Password security has many well-debated weaknesses but one that gets surprisingly little attention is how organisations can know whether and when theirs have been compromised by outsiders. This lack of interest is surprising. Almost all cyberattacks today, including ransomware attacks, exploit stolen or leaked credentials (a password + username), which makes any compromise a critical incident in the making.
The traditional defence is to change them on a schedule basis on the assumption that a compromise is likely at some point, but this has always been a blunt defence that risks encouraging re-use as users try to cope with constant resets. In 2016, NIST put a pin in this balloon by recommending that organisations no longer mandate automatic password changes unless they have a reason to do so.
The mistaken assumption is that once a password is lost (with or without the username), there is no way to detect that this has happened. In fact, a way does exist – query databases of leaked passwords culled from dark net sources so see if a known password or password is present.
Although the idea of monitoring criminal sites for leaked passwords is not new (public databases such as Have I been Pwned? have been around for years), the trick has been finding a way to integrate them into password management systems. Without that integration, password detection would risk becoming a management chore that burdens IT staff with alerts they struggle to react to.
One company that thinks it has cracked the problem is Authlogics, which has integrated its Password Breach database of 4.1 billion leaked credentials into the company’s Password Security Management system. In this podcast, IT Security Guru editor John E. Dunn and CEO Steven Hope discuss the complex design challenges this posed for Authlogics.
Integrating a database of leaked passwords into a password management system turned out to be the easy part. The much bigger nut to crack was making it easy for IT teams to fix the credential problems the software detected, weeding out dormant accounts, encouraging users to create secure passwords or phrases.
Most important of all, time is of the essence. The detection of compromised passwords must allow for real-time detection as soon as compromised credentials appear in the database.
One day, all password management systems will be built this way.
Have a listen HERE!
