even passphrases, to recover Active Directory credentials from stolen hashes. Precomputed tables such as rainbow tables accelerate this further, and they are especially effective against Active Directory because its NT hashes are unsalted: the same password always produces the same hash, so one precomputed table serves every account and every domain.
Enzoic for Active Directory compares passwords at creation and continues to compare passwords against the Enzoic database, which includes many cracking dictionaries. This ensures that employees are not using cracking dictionary passwords discovered by Enzoic’s security threat research team.
5- Do away with forced, periodic password resets.
Password expiration policies frustrate employees, and studies have shown that the practice often leads to the creation of weaker passwords. Even Microsoft is now recommending that organizations end the enforcement of a password policy that forces users to periodically reset their password. Instead, they recommend having methods to determine when passwords are no longer secure and then immediately resetting the password.
When organizations install Enzoic for Active Directory, automated checking identifies immediately when a password has become vulnerable, replacing the need for forced quarterly or other periodic password resets. Users are prompted to change their password only when it has actually been exposed, and everyone else is left unencumbered.
Employees maintain productivity without the confusion, delays, and interruptions associated with scheduled password updates. Organizations will also save IT budget because they will have fewer password-related helpdesk tickets.
6- Remove password complexity.
In keeping with the password rules in NIST Special Publication 800-63B, organizations that regularly screen Active Directory for compromised passwords can drop character-composition requirements, that is, the rules forcing a mix of capital and lowercase letters, numbers, and special characters. NIST made this change based on research showing that such rules make passwords harder for employees to remember without making them materially harder to guess, because users satisfy them in predictable ways (a capitalized first letter, a trailing digit or exclamation mark). Some organizations still enforce composition rules, but many are moving away from them in favor of longer passphrases.
7- Enable passwords to keep accounts and data safe.
Almost every organization uses passwords as the primary gating factor for access to corporate resources, and many do not have the time or budget to replace them completely. Even organizations that deploy biometric or adaptive authentication usually keep the password as the fallback when those mechanisms fail, so the password remains a weakness that attackers can exploit.
Enzoic for Active Directory maintains password strength and secrecy by enabling employees to build and embrace robust passwords. It mitigates the weak link – employees who select and use bad passwords. Enzoic for Active Directory removes password weaknesses, extending the password’s ability to keep accounts and data secure.
Continuous compromised password monitoring in Active Directory is the least disruptive enforcement tool that enhances the organization’s existing Active Directory password policies. It works with existing password policies, so there is no need for the business to retool their other password policies.