Traditional password-based security might be headed for extinction, but that moment is still far off.
In the meantime, most of us need something to prevent our worst instincts when it comes to choosing passwords: using personal information, predictable (e.g., sequential) keystroke patterns, password variations, well-known substitutions, single words from a dictionary and – above all – reusing the same password for many different private and enterprise accounts.
What does a modern password policy look like?
While using unique passwords for every account is a piece of advice that has withstood the test of time (though not the test of widespread compliance), people also used to be told that they should use a mix of letters, numbers and symbols and to change it every 90 days – recommendations that the evolving threat landscape has made obsolete and even somewhat harmful.
In the past decade, academic research on the topic of password practices and insights gleaned from passwords compromised in breaches have revealed what people were actually doing when they were creating passwords. This helped unseat some of the prevailing password policies that were in place for so long, Josh Horwitz, Chief Operations Officer of Enzoic, told Help Net Security.
The latest NIST-sanctioned advice regarding enterprise password policies (as delineated in NIST Special Publication 800-63B) includes, among other things, the removal of the requirement for character composition rules and for mandatory periodic password changes. Those are recommendations that are also being promulgated by Microsoft.
As data breaches now happen every single day and attackers are trying out the revealed passwords on different accounts in the hope that the user has reused them, NIST also advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis, against a dynamic database comprised of known compromised credentials.
The need for modern tools
But the thing is, most older password policy tools don’t provide a method to check if a password is strong and not compromised once the password is chosen/set.
There’s really only one that both checks the passwords at creation and continuously monitors their resilience to credential stuffing attacks, by checking them against a massive (7+ billion) database of compromised credentials that is updated every single day.
“Some organizations will gather this information from the dark web and other places where you can get lists of compromised passwords, but most tools aren’t designed to incorporate it and it’s still a very manual process to try to keep that information up to date. It’s effectively really hard to maintain the breadth and frequency of data updates that are required for this approach to work as it should,” Horwitz noted.
But for Enzoic, this is practically one of its core missions.
“We have people whose full-time job is to go out and gather threat intelligence, databases of compromised passwords, and cracking dictionaries. We’ve also invested substantially in proprietary technology to automate that process of collection, cleansing and indexing of that information,” he explained.
“Our database is updated multiple times each day, and we’re really getting the breadth of data out there, by integrating both large and small compromised databases in our list – because hackers will use any database they can get their hands on, not just those stolen in well-publicized data breaches.”
Enzoic for Active Directory
This constantly updated list/database is what powers Enzoic for Active Directory, a tool (plug-in) that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials.
The solution checks the password both when it’s created and when it’s reset and checks it daily against this real-time compromised password database. Furthermore, it does so automatically, without the IT team having to do anything except set it up once.
Enzoic for AD is able to detect and prevent the use of:
- Fuzzy variations of compromised passwords
- Unsafe passwords consisting of an often-used root word and a few trailing symbols and numbers
- New passwords that are too similar to the one the user previously used
- Passwords that employees at specific organizations are expected to choose (this is accomplished by using a custom dictionary that can be tailored to each organization)
The tool uses a standard password filter object to create a new password policy that works anywhere that defers to Active Directory, including Azure AD and third-party password reset tools.
Can multi-factor authentication save us?
Many will wonder whether such a tool is really crucial for keeping AD accounts safe. “What if we also use multi-factor authentication? Doesn’t that solve our authentication problems and keeps us safe from attacks?”
In reality, password remain part in every environment, and not every authentication event includes multi-factor authentication (MFA).
“You can offer MFA, but until you actually require its use and get rid of the password, there’s always going to be doors in that the attackers can use,” Horwitz pointed out.
“NIST also makes it very clear that authentication security should include multiple layers, and that each of these layers – including the password layer – need to be hardened.”
Do you really need Enzoic for Active Directory?
Enzoic has made it easy for enterprises to check whether some of the AD passwords used by their employees are weak or have been compromised: they can deploy a free password auditing tool (Enzoic for Active Directory Lite) to take a quick snapshot of their domain’s password security state.
“Some password auditing tools take long time to try to brute-force passwords, but attackers are much more likely to start their efforts with compromised passwords,” Horwitz added.
“Our tool takes just minutes to perform the audit, it’s simple to run, and allows IT and IT security leaders and professionals to realize the extent of the problem and to easily communicate the issue to the business side.”
Enzoic for Active Directory is likewise simple to install and use, and is built for easy implementation and automatic maintenance of the modern password policy.
“It’s a low complexity tool, but this is where it really shines: it allows you to screen passwords against a massive database of compromised passwords that gets updated every day – and allows you to do this at lightning speed, so that it can be done at the time that the password is being created without any friction or interruption to the user – and it rechecks that password each day, to detect when a password is no longer secure and trigger/mandate a password change.“
Aside from checking the passwords against this constantly updated list, it also prevents users from using:
- Common dictionary words or words that are often used for passwords (e.g., names of sports teams)
- Expected passwords and those that are too similar to users’ old password
- Context-specific passwords and variations (e.g., words that are specific to the business the enterprise is in, or words that employees living in a specific town or region might use)
- User-specific passwords and variations (e.g., their first name, last name, username, email address – based on those field values in Active Directory)
Conclusion
Time and time again, it has been proven that if left to their own devices, users will employ predictable patterns when choosing a password and will reuse one password over multiple accounts.
When the compromised account doesn’t hold sensitive information or allows access to sensitive assets, these practices might not lead to catastrophic results for the user. But the stakes are much higher when it comes to enterprise accounts, and especially Active Directory accounts, as AD is most companies’ primary solution for access to network resources.