Lossless Blog

Are you Willing to Pay the High Cost of Credential Compromise


Compromised credentials

Weak password policies often leave organizations open to compromise by threat actors. But does password complexity alone guarantee security? Studies have shown that attackers already hold billions of stolen credentials, which they use to compromise additional accounts wherever those same credentials have been reused. To tackle this, organizations need to look beyond complexity requirements and block the use of known compromised credentials.

The market for stolen credentials

Every time an organization is breached, there is a high probability that its credentials end up on the dark web, where they are sold to other attackers for use in credential-stuffing attacks.

How does credential stuffing work?

Credential stuffing exploits the fact that people often reuse the same username and password across multiple online platforms. It requires minimal effort and offers repeated financial gain; so much so that six times as many credentials were stolen and sold in the last year alone. Each new breach adds to the pool of stolen credentials, and with it the opportunities for credential stuffing.

Attackers use automated tools to test the credentials against numerous sites, deploying sophisticated bots that carry out the login attempts while reducing the risk of detection.

Once a login succeeds, the attacker gains entry to the compromised account, with the access needed to empty the account's funds, steal sensitive information, send deceptive phishing messages or spam calls, or sell the stolen data on the dark web.

So, how can organizations defend against this threat? Since reusing passwords across multiple sites increases the exposure of user accounts and complicates efforts to prevent unauthorized access, detecting compromised passwords promptly and notifying the affected accounts is essential to reducing the credential-stuffing threat to organizations and their users.

You can find out if credentials are compromised

Studies put the current number of compromised credentials on the dark web at over 15 billion. PayPal users joined the list earlier this year when PayPal suffered a credential stuffing attack that impacted 35,000 accounts. The breach exposed sensitive information including social security numbers, tax ID numbers, dates of birth, names, and addresses. As is often the case, many of the compromised accounts reused passwords exposed in previous data breaches.

To keep their credentials off this ever-growing list, organizations must do more to safeguard their accounts. For organizations that use Active Directory, administrators can identify breached passwords and block the use of over 4 billion unique known compromised passwords on their network.

An automated password policy tool also lets administrators enforce stringent rules, including requirements for password length and complexity and bans on common character patterns and consecutive repeated characters. Specops Password Policy, with its Breached Password Protection feature, scans your Active Directory against a database of over 4 billion compromised passwords.

With the continuous scan enabled, you will receive immediate SMS or email alerts if and when your passwords are compromised, as well as urgent prompts to change them. The service is regularly updated to provide ongoing protection against real-world password attacks.
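As an added illustration (not Specops' code or the post's own), here is the kind of check such a policy performs, written in Python against a constructed breached-hash set: the length and repetition rules described above, plus a breached-password lookup that sends only a 5-character hash prefix so the full hash of the candidate password never leaves the client. The prefix-query design is an assumption borrowed from public breach-check services, not something the post describes.

```python
from __future__ import annotations
import hashlib
from itertools import groupby

# Constructed stand-in for a breached-password database: SHA-1 digests of a few
# sample passwords. A real database (billions of entries) would be loaded from
# disk or queried remotely; only the lookup logic matters here.
SAMPLE_BREACHED_PASSWORDS = ["password123", "qwerty", "letmein", "Summer2023!"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in SAMPLE_BREACHED_PASSWORDS
}

def range_query(prefix: str) -> set[str]:
    """Server side of a prefix (k-anonymity) lookup: given the first 5 hex chars of a
    SHA-1, return the suffixes of every breached hash sharing that prefix. The client
    never sends the full hash, so the server cannot tell which password was checked."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password: str) -> bool:
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)

def longest_repeat_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively ('aaab' -> 3)."""
    return max((len(list(g)) for _, g in groupby(password)), default=0)

def evaluate_password(password: str, min_length: int = 12, max_repeat: int = 2) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.
    The breached-list check runs regardless of complexity: a long, complex password that
    already appears in a breach offers no protection against credential stuffing."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if longest_repeat_run(password) > max_repeat:
        violations.append(f"more than {max_repeat} consecutive repeated characters")
    if is_breached(password):
        violations.append("appears in breached-password database")
    return violations

if __name__ == "__main__":
    for candidate in ("Summer2023!", "aaab", "Tr0ub4dor&3-lantern-quiet"):
        print(candidate, "->", evaluate_password(candidate) or ["accepted"])
```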

