In today's digital world, password security matters more than ever. Biometric identification, one-time passwords (OTP) and other emerging forms of authentication are often touted as replacements for the traditional password, but so far that replacement is still marketing speculation.
The password is not going to leave the stage any time soon, and that does not mean companies can skip modernizing their password security.
The compromised credential crisis
As the Microsoft Security team has pointed out, "It takes only one compromised credential to cause a data breach." Combined with the widely discouraged but still common practice of password reuse, a single compromised credential can have a major and long-lasting impact on enterprise security.
In fact, researchers at Virginia Tech found that more than 70% of users were still reusing a compromised password on other accounts a year after the breach, and 40% were reusing passwords that had been leaked three years earlier.
Although compromised credentials are nothing new to most IT managers, they may be surprised to learn that many of the attempts to solve the problem tend to introduce more security weaknesses.
Many traditional password security measures are weakened in this way, for example:
- Mandatory password complexity
- Regular password resets
- Restrictions on password length and character use
- Requiring special characters
A modern approach to password security
Considering the weaknesses associated with these traditional methods, the National Institute of Standards and Technology (NIST) revised its password security recommendations to encourage organizations to adopt more modern password security best practices. At the root of NIST's updated recommendations is the recognition that when users are forced to create passwords that satisfy complexity requirements, or forced to reset passwords on a schedule, human factors often produce security weaknesses.
For example, if a password is required to contain special characters and digits, users may choose the most basic form, such as "p@SSWORD1", which is very common and easy for attackers to guess. Another traditional practice that can harm password security is a policy that prohibits spaces or various special characters in passwords. After all, if you want users to create unique, strong passwords, why restrict the forms those passwords can take?
In addition, NIST now recommends abolishing periodic password resets, and advises that a company require a password change only when there is evidence that the password has been compromised.
Credential screening solutions
So how does a company monitor for signs of compromise? Another NIST recommendation applies here: enterprise controls should include a blacklist of commonly used and compromised passwords, and passwords should be screened against it continuously.
That may sound straightforward, but in today's severe threat landscape, choosing the right compromised credential screening solution is critical.
A dynamic solution is essential
There are plenty of static blacklists available on the Internet, and some companies have even compiled their own. But data breaches happen all the time now, and freshly stolen credentials keep flowing onto the dark web, where they can be used to launch new attacks. A static blacklist, or one updated only once a year, is no match for this high-risk environment.
Enzoic's dynamic solution screens credentials against a database containing billions of compromised credentials. The credentials in the database come either from data breach disclosures or from cracking dictionaries. Because the database is updated automatically several times a day, companies can rest assured they are keeping up with the latest breach intelligence without adding to the IT workload.
An important part of a modern password security approach is screening credentials when the password is created, and then continuously monitoring them after creation. If a password that was safe when it was set is leaked later, the company can automatically take the appropriate action, for example forcing a password reset at the next login, or disabling the account entirely until IT has investigated further.
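The two checks described above, screening at creation time (with the NIST-style rules from the previous section: no complexity requirement, spaces allowed, a length range, and a compromised-password blacklist) and re-screening at login after the blacklist has grown, as an added example that is not Enzoic's code or NIST's. The breach corpus, user store, and the 8/64 length bounds are constructed or assumed here; a production verifier would use a continuously updated feed and a salted, slow password hash.

```python
import hashlib
import re

# Assumed policy values: NIST SP 800-63B sets an 8-character minimum and
# requires verifiers to accept passwords of at least 64 characters.
MIN_LEN, MAX_LEN = 8, 64

def sha1_hex(pw: str) -> str:
    """Hash a candidate so the screening corpus never holds plaintext."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()

# Constructed sample corpus of compromised passwords. The dynamic database the
# article describes is refreshed several times a day; this one is a fixed set.
BREACH_CORPUS = {sha1_hex(p) for p in ("password", "123456", "letmein", "qwerty")}

_LEET = str.maketrans("@$0!3", "asoie")

def normalize(pw: str) -> str:
    """Undo substitutions that complexity rules invite: 'p@SSWORD1' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower()).translate(_LEET)

def screen_new_password(pw: str, corpus: set = BREACH_CORPUS) -> tuple:
    """Creation-time screen: length bounds only, any character (spaces too),
    no complexity rule, reject known-compromised values as typed or normalized."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False, "length outside policy"
    if sha1_hex(pw) in corpus or sha1_hex(normalize(pw)) in corpus:
        return False, "found in compromised-credential corpus"
    return True, "accepted"

def login_check(store: dict, user: str, pw: str, corpus: set = BREACH_CORPUS) -> str:
    """Continuous screen: re-check the plaintext presented at login against the
    current corpus and flag the account for reset if it now matches. `store` maps
    user -> {"hash", "reset_required"}; its unsalted SHA-1 stands in for a real KDF."""
    rec = store[user]
    if sha1_hex(pw) != rec["hash"]:
        return "denied"
    if sha1_hex(pw) in corpus:
        rec["reset_required"] = True
        return "force_reset"
    return "ok"

if __name__ == "__main__":
    corpus = set(BREACH_CORPUS)
    store = {"alice": {"hash": sha1_hex("correct horse battery"), "reset_required": False}}
    print(screen_new_password("p@SSWORD1"), screen_new_password("correct horse battery"))
    print(login_check(store, "alice", "correct horse battery", corpus))  # ok
    corpus.add(sha1_hex("correct horse battery"))  # a new breach is ingested
    print(login_check(store, "alice", "correct horse battery", corpus))  # force_reset
```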
The road ahead
Although the NIST guidelines generally represent best practice for the security industry as a whole, it ultimately falls to security managers to decide what is best for their company's unique needs and to adjust the company's strategy accordingly.
Depending on your industry, the size of your company and other considerations, some of these recommendations may not suit your organization.
However, cyberattacks show no sign of slowing down, and they frequently stem from password weaknesses, so it is hard to imagine a company that would not benefit from the additional layer of security that credential screening provides.