There is no evidence to suggest that data breaches will become less frequent or less serious. In fact, as more of the population now works from home, the cybersecurity risks are increasing. To counter this threat, organizations need to upgrade their risk management strategy and cybersecurity program so that they understand why and how so many companies and individuals are being successfully targeted by hackers.
Enzoic recently audited over 1,000 corporate domains and found that nearly 20% of real-world user accounts had weak or compromised passwords, leaving them highly vulnerable to attack and representing a serious cybersecurity risk. Of the accounts with unsafe passwords, 10% were using weak passwords (found in cracking dictionaries) while 90% were using compromised passwords (exposed in data breaches). This means that the vast majority of those users’ exact passwords had already been exposed.
These vulnerabilities could have led, or may lead in the future, to account takeover, company infiltration, ransomware, or other information security disasters. Even more troubling, what Enzoic’s results reveal is the best-case scenario of how many passwords are unsafe within an average private sector company. If the best-case scenario is that one in five users’ passwords are vulnerable, just imagine how much larger the problem actually is in some organizations.
This type of data helps unpack the reason why there are so many successful cyber-attacks. The short explanation is that passwords that have been compromised are being reused.
Many people don’t understand the techniques used by hackers. Hackers know that even when users don’t reuse exact passwords, they will typically follow simple patterns to create passwords. These include making small modifications to familiar dictionary words, predictable character substitutions, and appending numbers and symbols, to name a few.
For example, passwords like ‘Loveyou#1’ or ‘admin2023’ are easily guessed, despite fulfilling the requirements for character length and variety. Users may make tiny variations, like ‘L0veyou#1’ or ‘adm1n2023’, for their many different personal and work accounts.
The results of Enzoic’s research provide a useful benchmark for your organization’s cybersecurity vulnerability. Let it be a wake-up call to how your smart and capable employees may be using vulnerable and weak passwords every day. It’s also a chance for IT administrators and organizational directors to address the issues of password policy and compromised credentials within their enterprises. Fortunately, there are several resources that can help guide you in improving cybersecurity practices.
The primary resource comes from The National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce. NIST contributes to both Federal Information Processing Standards (FIPS) as well as guidance documents and recommendations through its Special Publications (SP) 800-series, fostering a collaborative environment for public sector and private sector organizations to enhance their cybersecurity posture.
For organizations and IT professionals alike, NIST guidelines and the NIST cybersecurity framework can quickly become the foundation for best practices in data security. However, while NIST is excellent at providing tips about what practices to leave behind, it does not provide precise solutions. In other words, the guidelines are great for letting folks know what to change, but not necessarily what to change it to.
In the most recent set of NIST password standards, it’s recommended that all organizations screen new passwords against a blacklist as part of their security controls. In Section 5.1.1.2 of SP 800-63B, they note that “when processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised.” This means that whenever a password is being set, whether new or a change to an existing one, there should be a system that scans that password and identifies whether it has already been stolen.
Of course, if in the screening process a compromised credential is detected, ideally the user is alerted so that they can take immediate action. The NIST framework suggests not only advising the user of the compromise but also immediately requiring them to select a new password and informing them of the reason why the change is happening.
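The screening step described above, plus the variant patterns from the earlier paragraphs (character substitutions, appended digits and symbols), as an added Python example that is not Enzoic’s code: it compares a prospective password against a small constructed blocklist, also checks the dictionary word the password is probably derived from (an extension beyond the literal SHALL text of SP 800-63B), and returns a reason the verifier can show the user.

```python
import re
from typing import Tuple

# Constructed sample blocklist standing in for a real feed of commonly used or
# breached passwords (assumption: a production list is far larger and kept current).
BLOCKLIST = {"password", "loveyou", "admin", "welcome", "qwerty", "letmein", "12345678"}

# Predictable character substitutions users apply to familiar dictionary words.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Collapse a password to the dictionary word it was probably built from.

    Lowercase it, drop leading/appended digits and symbols ("#1", "2023"), then
    undo common substitutions ("L0veyou" -> "loveyou", "adm1n" -> "admin").
    """
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET_MAP)


def screen_password(password: str, blocklist=BLOCKLIST) -> Tuple[bool, str]:
    """Verifier-side check in the spirit of SP 800-63B section 5.1.1.2.

    Returns (accepted, reason) so the caller can tell the user why a secret
    was rejected rather than silently failing the request.
    """
    if len(password) < 8:  # SP 800-63B minimum length for user-chosen secrets
        return False, "shorter than the 8-character minimum"
    if password.lower() in blocklist:
        return False, "appears on the compromised/common password list"
    base = normalize(password)
    if base in blocklist:  # an empty base (all digits/symbols) never matches
        return False, f"is a predictable variant of '{base}', which is on the list"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["Loveyou#1", "L0veyou#1", "adm1n2023", "p@ssw0rd",
               "correct horse battery staple"]:
        print(f"{pw!r}: {screen_password(pw)}")
```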
NIST guidelines are established as standards. They are suggested as best practices for cybersecurity risk management processes, but they come without a specific roadmap or implementation instructions. For example, how does one go about accessing a password blacklist? How can you make sure that it protects your company and helps guide your employees toward a better password policy and security framework? Prioritization is crucial in determining which aspects of the cybersecurity framework to focus on first.
Don’t be among the bad password statistics in 2024; consider the simple tools that are available to improve user password behavior and secure your network information systems against cybersecurity threats.
Enzoic’s tools are built specifically to implement NIST guidance. They focus on contemporary security risks, including compromised password detection and remediation.
Enzoic for Active Directory Lite serves as a free audit resource, adept at pinpointing critical areas of risk within your Active Directory environment. This includes the detection of accounts utilizing vulnerable or breached passwords, instances of password sharing, accounts operating without passwords, and those possessing administrative privileges. A full guide to remediating these issues is included in the Enzoic for AD Lite reports.
The full Enzoic for Active Directory solution is aimed at long-term protection, automated remediation, and more configuration options. It keeps bad passwords from being created in Active Directory and automates remediation when previously secure passwords later become compromised. Enzoic draws data from previous breaches, common dictionary words, and company-specific language using both proprietary tools and a human threat research team that interacts with threat actors to gain access to the broadest set of data as quickly as possible. With the full solution, organizations get continual automated enforcement of NIST SP 800-63B and NIST IA-5 standards with one click, providing a comprehensive and robust approach to information security.