Static Vs. Dynamic
Hardly a day goes by without news of passwords being exposed in a third-party data breach. Once leaked, these credentials are easily available to other hackers via the Dark Web and, thanks to the rampant problem of password reuse, there are a variety of effective attack methods that allow hackers to obtain access to additional organizations’ systems and accounts.
In this environment, the security community is in agreement that it’s critical to protect the password layer. However, the way in which we approach this problem can differ greatly. In this post, we’ll contrast two methods—Enzoic’s dynamic compromised credential screening solution and a more traditional, static approach.
Microsoft Azure Active Directory Password Protection
Azure’s built-in Active Directory password protection product is an example of the latter. A fundamental drawback is that the static solution doesn’t do anything with passwords that have been exposed in prior breaches—a specific requirement outlined in NIST’s most recent guidance. This recommendation is designed to ensure passwords are not found in common cracking dictionaries which would make them easy for hackers to guess and then utilize to breach additional systems and accounts.
Another issue is the size of Microsoft’s common password list, which includes just 500 of the top passwords the company has seen in malicious login attempts. Though Microsoft expands this list by performing permutations and combinations, it still remains woefully small in the face of our ever-evolving threat landscape. Ultimately, because Microsoft’s password protection relies on the company’s own research and analysis, it misses many key areas and can leave an organization vulnerable to attack. These include:
Of course, Microsoft Azure AD Password Protection is not an entirely ineffective solution as it can certainly prevent against password spraying attacks. However, their approach misses many other types of attacks, including brute force, advanced persistent threats, and credential stuffing. Microsoft addresses this by encouraging the usage of MFA in conjunction with the Azure AD Password Protection solution. At Enzoic, we’ve built these considerations into our credential screening solution.
Enzoic for Active Directory
Enzoic for Active Directory is a comprehensive, dynamic solution that provides unparalleled protection at the password layer. Unlike Microsoft’s static list, our solution draws on our proprietary database of multiple billions of unique exposed passwords. Our dynamic list is updated multiple times daily, ensuring that passwords are cross-referenced against data from the most recent breaches and easily addressing NIST’s real-time detection requirements.
Additional benefits of our dynamic approach include:
In addition, the very nature of our dynamic approach ensures that regional differences, use of common passwords, and other shortcomings of Microsoft’s solution are seamlessly addressed.
Password security is a fundamental yet complicated enterprise priority, and additional authentication mechanisms are often required in order to protect sensitive data. But with breaches happening virtually every moment, a dynamic solution that addresses NIST guidelines and cross-references passwords against a continuously updated database is critical to staying a step ahead of hackers.
Click here to learn more about Enzoic for Active Directory and get started with your free trial today.