Weak password policies leave organizations vulnerable to attacks. But are the standard password complexity requirements enough to secure them? 83% of compromised passwords would satisfy the password complexity and length requirements of compliance standards. That’s because bad actors already have access to billions of stolen credentials that can be used to compromise additional accounts by reusing those same credentials. To strengthen password security, organizations need to look beyond complexity requirements and block the use of compromised credentials.
Need stolen credentials? There’s a market for that
Every time an organization gets breached or a subset of customers’ credentials is stolen, there’s a high possibility all those passwords end up for sale on the dark web. Remember the Dropbox and LinkedIn hack that resulted in 71 million and 117 million stolen passwords? There is an underground market that sells those credentials to hackers which they can then use in credential stuffing attacks.
How does credential stuffing work?
Credential stuffing is a popular attack method due to the minimal effort required for maximum financial gains; so much so that there has been six times as many credentials being stolen and sold in the last year alone. More and more of an opportunity for credential stuffing presents itself as the number of stolen credentials continues to grow with each new breach. It is estimated that 111 million cyberattacks occur each day. For every one million combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts.
Attackers use automated tools to test the stolen credentials on numerous sites. To increase their chances of success while reducing the risk of detection, attackers utilize readily available tools that help them match passwords with specific websites. This can be especially easy if the password already contains the name of the website or application.
Sophisticated bots are a popular tool in this instance, allowing attackers to simultaneously run a number of login attempts, all of which look to originate from unique IP addresses. In addition to this anonymity, bots are able to overcome simple security measures, such as banning IP addresses due to a series of failed login attempts.
Once the login attempt proves fruitful, the attacker gains entry to the compromised account, granting them access needed to empty the account’s funds, steal sensitive information, send deceptive phishing messages or spam calls, or traffic the stolen data on the dark web. This type of attack has risen in popularity in recent years due to the sheer volume of users reusing passwords across multiple accounts. 44 million Microsoft users were found to be reusing passwords in one analysis over a 3-month period.
So, how can organizations defend against a growing threat? Just as reusing passwords across multiple websites increases the vulnerability of user accounts and complicates efforts to prevent unauthorized access, detecting compromised passwords promptly and notifying affected accounts is essential in decreasing credential stuffing threats against organizations and their users.
Find out if your credentials are compromised
At the time of writing, there are over 15 billion stolen credentials on the dark web. PayPal users infamously joined that list earlier this year when the platform suffered a significant credential-stuffing attack that impacted approximately 35,000 accounts. These breaches exposed sensitive information, including Social Security and tax ID numbers, dates of birth, names, and addresses. As is often the case in such attacks, many of these compromised accounts reused passwords from previous data breaches.
To keep their credentials off this ever-growing list, organizations must do more to safeguard their accounts. For businesses using Active Directory, administrators can identify breached passwords, and block the use of over 4 billion unique known compromised passwords from their network with paid tools such as Specops Password Policy. For a free option, Specops Password Auditor can quickly identify and address password-related vulnerabilities within your Active Directory.
Specops Password Auditor cross-references your passwords against a database of 950 million compromised passwords. You can also identify various other password-related vulnerabilities such as blank passwords, identical passwords, stale admin accounts, stale user accounts, and more.
Specops Password Auditor is a great free tool to get a health check on your end-users passwords, but to strengthen your organization’s password security further, use Specops Password Policy. You will be able to implement stringent password policies, including requirements for password length, complexity, and avoidance of common character patterns and consecutive character repetitions in passwords. Specops Password Policy and the Breached Password Protection feature scan your Active Directory against a database of over 4 billion compromised passwords.
With the Continuous Scan enabled, you will receive immediate SMS or email alerts if and when your passwords are compromised, as well as urgent prompts to change them. The service is regularly updated by to provide ongoing protection against real-world password attacks.
Run a free password vulnerability health check today
Find out if your Active Directory users are using compromised credentials and take proactive steps to stop future credential-stuffing attacks in their tracks.
Get a free read-only report on your organization’s password vulnerability health, and sign up for free trials of the Specops Password Policy trial to avoid the high cost of compromised credentials.