Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management
7 Password Problems Solved by Enzoic Password Policy Enforcement
Reduce IT Burden While Ensuring Enhanced Password SecurityThere are many excellent password policy enforcement tools built into Active Directory. But the out-of-the-box AD functionality does not meet all the password standards and new password policy recommendations from NIST and other regulatory organizations.
What can organizations do regarding password policy enforcement to increase security and decrease user friction, cost-effectively?
The perfect storm of weak passwords
There are billions of breached and leaked passwords on the public Internet and Dark Web. Even if these passwords are hashed, it is easy to crack weak hashing algorithms. Additionally, many people choose expected or common passwords, which are also easy to crack. Cybercriminals can then use these known passwords to infiltrate enterprise networks because most people reuse passwords. Furthermore, employees often are using exposed or vulnerable passwords without even knowing that those passwords are risky.
It is no surprise that organizations find it challenging to keep passwords secure. Organizations are becoming increasingly concerned as password safety grows problematic, yet password remain the most common method for authentication.
How can organizations simplify password security and solve seven of the most frequent password problems? Robust password policy enforcement.7 Password Problems Eased by Enzoic Password Policy Enforcement:
1. Prevent employees from adopting compromised passwords at password set up or password reset.
Employees unwittingly often choose new passwords that are already exposed, and they don't even realize it. Enzoic for Active Directory screens new passwords while employees are creating them, blocking compromised passwords in real-time. It enables employees to adopt secure passwords from the start.
2. Discover and eliminate exposed passwords on a daily basis automatically.
Some organizations trying to satisfy NIST 800-63b password standards opt to discover compromised passwords through manual comparisons of lists downloaded off the Internet. But because password breaches happen daily, organizations need an automated process that checks all Active Directory passwords against all known compromised passwords every day. A manual process that is updated every quarter or when IT can get around to it, is insufficient and adds an additional burden on IT staff. The IT staff is usually already stretched thin at most organizations, so most organizations are seeking out automated solutions.
3. Block employees from choosing commonly used passwords.
Employees will also often select passwords that are easy to remember, and they frequently create predictable passwords that follow recognizable patterns. For example, employees may default to word and number combinations that cybercriminals know well, such as Patriots2019 or Password1234. Only 35.3% of U.S. companies check employee passwords against common password lists or password blacklists, according to OneLogin. There are automated tools that blocks commonly used passwords at the point of creation, so employees make more acceptable choices.
4. Avoid passwords that appear in cracking dictionaries.
Cybercriminals use cracking dictionaries, which can contain millions of exposed passwords and even passphrases, to access Active Directory accounts. They use rainbow tables to accelerate Active Directory hacking. Organizations need to compare passwords at creation and continue to compare passwords against databases updated daily, which includes many cracking dictionaries. This ensures that employees are not using cracking dictionary passwords.
5. Do away with forced, periodic password resets.
Password expiration policies frustrate employees, and studies have shown that the practice often leads to the creation of weaker passwords. Even Microsoft is now recommending that organizations end the enforcement of a password policy that forces uses to periodically reset their password. Instead they recommend screening passwords. By screening for exposed passwords, only employees with exposed passwords are impacted. It leaves the remaining employees unencumbered, which will reduce IT help desk password reset-related tickets.
6. Remove password complexity.
In keeping with NIST 800-63b, organizations that have regular screening for compromised passwords in Active Directory may opt to drop the character complexity requirements (capital/lowercase letters, numbers, and special characters.) NIST advises this based on research that showed these requirements made it more difficult for employees to remember their password but it was not harder for hackers. Some organizations are still opting to enforce this password policy, but many are moving away from it in favor of longer passphrases and password screening.
7. Enable passwords to keep accounts and data safe.
Almost every organization uses passwords as their primary gating factor for access to corporate resources. Many organizations do not have the time or budget to replace passwords completely. Of the organizations that are deploying biometric authentication or adaptive authentication, many still have the password as the back-up mechanism in the case of failure. So, it is still important to secure passwords and password screening removes password weakness.
The Least Disruptive Approach
Continuous compromised password monitoring and weak password filtering in Active Directory is the least disruptive password policy enforcement tool that enhances the organization's existing Active Directory password policies. Since it is automated, it can reduce a lot of IT burden while ensuring enhanced password security.