Think your enterprise password policy is keeping your organization secure from attack?
Since 2005, more than 11.6 billion enterprise accounts have been breached through various types of attacks, including malware, phishing, and credential stuffing. These accounts frequently end up for sale on the dark web, where they are used to gain unauthorized access to organizations and websites.
So much for enforcing strong passwords and mandatory password changes.
As employees are likely to get careless and reuse passwords across multiple websites and applications, your organization’s risk of compromise increases dramatically—notwithstanding your enterprise password policy.
While a strong password policy can help protect your organization, clearly more needs to be done to address the potential threat. Are there better ways to prevent employees’ credentials from being compromised and made available for sale on the dark web?
NIST recommends scanning for compromised passwords
The National Institute of Standards and Technology (NIST) thinks so.
NIST has published new recommendations to address the concern of evolving password attacks. NIST Special Publication 800-63B recommends organizations actively check for exposed passwords “against a list that contains values known to be commonly-used, expected, or compromised”.
This list could include:
- Passwords obtained from previous breaches
- Dictionary or common words
- Repetitive or sequential characters
- Context-specific words, such as the name of the service or the username
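The four list categories above map directly onto a screening routine that can run at password-set time. The following is an added example (not Dashlane's or NIST's code) that checks a candidate against each category: a constructed, embedded breach list stored as SHA-1 digests rather than plaintext, a small stand-in for a dictionary, keyboard-row and alphabet sequences for the repetitive/sequential check, and a tuple of context terms (service name, username) supplied by the caller. The eight-character floor is SP 800-63B's minimum for user-chosen secrets and is included here as an assumption beyond what this page states; a real deployment would replace the tiny embedded lists with a large, regularly refreshed one.

```python
import hashlib
import re

# Constructed sample breach list: SHA-1 digests of passwords that have appeared
# in public breach corpora. A deployment would load a large, regularly
# refreshed list here; storing only hashes avoids keeping plaintext around.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "iloveyou")
}

# Constructed stand-in for a dictionary / common-word list.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football"}

# Keyboard rows and ordered alphabets used to spot sequential characters.
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
)

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets (assumed, not from this page)


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest is on the breach list."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in BREACHED_SHA1


def is_dictionary_word(password: str) -> bool:
    """True if the whole password (case-insensitive) is a common word."""
    return password.lower() in COMMON_WORDS


def has_repetition(password: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters form a forward or reverse sequence."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i : i + run]
        for seq in SEQUENCES:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def is_context_specific(password: str, context: tuple) -> bool:
    """True if a context term (service name, username, ...) appears in the password."""
    lowered = password.lower()
    return any(len(term) >= 3 and term.lower() in lowered for term in context)


def screen_password(password: str, context: tuple = ()) -> list:
    """Return the list of reasons a password should be rejected (empty = accept)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too-short")
    if is_breached(password):
        reasons.append("breached")
    if is_dictionary_word(password):
        reasons.append("dictionary")
    if has_repetition(password):
        reasons.append("repetition")
    if has_sequence(password):
        reasons.append("sequence")
    if is_context_specific(password, context):
        reasons.append("context-specific")
    return reasons


if __name__ == "__main__":
    # Hypothetical context: the service name and the user's login name.
    ctx = ("Dashlane", "jsmith")
    for candidate in ("password", "aaa12345", "Dashlane2024!", "correct horse battery"):
        print(repr(candidate), "->", screen_password(candidate, ctx) or "accepted")
```

Returning every failing category rather than a single boolean lets the enrollment form tell the user what to change, and hashing the breach list means the comparison never needs the list in plaintext; the freshness problem the next paragraphs describe is about how often `BREACHED_SHA1` gets reloaded, not about the check itself.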
The challenge lies in finding a list—how do you know if it’s accurate and current enough to give you confidence that widespread compromise of your employees’ credentials hasn’t occurred?
If you have to ask that question, then you already know the answer. A static list downloaded from the internet won’t be updated in real-time, and therefore isn’t adequate. Don’t expect to find that data leaked by the “Shiny Hunters” group on a list you downloaded 3 months ago.
Not to mention that in order to keep that list current, you’ll need to regularly update it on a manual basis—a time-consuming and inefficient process at best.
Thankfully, there’s a much easier way to comply with the requirement of NIST 800-63B—a password management solution.
Dashlane can monitor for compromised passwords
An enterprise-class password management solution like Dashlane should offer the ability to actively monitor the dark web and alert you when any employee’s credentials or passwords have been compromised.
Specifically, your password management solution should perform the following:
- Scan billions of stolen credentials and passwords exposed on the dark web
- Update the list daily with any new credentials and passwords obtained from data breaches
- Send automatic alerts so you can immediately protect your employee accounts
Using some of the same techniques that allow threat actors to compromise and sell user credentials and passwords, a password management solution is able to determine what is being bought and sold on the dark web on behalf of your employees.
Not every breach can be resolved in the same fashion, but there are a few things you can do to protect your organization further:
- Change the passwords for any accounts that are flagged in the dark web notification
- If these passwords are used anywhere else, be sure to update the other accounts as well
- Don’t re-use previously compromised passwords identified by your password management solution
- If your employees use a corporate credit card, those companies often have their own fraud detection services, so if the account shows up in a breach, contact the credit card company directly
How to get started
Another step to consider is enabling two-factor authentication (2FA) if you haven’t already. With more employees working from home due to the COVID-19 pandemic, 2FA adds an extra layer of protection to ensure a network breach doesn’t occur due to careless or poor password hygiene.
Above all, consider the importance of dark web monitoring for all your employee credentials and passwords. Use your password management tool to scan the dark web for leaked information and get alerts so you always stay in the know about any potential malicious activity or unauthorized breaches of your organization.