Skip to main content

Despite compromised credentials being the source of the vast majority of data breaches, passwords aren’t going anywhere—which means it’s time for businesses to take internal policies, including those within Active Directory, seriously, according to a recent S&P Global Market Intelligence Business Impact Brief.

“Hard to remember and easy to defeat” — that’s the classic take on passwords, and it has been in the cybersecurity industry for the past few years now.

So why aren’t we leaving them behind?

Passwords can present security risks, but they’re not going anywhere, at least on a large scale, any time soon. Due to factors like simplicity and cost, all industries with any kind of digital presence rely on passwords to provide clients and customers access to their own information. According to the brief, passwords are also sticking around because the alternatives just aren’t as seamless; MFA ruffles user feathers when it comes to ease, protocols get in the way, and not everyone has the access to or knowledge base for tools like VPNs.

When ranked against the other most common authentication methods, a credential combination of usernames and passwords was the most prevalent at 58%. Mobile two-factor authentication (2FA) and SMS-based 2FA came in at 47% and 40% respectively. Biometrics (like fingerprints, or facial recognition) account for just over 30% of authentications, and hardware-based one-time passwords (OTPs), smart cards, and other hardware-based keys all ranged between 24-27%.

451 password authentication

For most businesses, the ubiquitous nature of passwords requires hardened password policies.

If a company’s password policies haven’t been revisited in the last few years, they’re due for a refresh. NIST and CISA guidelines have changed in response to cyberattacks and patterns and the requirements for good password hygiene have shifted.

NIST standards now outline that companies should:

  • Drop many of the arbitrary complexity requirements
  • Remove periodic password resets
  • Screen for compromised credentials on a continuous basis

“Most successful breaches involve stolen or compromised credentials and the escalation of privileges via lateral movement.”

Securing credentials is often seen as a privileged access management problem, but securing credentials upfront can stop the problem before it’s able to spread, according to the brief.

Bear in mind that organizations of all kinds use Active Directory (AD), and it’s become a classic target for threat actors. Unfortunately only about a quarter of firms use third-party security tools to protect AD, according to S&P Global Market Intelligence. The security settings that come with AD are not only well known to threat actors, they simply aren’t enough to protect an organization’s crown jewels. To meet NIST requirements, businesses must have additional security for AD in place.

Businesses should consider strengthening their password policies by investing in continuous credential screening, in order to remediate compromises as soon as they are detected.

Read the full analyst report.