Trusting Passwords: Best Practices for Threat-Proofing Credentials

“Open, Sesame!”

Upon reflection it’s easy to see that passwords have an incredibly long history: from shibboleths to military codes, they’ve been used in many situations to preserve privacy and identity.

With the creation of computing technology, passwords became ubiquitous, and were codified in the digital world as strings of characters—numbers, letters, and symbols. Much like their historical counterparts, they were implemented to help with security, control access, and prevent theft.

Now, passwords are used in practically every industry that relies on digital technology, from point-of-sale systems to elementary school IT networks. Despite the growing pool of alternative security options (biometrics like fingerprint scanning or voice recognition; multi-factor authentication), it’s clear that passwords are here to stay.

In fact, 80% of respondents in a recent Enterprise Management Associates (EMA) survey indicated using passwords in their organization to enable access to business devices and data. The next most commonly used authenticator is the PIN, which is arguably a type of password, at 56%.

But there’s a problem. According to the EMA research, over 60% of organizations experience a security breach each year. And of course, “reported incidents of password violations only represent breach incidents that have been detected,” meaning that the true number of breaches is likely higher still. How does this happen?

Traditional methods of password management are arguably the weakest link in standard business security because there is no mechanism in place for making sure that credentials haven’t been compromised.

To give an on-the-ground analogy, let’s say you have two keys to your house. You keep one with you all the time, and the other, you might leave under the front mat for emergencies. But, obviously, someone could go by your home while you were out, and find the key, and enter. And you wouldn’t know, because there was no system in place to alert you that the key had been moved.

The consequence of someone entering your house is pretty obvious: they could rob you. The consequences of security breaches, though slightly more abstract, are exactly the same. In fact, according to the EMA research, a staggering 90% of businesses that experienced a security breach suffered significant consequences as a result.

Categorically, businesses reported loss of revenue, damage to company reputation, and loss of customers – as well as server failure and other unexpected costs. These repercussions occur frequently, some of them making it to the news.

Password policy violations occur most frequently when users cut corners in order to access services more quickly. Most often this looks like using similar passwords across multiple accounts, but also the sharing of passwords for the sake of convenience, or even physically writing down a password. All of these behaviors decrease the efficacy of passwords as a whole, making it easier for bad actors to abuse organizations and individuals.

According to EMA research, password reuse specifically is one of the biggest challenges. (Imagine having one single key for your home, but the same key starts your car, and opens your safe deposit box. If that one key gets lost or stolen, your house, car, and savings are all at risk.) Users are often gently deterred from employing identical passwords across multiple accounts, yet it is the most frequently violated password policy.

The reality is that traditional password practices are no longer secure. They depend on outdated policies built around arbitrary complexity rules requiring a mix of numbers, letters, and symbols; but these are precisely the kinds of strings that are hard for people to recall. So, for our own sake, we choose easy passwords that just barely satisfy the requirements, and we end up with passwords like ‘passw0rd1!’ thinking that a computer couldn’t crack them.

EMA research notes that it is common for users to employ a ‘root word’ from the dictionary or their personal lives for multiple passwords. The root word is appended with additional characters to make it appear just different enough during password resets (think turning ‘password123’ into ‘Password2020!’). While this approach allows the user to meet the traditional requirements for password uniqueness, the systems are easily broken by today’s more sophisticated attack methods, which involve programs guessing millions of combinations of characters in seconds flat.

It’s worth noting that people aren’t necessarily ‘at fault’ here (it’s hard to memorize complicated and unique sets of information!), but that said, individuals and enterprises alike are responsible for their actions, and we all have to do better.

Change is Good

One welcome change to the world of password security came with the most recent NIST password guidelines. They recommend organizations move away from the traditional password requirements and instead employ systematic credential verification checks to ensure passwords have not been compromised. Additionally, NIST recommends users only be required to reset passwords in the event that credentials have been detected as compromised, not on an arbitrary, routine schedule.

EMA research demonstrates that, besides changing human nature or neurology, the only real solution to password security is to enable real-time detection of breached credentials. If a user wants to choose a password, it should be immediately checked against a given blacklist of compromised passwords.
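The two ideas above, rejecting a ‘root word’ dressed up with digits and symbols, and checking a newly chosen password against a compromised-password list at the moment it is chosen, can be combined in one screening routine. The following is an added example written for this post; it is not Enzoic’s product code and not EMA’s data. The breach corpus is a small constructed list of leaked passwords, stored only as SHA-1 digests; the range_query function stands in for a k-anonymity range endpoint (the client discloses only a five-character hash prefix), and it is an assumption that the feed also publishes hashes of the root words so that trivial variants can be caught without the screening service ever seeing plaintext.

```python
import hashlib
import re

# Constructed sample breach corpus for this example (not Enzoic's or EMA's data).
# A real deployment pulls from a continuously updated feed of leaked credentials;
# the screening service keeps only SHA-1 digests of them, never the plaintext.
_LEAKED = ["password123", "passw0rd1!", "letmein", "qwerty2019", "summer2020", "12345678"]

# Undo the substitutions people use to make a root word look "complex".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def sha1_hex(text):
    """Upper-case hex SHA-1, the digest format used by range-style breach lookups."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def root_word(password):
    """Reduce a password to the 'root word' the post describes: drop the digits and
    symbols bolted onto either end, lower-case it, and reverse common leet
    substitutions, so 'Password2020!', 'password123' and 'p@ssw0rd' all become 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(_LEET)


BREACHED_HASHES = {sha1_hex(p) for p in _LEAKED}
# Assumption for this example: the feed also publishes hashes of the root words.
BREACHED_ROOT_HASHES = {sha1_hex(root_word(p)) for p in _LEAKED if root_word(p)}


def range_query(prefix):
    """Stand-in for a k-anonymity range endpoint: the client sends only the first five
    hex characters of its hash and gets back every stored suffix under that prefix,
    so the service never learns which password was checked."""
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix)}


def is_compromised(password):
    """True if the exact password appears in the breach corpus."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def evaluate(password, username=""):
    """Screen a candidate password at the moment it is chosen: a length floor, no
    arbitrary composition rules, and rejection if it (or its root word) is known to be
    compromised or is just the account name with digits and symbols appended."""
    reasons = []
    root = root_word(password)
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if username and root and root == root_word(username):
        reasons.append("derived from the username")
    if is_compromised(password):
        reasons.append("exact match in compromised-credential corpus")
    elif root and sha1_hex(root) in BREACHED_ROOT_HASHES:
        reasons.append("trivial variant of a compromised password")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["passw0rd1!", "Password2020!", "jsmith2024!", "correct horse battery staple"]:
        print(candidate, "->", evaluate(candidate, username="jsmith"))
```

Run against the four candidates in the block, the routine rejects ‘passw0rd1!’ as an exact breach-corpus match, rejects ‘Password2020!’ because its root word ‘password’ is compromised, rejects ‘jsmith2024!’ for user jsmith as a dressed-up account name, and accepts the long passphrase even though it contains no digits or symbols, which is the behaviour the NIST guidance asks for: screening against known-compromised values instead of enforcing composition rules.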

Websites that publish and sell stolen credentials must be continuously monitored, and if compromised credentials are detected, immediate action should be taken. EMA recommends that, if a breach is detected, alerts be sent to IT managers and breached user accounts be disabled until they can be reset.

Indeed, according to EMA survey respondents who are responsible for purchasing identity and access management solutions, the most important platform feature today is the ability to perform credential screening.

How can we stay safe?

While Microsoft’s Active Directory is one of the most prevalent solutions for network device management, it was never designed to scan the recesses of the dark web. Instead it relies on internal algorithms and a company-maintained list of banned passwords.

Enzoic for Active Directory, on the other hand, has been purpose-built to provide continuous protection by ensuring constant monitoring of leaked credentials. It works seamlessly as a plugin for AD, so that the user experience is barely changed; it’s just dramatically safer. EMA “recommends all organizations reliant on password-based access controls adopt a responsible password evaluation solution, such as Enzoic for Active Directory, to establish confidence in the security of their IT environments.”

It’s an easy step to take in the direction of online security. Keeping your key under your doormat isn’t a safe choice, but screening your password is.