Have you ever dreamed of a future without passwords? At some point, you probably have. After all, strong passwords aren’t always easy to remember, and it seems like more and more, you need to remember longer, more complex versions. That said, they still remain the most prevalent security tool. Yet many businesses don’t maintain password protection to the degree they should.
Though you can always add security tools or enforce stronger policies to encourage stronger passwords, people tend to avoid rules when they can, choosing something easy and comfortable instead.
To truly protect your organization, and maintain password protection, you need to periodically test these critical keys to ensure their strength.
Let’s take a look at how you can best do so.
Password Reuse and Credential Stuffing
Attackers use stolen passwords in credential stuffing attacks, a form of brute-force login, to gain access to computers, networks, servers, and applications.
Essentially, they use computer software and algorithms to try password after password, until finally, one of them happens to work.
Recently, the wedding industry site Zola illustrated this exact issue when they suffered a breach from a reused password.
Digital-identity giant Okta estimates that credential stuffing accounts for more than 1 in 3 Okta login attempts. This amounted to over 10 billion attempts in the first three months of 2022 alone.
These attacks work because:
- Only 22.5% – 35% of users maintain unique logins for all accounts
- 62% of employees share work-related passwords
- Although 92% of users understand the huge risk of using variations of the same password, 65% do it anyway
Sure, you can try to block login attempts from known-bad IP addresses.
However, the FBI now warns of attackers routing credential-stuffing attacks through residential proxies (compromised home offices and private residences).
What does that mean for you? Well, if your employees work from home, their IP address would be allowed, or ‘whitelisted’. That means that if the attack came through an employee’s compromised system, you wouldn’t even be able to block it.
In order to maintain password protection, you’ll need to dig deeper.
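The pattern described above, a single source cycling through many different accounts, can be spotted in failed-logon records even when the source address cannot simply be blocked. The following PowerShell is an added example, not code from the original post: it runs over a handful of constructed records shaped like the fields of Windows Security event 4625, and the threshold and window values are assumptions to be tuned per environment.

```powershell
# Added example (not from the original post): find sources that look like
# credential stuffing in failed-logon data. The records below are CONSTRUCTED
# sample data in the shape of Windows Security event 4625 fields; in production
# you would build the same objects from Get-WinEvent output instead.
$sampleFailures = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:00:01'; TargetUserName = 'alice';  IpAddress = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:00:09'; TargetUserName = 'alice';  IpAddress = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:00:20'; TargetUserName = 'alice';  IpAddress = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:00:31'; TargetUserName = 'alice';  IpAddress = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:05:00'; TargetUserName = 'bob';    IpAddress = '203.0.113.5' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:05:02'; TargetUserName = 'carol';  IpAddress = '203.0.113.5' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:05:04'; TargetUserName = 'dave';   IpAddress = '203.0.113.5' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:05:06'; TargetUserName = 'erin';   IpAddress = '203.0.113.5' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:05:08'; TargetUserName = 'frank';  IpAddress = '203.0.113.5' }
    [pscustomobject]@{ TimeCreated = [datetime]'2022-06-01T09:05:10'; TargetUserName = 'grace';  IpAddress = '203.0.113.5' }
)

function Find-CredentialStuffingSources {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,
        [int] $DistinctUserThreshold = 5,   # assumption: tune to your environment
        [int] $WindowMinutes = 10           # assumption: tune to your environment
    )
    # Group failures by source address. One address failing against MANY
    # different accounts in a short window is the stuffing signature; a user
    # mistyping their own password fails repeatedly against ONE account and
    # is not reported.
    $Failures | Group-Object IpAddress | ForEach-Object {
        $events = @($_.Group | Sort-Object TimeCreated)
        $span   = ($events[-1].TimeCreated - $events[0].TimeCreated).TotalMinutes
        $users  = @($events.TargetUserName | Sort-Object -Unique)
        if ($users.Count -ge $DistinctUserThreshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                IpAddress     = $_.Name
                DistinctUsers = $users.Count
                Attempts      = $events.Count
                WindowMinutes = [math]::Round($span, 1)
            }
        }
    }
}

# Because the flagged address may be an employee's compromised home connection
# (the residential-proxy problem), treat the result as a trigger to investigate
# and to force a credential reset or MFA challenge, not as a block list.
Find-CredentialStuffingSources -Failures $sampleFailures | Format-Table
```

With the sample data above, only 203.0.113.5 is reported (6 distinct users in about 10 seconds); 198.51.100.7 fails four times against a single account and is left alone.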
Default Password Protection Problems
The reality remains that up to 60% of employees use easy-to-guess passwords.
For instance, a hacker recently bypassed a poorly secured Fast Company WordPress website, expanding access after finding default passwords used on multiple internal systems.
Because default passwords often lurk in Active Directory (AD), on Wi-Fi routers, security cameras, and other Internet of Things (IoT) devices, you should audit your networks to find and eliminate such passwords.
PCI 4.0 Password Requirements
Even as IT security managers struggle with negligent users and hidden default passwords, security standards tighten their requirements. The Payment Card Industry (PCI) released version 4.0 of its Data Security Standard (PCI DSS), which revises authentication and access requirements.
Notably, these requirements state that:
- All accounts that access cardholder data require MFA, not just administrators
- Users' passwords must change every 12 months, or upon suspicion of compromise
- Password minimum length is now 15 characters
- Security must compare users' passwords against known-compromised passwords
- Privileged access must be reviewed every 6 months
- Vendor accounts must be enabled only when needed and monitored while in use
Although AD settings can satisfy some of these requirements, and others need only periodic review, comparing users' passwords against known-compromised lists and monitoring vendor accounts require additional tools or services.
Fortunately, if you're adopting the cloud, Azure Active Directory Password Protection offers additional protection against weak and known-breached passwords. The feature can be further strengthened by adding custom 'banned password' lists.
Additionally, the service can integrate with and protect your local AD.
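To make the two PCI points concrete, the 15-character minimum and the comparison against a banned or known-compromised list, here is an added PowerShell example that is not code from the original post or from Microsoft. The banned list is a constructed sample, and the normalization step is a simplified assumption that only illustrates the idea; it does not reproduce the matching algorithm Azure AD Password Protection actually uses.

```powershell
# Added example (not the original post's code): a local policy check in the
# spirit of PCI DSS 4.0. The list below is CONSTRUCTED; a real deployment loads
# a breach corpus or delegates the comparison to Azure AD Password Protection.
$bannedList = @('password', 'welcome', 'summer', 'contoso', 'letmein')

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)] [string] $Password)
    # Lowercase and undo the common character swaps users bolt onto a banned
    # word, so 'P@ssw0rd2022' normalizes to 'password2022'. The substitution
    # table is an assumption, not Microsoft's normalization rules.
    $normalized = $Password.ToLowerInvariant()
    $substitutions = @{ '@' = 'a'; '$' = 's'; '0' = 'o'; '1' = 'i'; '3' = 'e'; '4' = 'a' }
    foreach ($key in $substitutions.Keys) {
        $normalized = $normalized.Replace($key, $substitutions[$key])
    }
    return $normalized
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string[]] $Banned = $bannedList,
        [int] $MinimumLength = 15   # PCI DSS 4.0 minimum cited in the article
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) {
        $reasons += "shorter than $MinimumLength characters"
    }
    $normalized = ConvertTo-NormalizedPassword -Password $Password
    foreach ($word in $Banned) {
        # Substring match, so 'Summer2022!' is caught, not only the bare word.
        if ($normalized.Contains($word.ToLowerInvariant())) {
            $reasons += "contains banned term '$word'"
        }
    }
    [pscustomobject]@{
        Password = ('*' * $Password.Length)   # never echo the clear text
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# 'P@ssw0rd2022!' fails on both counts: 13 characters and a banned term after
# normalization. The 28-character passphrase passes.
Test-PasswordPolicy -Password 'P@ssw0rd2022!'
Test-PasswordPolicy -Password 'correct horse battery staple'
```

Run this against candidate passwords at reset time or as part of an audit; it should complement, not replace, a breach-list comparison, since a password can be long, free of banned terms, and still appear in a public dump.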
Hardening Active Directory for Stronger Password Protection
Active Directory controls password security for most organizations. As such, security managers need to check the defaults and settings to prevent abuse.
- By default, ms-DS-MachineAccountQuota is set to '10'. This allows non-administrators to add up to 10 computers to the domain. To prevent attackers from adding their own devices, set it to '0'.
- Although 'Enforce password history' is often set to 24, 'minimum password age' is often 'not set.' Users can abuse this to cycle through new passwords repeatedly until they can reuse their old password once again.
Microsoft's best practices recommend setting 'minimum password age' to prevent this abuse (e.g., 30 minutes, one day, etc.).
- 'Account lockout threshold' may be set to '0.' This allows unlimited credential stuffing attempts.
To counter this, adjust the 'account lockout threshold,' 'reset account lockout counter after,' and 'account lockout duration' policies to values that allow users a few mistakes but still prevent credential stuffing.
For example: 3 attempts within 3 minutes, followed by a 15-minute lockout period.
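The settings listed above can be audited in one pass. The following PowerShell is an added example, not code from the original post: it reads the domain's machine-account quota and default domain password policy, reports each value against the targets the article gives (quota 0; 3 attempts within 3 minutes; a 15-minute lockout; a non-zero minimum password age, here one day; 24-password history and a 15-character minimum from the PCI section), and applies them only when -Remediate is passed. It assumes the ActiveDirectory RSAT module and Domain Admin rights.

```powershell
# Added example (not from the original post): audit, and optionally remediate,
# the Active Directory settings discussed above. Requires the ActiveDirectory
# module (RSAT) and a Domain Admin session. Assumption: fine-grained password
# policies (PSOs) are not in use; they override the default domain policy.
Import-Module ActiveDirectory

function Test-DomainPasswordHardening {
    param([switch] $Remediate)

    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    $threeMinutes = [timespan]'00:03:00'
    $fifteenMin   = [timespan]'00:15:00'
    $oneDay       = [timespan]'1.00:00:00'

    # Each check records the current value, the target, and whether the current
    # value is at least as strict as the target.
    $checks = @(
        [pscustomobject]@{ Setting = 'ms-DS-MachineAccountQuota'; Current = $quota; Target = 0
                           Compliant = ($quota -eq 0) }
        [pscustomobject]@{ Setting = 'LockoutThreshold'; Current = $policy.LockoutThreshold; Target = 3
                           # 0 means unlimited attempts, so it is never compliant
                           Compliant = ($policy.LockoutThreshold -ne 0 -and $policy.LockoutThreshold -le 3) }
        [pscustomobject]@{ Setting = 'LockoutObservationWindow'; Current = $policy.LockoutObservationWindow; Target = $threeMinutes
                           Compliant = ($policy.LockoutObservationWindow -ge $threeMinutes) }
        [pscustomobject]@{ Setting = 'LockoutDuration'; Current = $policy.LockoutDuration; Target = $fifteenMin
                           # A zero duration means locked until an admin unlocks, which is stricter still
                           Compliant = ($policy.LockoutDuration -eq [timespan]::Zero -or $policy.LockoutDuration -ge $fifteenMin) }
        [pscustomobject]@{ Setting = 'MinPasswordAge'; Current = $policy.MinPasswordAge; Target = $oneDay
                           # 'not set' (zero) is the abuse case; any positive age closes it
                           Compliant = ($policy.MinPasswordAge -gt [timespan]::Zero) }
        [pscustomobject]@{ Setting = 'PasswordHistoryCount'; Current = $policy.PasswordHistoryCount; Target = 24
                           Compliant = ($policy.PasswordHistoryCount -ge 24) }
        [pscustomobject]@{ Setting = 'MinPasswordLength'; Current = $policy.MinPasswordLength; Target = 15
                           Compliant = ($policy.MinPasswordLength -ge 15) }
    )

    $checks | Format-Table -AutoSize

    if ($Remediate -and ($checks | Where-Object { -not $_.Compliant })) {
        # Stop non-admins from joining machines to the domain.
        Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

        # Apply the article's lockout and age values plus the PCI length/history.
        # Note that a low threshold also lets a deliberate wrong guesser lock
        # accounts, so pair it with the failed-logon monitoring discussed earlier.
        Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
            -LockoutThreshold 3 `
            -LockoutObservationWindow $threeMinutes `
            -LockoutDuration $fifteenMin `
            -MinPasswordAge $oneDay `
            -PasswordHistoryCount 24 `
            -MinPasswordLength 15
    }
    return $checks
}

Test-DomainPasswordHardening            # audit only
# Test-DomainPasswordHardening -Remediate   # apply the targets after review
```

Run the audit first and review the table; the remediation branch changes the default domain policy for every account, so schedule it and confirm no fine-grained policy quietly overrides the values for privileged groups.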
Proving Strong Passwords
Even the most hardened IT environment can be undermined by weak passwords. If you don’t use a password-checking tool, such as Azure AD Password Protection, you should use password cracking tools or penetration testing services to verify the password strength in your environment.
We get it. It's not easy to maintain strong password protection policies. Dealing with so many accounts can be frustrating, especially if you use unique, complex passwords for each one.
Unfortunately, it also remains the best way to keep your business protected from an unexpected attack. Enforcing strong password hygiene isn’t always easy, but it is worth it.
Make use of proper security settings, and incorporate the use of password managers to help ease any frustrations along the way.
Or, if you’re simply searching for some help from professionals, help is only a phone call (or mouse click) away.
Ideal Integrations, with the support of our cyber security division Blue Bastion, can help. Just contact us at 412-349-6680, or fill out the form below, and our experts can detail options to maintain stronger password protection for your business, today.