SANS Compromised Credentials

SANS Analyst Program, “Fighting Back Against Compromised Credentials”

Analyst Paper Summary

“In our evaluation of Enzoic, we found that it supports all of the must-haves that typical security teams would want.” – Jake Williams, SANS 

A recent first-look paper written by Jake Williams for the SANS cyber security institute outlines the main issues surrounding compromised credentials and the preventative measures companies can take. 

In the paper and an accompanying webcast, Williams discusses Enzoic from an evaluative point of view. He centers on the importance of privacy (and keeping passwords hashed), the need for flexible features, and the minimal impact of Enzoic tools on the user experience. 

It’s no secret that despite digital literacy being high, users in all industries still choose weak passwords, or reuse their favorites for many accounts. Auditing passwords is a reactive measure to poor password security, and as cyber attacks continue to soar in frequency, finding a more proactive and defensive tool is an urgent matter. 

Williams agrees that a tool which not only identifies compromised credentials but actively prevents them from entering the system in the first place is a crucial step toward more holistic cyber hygiene. 

Fortunately, Enzoic meets this need. 

According to Williams, for a password security tool to be maximally effective, it must be “scalable, flexible, and privacy-preserving.” More specifically, it should:  

  • Prevent users from reusing a previously compromised password
  • Continually audit in-use passwords 
  • Differentiate between password-only and full-credential compromises 
  • Support response options that can be used with remote workers

The white paper goes on to state several other requirements and how Enzoic services address many concerns around password security. Enzoic for Active Directory scans for compromised passwords and credentials at creation and on an ongoing basis, using a constantly updated proprietary database of blacklisted passwords. 

Download the full paper here.