Password compromise should concern every enterprise, whether it runs a large online presence or a single database. Through a compromised password, attackers can infiltrate your IT environment, steal sensitive digital assets, or cause serious financial damage. Moreover, it remains one of the most popular attack vectors among threat actors, and thus one of the most consistently exploited.
What causes password compromise at the enterprise level? How can enterprises prevent it? More ideally, how can enterprises completely circumvent it, preventing hackers from exploiting it in the first place?
We dive into the subject in-depth here.
The Problem with Passwords
There is a particular reason password compromise represents such an issue for enterprises: passwords are inherently weak authentication factors by themselves.
Passwords represent a remnant from the earliest days of identity and access management. In times past, your enterprise could trust employees to safely remember, input, and secure their own credentials when entering your network.
Those days passed long ago. Businesses now operate in a very different identity and access management environment.
For example, according to Julia O’Toole of Mycena, the average user must remember between 80 and 90 passwords. Dashlane estimates the average exceeds 150, well beyond what enterprises can reasonably expect employees to memorize.
Unfortunately, this leads employees to make poor authentication choices. According to SplashData, nearly 10% of users chose a password from its list of the 25 worst. Rachael Stockton of LogMeIn found that well over half of users keep reusing passwords even after those passwords have been stolen.
Both behaviors create weak spots in your identity security perimeter. Furthermore, hackers can mine social media to infer users’ probable passwords; after all, users put a great deal of information about themselves online. A savvy threat actor could easily find a target’s birthday or pet’s name, either of which may be the basis of a password.
This assumes an external threat actor, but an insider could just as easily steal credentials from fellow employees. Plenty of well-meaning users write their passwords down in plain sight to avoid forgetting them, and some share passwords with colleagues to speed up workflows. Privileged access solution provider Centrify found that 65% of users share their privileged access.
The Basics of Password Compromise
As a rule, hackers can guess or crack weak employee or third-party passwords with little effort. Plenty of vendors on the Dark Web sell tools that automate password cracking, often for very little money.
Additionally, hackers sell lists of previously compromised credentials, which fuel credential stuffing attacks. In credential stuffing, a threat actor replays leaked username and password pairs against other services at high speed, betting that users reused the same password elsewhere; the related brute-force and password-spraying techniques instead fire thousands of candidate passwords at accounts in rapid succession. All of them walk past single-factor authentication because the password is the only barrier.
Of course, if the password appears on a list of worst passwords, hackers need only a few educated guesses to get into the network. Experienced attackers can crack all but the strongest passwords in a matter of hours, if not minutes, especially when the stolen hashes were produced with a fast hash rather than a deliberately slow one.
Unfortunately, penetrating the network is only the first step in an attacker’s plan. Once inside, they can use your business as a stepping stone for an island-hopping attack against your partners, establish persistence and dwell undetected, or move laterally through the environment.
Moreover, if your enterprise does not adequately protect against password compromise, hackers can do even more damage. With privileged access credentials, they could reach your finances or proprietary data unchallenged, push disruptive configuration changes, or even destroy your IT environment.
Indeed, Centrify found that 74% of enterprises had suffered a breach that began with a compromised privileged access account.
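The distinguishing feature of credential stuffing and spraying is breadth across many accounts from one source, not repeated failures against one account. The following detection logic, written as an added example (it is not code from the original article), runs over a handful of constructed authentication log lines in an assumed format and flags sources that touch many distinct accounts inside a short window, listing any account that logged in successfully during the burst. The log format, thresholds and sample lines are all assumptions for the demonstration.

```python
"""Spot credential-stuffing and password-spraying bursts in authentication logs.

Added example, not code from the original article. The log format, the sample
lines and the thresholds are assumptions made for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, assumed format
# "<ISO-8601 UTC timestamp> <OK|FAIL> user=<name> src=<IP>".
# 203.0.113.7 cycles through six accounts in four seconds (one of which succeeds);
# 198.51.100.9 is one user mistyping their own password and then getting in.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02Z FAIL user=bob src=203.0.113.7
2024-03-01T09:00:02Z FAIL user=carol src=203.0.113.7
2024-03-01T09:00:03Z FAIL user=dave src=203.0.113.7
2024-03-01T09:00:03Z OK user=erin src=203.0.113.7
2024-03-01T09:00:04Z FAIL user=frank src=203.0.113.7
2024-03-01T09:00:30Z FAIL user=alice src=198.51.100.9
2024-03-01T09:00:45Z FAIL user=alice src=198.51.100.9
2024-03-01T09:01:10Z OK user=alice src=198.51.100.9
"""


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on malformed input."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Return {source_ip: finding} for sources that try at least
    min_distinct_users different accounts inside one sliding window.
    A single user failing a few times and then succeeding is left alone.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span covers at most window_seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_distinct_users:
                continue
            # Accounts that logged in successfully during the burst are the ones
            # whose reused password was on the attacker's list: triage them first.
            hit = {
                "distinct_users": len(users),
                "attempts": len(span),
                "succeeded": sorted(e["user"] for e in span if e["ok"]),
            }
            prev = findings.get(src)
            if prev is None or hit["distinct_users"] > prev["distinct_users"]:
                findings[src] = hit
    return findings


if __name__ == "__main__":
    for src, hit in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {hit['attempts']} attempts against {hit['distinct_users']} accounts; "
              f"successful logins during burst: {hit['succeeded'] or 'none'}")
```

Run against the sample, the burst source is reported with erin as the account to lock and re-credential, while the legitimate retrying user is not flagged. In production the thresholds would be tuned per application and the source key would usually combine IP with user agent or ASN, since stuffing tools rotate through proxy pools.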
So those are the risks of password compromise. How can your enterprise prevent it?
Best Practices Of Password Security
By implementing some reasonable identity and access management best practices, you can curtail and deter password compromise attempts, both external and internal.
No list could encompass all enterprise-level identity security best practices, but we hope this list helps guide your IAM thinking and policies. Be sure to consult with your IT security team as well before implementing the following:
- Explicitly forbid your employees and privileged users from sharing their credentials with anyone, even trusted colleagues.
- Forbid employees from writing down their passwords, whether on paper or in digital documents; the latter are compromised more easily than users realize.
- Incentivize identity security through employee reviews—rewarding best practices and marking down failures.
- Set minimum password requirements that favor length over complexity, and reject any new password that appears on a list of common or previously breached passwords. Whole phrases or sentences prove stronger against cracking and guessing than short combinations of letters, numbers, and symbols, and users remember a sentence more readily than a random jumble of characters.
- Deploy a password manager or vault so employees can store and retrieve strong, unique credentials from recognized endpoints and network connections.
- Never leave default passwords in place anywhere in your IT environment, especially not on IoT devices.
- Deploy a next-generation identity and access management solution on your network which matches your identity security use case.
- For your privileged users, deploy a privileged access management solution to secure their credentials.
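To make the password-related items above concrete, and to tie them back to the "worst passwords" statistics earlier in the piece, here is an acceptance check written as an added example (it is not code from the original article). It rejects common and default passwords even when disguised with letter substitutions, rejects passwords containing the username, enforces a length floor rather than character-class rules, and scores a multi-word passphrase by word count. The blocklist, the 12-character minimum and the 7776-word vocabulary assumed for passphrases are choices made for this demonstration; a real deployment would load a large breached-password corpus.

```python
"""Password-acceptance check enforcing the practices above.

Added example, not code from the original article. The blocklist, MIN_LENGTH and
DICEWARE_WORDS are assumptions made for this demonstration.
"""
import math
import re

# Constructed blocklist: the kind of entries found on "worst passwords" lists plus
# vendor defaults that must never survive on an appliance or IoT device.
BLOCKLIST = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111", "iloveyou",
    "letmein", "welcome", "monkey", "dragon", "admin", "root", "changeme", "default",
}
MIN_LENGTH = 12          # assumed policy floor
DICEWARE_WORDS = 7776    # assumed vocabulary size behind a word-based passphrase

# Undo the substitutions people use to sneak a blocklisted word past a filter.
_LEET = str.maketrans("@$0134", "asoiea")


def _base_form(pw):
    """Lower-case, drop trailing digits and punctuation (password1!, welcome2024),
    then undo common letter substitutions (p@ssw0rd -> password)."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(_LEET)


def estimate_bits(pw):
    """Rough guessing-resistance estimate. A passphrase of three or more words is
    scored by word count against the assumed vocabulary; anything else by length
    times log2 of the character classes it uses. This arithmetic assumes the
    password was chosen at random, which is exactly why the blocklist check runs
    first in check_password."""
    words = [w for w in re.split(r"[\s\-_.]+", pw) if w]
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(DICEWARE_WORDS)
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"[0-9]", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0


def check_password(pw, username):
    """Return (accepted, reason, estimated_bits)."""
    lowered = pw.lower()
    bits = estimate_bits(pw)
    if lowered in BLOCKLIST or _base_form(pw) in BLOCKLIST:
        return False, "common or default password", bits
    if username and username.lower() in lowered:
        return False, "contains the username", bits
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters", bits
    if len(set(lowered)) < 4:
        return False, "too little variety (repeated characters)", bits
    return True, "accepted", bits


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "purple tractor sings loudly", "Xk9#mQ2v!pL"]:
        ok, reason, bits = check_password(candidate, "alice")
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} ({reason}, ~{bits:.0f} bits)")
```

Note the order of the checks: charset arithmetic rates "P@ssw0rd1!" at roughly 66 bits, far above the four-word phrase at about 52, yet the former is a dictionary word with predictable decorations and is rejected by the blocklist before any strength estimate matters. The phrase passes because it is long, memorable and not on any list, which is the point of the length-over-complexity guidance above.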
To Prevent Password Compromise, Remove the Password
Of course, part of the problem with password compromise is over-reliance on a single authentication factor. Even if you replaced every password with biometric authentication, hackers would eventually find a way past it if it were the only barrier to entry.
Therefore, most identity management experts contend that enterprises must implement multifactor authentication (MFA). MFA asks users for several independent authentication factors before granting entry. These can include:
- Geolocation of the login request (strictly a contextual risk signal rather than a factor, but evaluated alongside them).
- Time of the access request (likewise a contextual signal).
- Biometric authentication, physical (fingerprint, face) and behavioral (typing rhythm).
- One-time codes delivered by SMS or email (the weakest option on this list, since the code can be phished and SMS can be hijacked through SIM swapping).
- Hardware token authentication, such as a FIDO2 security key, which resists phishing because the response is bound to the site being visited.
Asking for several factors at once does cost some user convenience, but the improvement to your overall identity security is worth it. You can also implement step-up authentication to strike a better balance.
Step-up authentication requests additional factors as the user asks for access to more sensitive digital assets or databases. Users could rely on password-based single sign-on for the assets their basic job function requires, then present their biometrics before entering higher-level areas.