How to Vaccinate Against the Poor Password Policy Pandemic


Data breaches remain a constant threat, and no industry or organization is immune from the risks. From Fortune 500 companies to startups, password-related breaches continue to spread seemingly unchecked.

As a result of the volume of data breaches and cybersecurity incidents, hackers now have access to a vast swathe of credentials that they can use to power various password-related attacks.

One example of this is credential stuffing attacks, which accounted for 1.5 billion incidents in the last quarter of 2020—a staggering 90% increase from Q1 2020.

The rapid pivot to digital services during the pandemic has been a key contributor to the growth in attacks. As organizations moved more services online and adopted new applications for virtual interaction with employees and customers, the attack surface expanded and hackers gained new avenues to exploit. In the rush to move meetings, school, shopping, legal proceedings, and healthcare online, security was often forgotten or, at best, an afterthought.

With a distributed workforce now a fact rather than a fad, coupled with the rapid adoption of cloud-based applications, organizations can no longer rely on firewalls to secure the perimeter and protect corporate assets. And if they want to derive maximum value from the new digital solutions, they need to rethink their security strategy. To shore up their defenses, they must remediate their password policy.

Many of the problems with passwords stem from organizations clinging to archaic practices: enforced periodic resets and character-composition rules, rather than screening passwords against lists of known compromised ones. Because these rules create friction, employees find ways to circumvent them.

A common example is keeping a base password and simply incrementing the digit or swapping the special character at each reset. The result is a weaker, predictable password, which increases the risk of a password-related breach. It is time to retire this dated and ineffectual strategy and adopt a modern approach that protects the password layer and mitigates the risks.

Immunity to password threats

Organizations need to accept that suffering a breach is now a matter of when, not if. Therefore, businesses must take steps to inoculate themselves against the threat.

By modernizing their password policy and adopting the following steps, they can reduce the risk of a successful attack.

Think exposure, not expiration

Replacing password expiration with an exposure-based policy is critical for an increasingly hybrid workforce, and it removes the friction described above. Employees will keep adopting new digital accounts and services, so forcing rotation on a schedule only multiplies the opportunities for weak, incremented passwords.

Organizations should stop spending time and help desk resources on scheduled resets when the root of the problem is exposure. If a user has a strong, unique password that has not been exposed, there is no business or security reason to insist that it be changed; if it has been exposed, it should be changed immediately, whatever its age.

Continuously screen for compromised credentials

To counter the vast volume of compromised credentials circulating on the Dark Web and the open internet, organizations must screen continuously to ensure that no exposed passwords are in use, both when a password is chosen and afterwards, since a password that was clean yesterday may appear in tomorrow's breach dump. This approach mitigates the risk while encouraging productivity and reducing help desk costs.

Continuous monitoring keeps systems from being an easy target for password-based attacks such as credential stuffing, even as new breaches expose fresh credentials. NIST SP 800-63B recommends exactly this: compare prospective passwords against a list of values known to be compromised, and do not require periodic changes unless there is evidence of compromise.
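The following is an added example, not Enzoic's code or a model of its service, showing how the two policy changes above fit together: a compromised-credential check that sends only a 5-character SHA-1 prefix to the lookup (the k-anonymity range scheme popularized by Pwned Passwords), a check for the "bump the digit" variants discussed earlier, and a rotation rule that triggers on exposure rather than age. The breach corpus and the `range_lookup` function are constructed stand-ins for a real breach-data feed; the 8-character minimum follows NIST SP 800-63B.

```python
"""Exposure-based password policy with a k-anonymity breach lookup.

Added example. The breach corpus below is constructed for the demo; a real
deployment replaces range_lookup() with a call to a breach-data service.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed corpus (assumption): plaintexts seen in public dumps, with counts.
_BREACHED_PLAINTEXTS: Dict[str, int] = {
    "Password1!": 2_310_000,
    "Summer2020!": 41_500,
    "letmein": 900_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first 5 hex characters of the SHA-1. The client only
# ever sends that prefix; it compares the remaining 35 characters locally, so
# the full hash of the candidate password never leaves the client.
_RANGE_INDEX: Dict[str, Dict[str, int]] = {}
for _pw, _count in _BREACHED_PLAINTEXTS.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_lookup(prefix: str) -> List[str]:
    """Stand-in for the remote range endpoint: 'SUFFIX:COUNT' lines for a prefix."""
    return [f"{s}:{c}" for s, c in _RANGE_INDEX.get(prefix.upper(), {}).items()]


def exposure_count(password: str, lookup: Callable[[str], List[str]] = range_lookup) -> int:
    """How many times the password appears in breach data (0 = not exposed)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def is_trivial_variant(new: str, old: Optional[str]) -> bool:
    """True when `new` is `old` with only digits/symbols changed ("Password1!" -> "Password2!")."""
    if old is None:
        return False
    core = lambda s: re.sub(r"[^A-Za-z]", "", s).lower()
    return core(new) == core(old)


@dataclass
class Decision:
    accepted: bool
    reason: str


def evaluate_password(candidate: str, previous: Optional[str] = None,
                      min_length: int = 8,
                      lookup: Callable[[str], List[str]] = range_lookup) -> Decision:
    """Accept a password only if it is long enough, not a bumped variant, and not exposed."""
    if len(candidate) < min_length:
        return Decision(False, f"shorter than {min_length} characters")
    if is_trivial_variant(candidate, previous):
        return Decision(False, "trivial variant of the previous password")
    seen = exposure_count(candidate, lookup)
    if seen:
        return Decision(False, f"seen in breach data {seen} times")
    return Decision(True, "not exposed; no rotation required")


def rotation_required(current: str, lookup: Callable[[str], List[str]] = range_lookup) -> bool:
    """Exposure-driven rotation: a password is re-screened and rotated only if exposed."""
    return exposure_count(current, lookup) > 0


if __name__ == "__main__":
    for cand, prev in [("Password1!", None), ("Password2!", "Password1!"),
                       ("guest-speaker-tuesday-lamp-42", None)]:
        d = evaluate_password(cand, prev)
        print(f"{cand!r}: {'accept' if d.accepted else 'reject'} ({d.reason})")
```

`rotation_required` is the hook for the continuous-screening step: run it over stored hashes (or at next login) whenever the breach corpus is refreshed, and only users whose password now matches breach data are prompted to change.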

Enzoic has developed an automated solution that enables organizations to identify and prevent the use of compromised credentials. Find out more here.

Make multi-factor authentication (MFA) mandatory

Adopting additional authentication factors adds layers of protection, so a stolen or guessed password alone is no longer enough to gain access.

Rather than treating MFA as a control that only financial services organizations need, every organization should deploy it pervasively as an additional layer of verification protecting its systems and data.

Make password hygiene a priority

The rapid growth in ransomware, phishing, and credential stuffing attacks during 2020 highlights that users need help to understand and recognize the new threat landscape. Otherwise, they will continue to fall prey to the creative tactics of cybercriminals.

A crucial part of this process is to educate employees and instill better security hygiene, preventing weak passwords, password reuse, and password sharing.

Poor password practices have become a pandemic, and all of the steps outlined help vaccinate an organization against the risks of compromised credentials. As businesses accelerate the pace of digital transformation, they must, in turn, modernize their password policy and future-proof themselves against the risks of outdated and ineffectual password strategies.

A dynamic threat intelligence solution like Enzoic can put password security woes in the rearview mirror, allowing organizations to stay a step ahead of cybercriminals. Find out more about how Enzoic is helping eliminate the risks from poor password policy here.