Security Experts:

Tips for a Smarter Approach to Password Policy

In many cases, passwords are the primary line of defense protecting user accounts from being hijacked in an account takeover (ATO) attack. With the right policies and parameters in place to ensure strong, unique passwords, this defense can be quite effective. That being said, as we all know, passwords are highly susceptible to human fallibility.

According to a 2019 survey by Google, a staggering 65% of participants report using the same password across multiple accounts. And all too often, there is an overlap between personal and work-related account passwords. With the rise of credential stuffing, adversaries can take a set of username/password combinations obtained by attacking one target and use them to compromise employee or customer accounts with other organizations. Easier yet, threat actors can even carry out credential stuffing using the low-hanging fruit of publicly disclosed dumps available on the open web.

Such activity can pose a business risk on several fronts—from the financial and reputational costs of fraud against customer accounts to the potentially massive impact of adversaries gaining privileged network access though ATO against an employee account.

As the technology and tools to leverage stolen credentials advance, a more thoughtful approach to your organization’s password policy is a highly effective way to reduce risk by better protecting your customers, network assets, and employees. While there’s no one-size-fits-all approach to optimizing password policy, the following measures and best practices are worth considering:

● Monitor for Compromised Credentials - Dumps containing compromised passwords, usernames, and other credentials are easy pickings for threat actors, and employee or customer accounts using these credentials are ripe for the taking. By monitoring public dumps and leaks privately shared and sold only within illicit online communities, defenders can assess the exposure of accounts they’re tasked with safeguarding and take proactive action against ATO. 

While establishing the data collections and technology required to automatically monitor, process, and act upon compromised credentials data is extremely talent and resource intensive, organizations can gain these capabilities through a trusted partner. In doing so, defenders can augment traditional password policy best practices with the ability to take action based on indicators observed within the cybercrime underground.

● Use a Password Manager - While in many circles it’s become conventional wisdom, it bears repeating: password managers are an easy, efficient way for users to maintain unique passwords for each account. That being said, a word of caution is in order: not all password managers are created equal, and using a password manager that is unsecure or unreliable can lead to all of a user’s passwords being lost or compromised at once.

● Know When to Reset Passwords - While long accepted as a best practice, cybersecurity leaders are increasingly coming around to the realization that automatically forcing password resets at a specified time interval—such as every 90 days—does not reduce the likelihood of accounts being compromised. On the contrary, forcing users to frequently come up with new passwords can encourage them to reuse a password they’re already using for another account or simply make a slight modification to an existing password. The most effective policy is to only reset passwords known to have been exposed in breaches, which can be accomplished by monitoring for compromised credentials and simultaneously make users comfortable with using complex passwords or phrases. 

● Enforce Complexity and Uniqueness Standards - Case-sensitive combinations of letters mixed with special characters are exponentially more difficult for automated brute-forcing tools to mathematically guess than simple combinations of words and numbers—and the longer the password the better. And while it’s unlikely that users will be able to memorize lengthier, more random credentials, adopting the aforementioned best practice of using a password manager makes it easy to implement and enforce strict standards for complexity and uniqueness.

While these best practices are not a comprehensive roadmap to strong password hygiene, they’re a great starting point for organizations that have taken a laissez-faire or reactive stance when it comes to ensuring the security of user credentials. In particular, as the technology and tools to leverage stolen credentials advance, defenders should seek out innovative new ways to proactively flag exposed passwords leveraging insights gleaned from illicit communities and open-web dumps.

RelatedCredential Stuffing - a Successful and Growing Attack Methodology

view counter
Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.