Password security has many well-debated weaknesses but one that gets surprisingly little attention is how organisations can know whether and when theirs have been compromised by outsiders. This lack of interest is surprising. Almost all cyberattacks today, including ransomware attacks, exploit stolen or leaked credentials (a password + username), which makes any compromise a critical incident in the making. 
The traditional defence is to change them on a schedule basis on the assumption that a compromise is likely at some point, but this has always been a blunt defence that risks encouraging re-use as users try to cope with constant resets. In 2016, NIST put a pin in this balloon by recommending that organisations no longer mandate automatic password changes unless they have a reason to do so. 
The mistaken assumption is that once a password is lost (with or without the username), there is no way to detect that this has happened. In fact, a way does exist – query databases of leaked passwords culled from dark net sources so see if a known password or password is present.  
Although the idea of monitoring criminal sites for leaked passwords is not new (public databases such as Have I been Pwned? have been around for years), the trick has been finding a way to integrate them into password management systems. Without that integration, password detection would risk becoming a management chore that burdens IT staff with alerts they struggle to react to. 
One company that thinks it has cracked the problem is Authlogics, which has integrated its Password Breach database of 4.1 billion leaked credentials into the company’s Password Security Management system. In this podcast, IT Security Guru editor John E. Dunn and CEO Steven Hope discuss the complex design challenges this posed for Authlogics.  
Integrating a database of leaked passwords into a password management system turned out to be the easy part. The much bigger nut to crack was making it easy for IT teams to fix the credential problems the software detected, weeding out dormant accounts, encouraging users to create secure passwords or phrases.  
Most important of all, time is of the essence. The detection of compromised passwords must allow for real-time detection as soon as compromised credentials appear in the database.   
One day, all password management systems will be built this way.  
The podcast will go live this Friday, January 28th for Data Protection Day.
The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY
Follow Us
© 2015 – 2019 IT Security Guru – Website Managed by Calm Logic
© 2015 – 2019 IT Security Guru – Website Managed by Calm Logic
This site uses functional cookies and external scripts to improve your experience.
Privacy settings
Privacy Settings / PENDING
This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.
NOTE: These settings will only apply to the browser and device you are currently using.
GDPR Compliance

source

You May Also Like

More Conti group source code leaked

A Ukrainian security researcher has released further source code from the Conti…