Why biometrics will not fix all your authentication woes

As the number of data breaches shows no signs of decreasing, the clamor to replace passwords with biometric authentication continues to grow. Biometrics are becoming widely incorporated to secure organizations from unauthorized access and the growing appeal of these security solutions is expected to create a market worth $41.8 billion by 2023, according to MarketsandMarkets.

biometric authentication

Password reuse is the fundamental reason why data breaches continue to happen. In recent years biometrics have increasingly been lauded as a superior authentication solution to passwords. However, biometrics are not immune from problems and once you look under the hood, they bring their own set of challenges.

There are several flaws, including one with potentially fatal implications, that organizations can’t and shouldn’t ignore when exploring biometric authentication. These include:

1. Biometrics are forever

This is the Achilles heel: once a biometric is exposed/compromised, you can’t replace it. There is no way to refresh or update your fingerprint, your retina, or your face. Therefore, if a user’s biometric information is exposed, then any account using this authentication method is at risk, and there is no way to reverse the damage.

Biometrics are on display, leaving them open to potential exploitation. For example, facial information can be obtained online or through a photo of someone, unlike passwords, which remain private unless stolen. With a detailed enough representation of a biometric marker, it’s possible to spoof it and, with the rise of deep-fake technology, it will become even easier to spoof biometrics.

As biometrics are forever, it’s vital that organizations make it as difficult as possible for hackers to crack the algorithm if there is a breach. They can do it by using a strong hashing algorithm and not storing any data in plain text.

2. Device/service limitations

Despite the ubiquity of devices with biometric scanners and the number of apps that support biometric authentication, many devices can’t incorporate the technology. While biometrics are commonplace in smart devices, this is not the case with many desktop or laptop computers, which still don’t include biometric readers. Also, when it comes to signing into websites via a browser, the use of biometric authentication is currently extremely limited. Therefore, until every device and browser is compatible, relying solely on biometric authentication is not even a possibility.

The most widespread consumer-oriented biometric authentication approaches (Apple’s TouchID/FaceID and the Android equivalents) are essentially client-side only – acting as a key that unlocks a locally stored set of authentication credentials for the target application or service.

While this approach works well for this use case and has the advantage of not storing sensitive biometric signatures on servers, it precludes the possibility of having this be the only authentication mechanism (i.e., if I try to access the service from a different device, I’ll have to re-authenticate using credentials such as a username and password before I can re-enable biometric authentication, assuming the new device even supports it). To truly have a biometric-first (or biometric-only) authentication approach, you need a different model – one where the biometric signature is stored server-side.

3. Spoofing threats

Another concern with biometric authentication systems is that the scanner devices have shown they are susceptible to spoofing. Hackers have succeeded in making scanners recognize fingerprints by using casts, molds, or otherwise replicas of valid user fingerprints or faces. Although liveness detection has come a long way, it is still far from perfect. Until spoof detection becomes more sophisticated, this risk will remain.

4. Biometric changes

The possibility of changes to users’ biometrics (injury to or loss of a fingerprint for instance, or a disfiguring injury to the face) is another potential issue, especially in the case where biometric authentication is the only authentication method in use and there is no fallback available.

If a breach happens due to biometric authentication, once a cybercriminal gains access, they can then change the logins for these accounts and lock the legitimate user out of their account. This puts the onus on organizations to alert users to take immediate action to mitigate the risk. If there is a breach, both enterprises and users should immediately turn off biometrics on their devices and revert back to the default, usually passwords or passcodes.

Adopting a layered approach to authentication

Rather than searching for a magic bullet for authentication, organizations need to embrace a layered approach to security. In the physical world, you would never rely solely on one solution and in the digital world, you should adopt the same philosophy. In addition to this layered approach, organizations should focus on hardening every element to shore up their digital defenses.

The simplicity and convenience of biometrics will ensure that it continues to be an appealing option for both enterprises and users. However, relying solely on biometric authentication is a high-risk strategy due to the limitations outlined above. Instead, organizations should deploy biometrics selectively as part of the overall identity management strategy, but they must include other security elements to mitigate the potential risks. It’s clear that, despite the buzz, 2021 will not be the year that biometrics replace passwords.

Love them or loathe them, passwords will remain a fixture in our digital lives.

Why CIOs need to focus on password exposure, not expiration

The cybersecurity market is growing even in the midst of the pandemic-driven economic downturn, with spending predicted to reach $123 billion by the end of the year. While disruptive technologies are undoubtedly behind much of this market growth, companies cannot afford to overlook security basics.

focus on password exposure

Biometrics may be a media darling, but the truth is that passwords will remain the primary authentication mechanism for the foreseeable future. But while passwords may not be a cutting-edge security innovation, that’s not to suggest that CIOs don’t need to modernize their approach to password management.

Mandatory password resets

Employees’ poor password management practices are well-documented, with Google finding that 65% of people use the same password for multiple, if not all, online accounts. To circumvent the security risks associated with this behavior, companies have historically focused on periodic password resets. Seventy-seven percent of IT departments surveyed by Forrester in 2016 were expiring passwords for all staff on a quarterly basis.

This approach made sense in the early days of the digital age, when employees typically only had a handful of passwords to remember. I’d argue that times had already changed by 2016, but we are certainly in an entirely different landscape today. As digital transformation accelerates and employees are faced with managing multiple passwords for all of their accounts, it’s simply no longer realistic or wise to force frequent password resets.

It’s time to retire password expiration

Both NIST and Microsoft have recently come out against forced periodic password resets for a variety of reasons, including:

  • Password expiration eats up significant resources and budget. According to Forrester, a single password reset costs $70 of help desk labor. When you multiply this by the average number of employees in a typical organization, it’s easy to see how password expiration can become an unwieldy expense and add significant pressure on overburdened IT teams.
  • It encourages poor cybersecurity practices. When users are frequently asked to change passwords they typically create weaker ones—for example, slight variants of the original password or the same root word or phrase with different special characters for each account.
  • The practice impedes efficiency and introduces friction. Forced resets have a negative impact on productivity as employees often struggle to remember their passwords. One recent study found that 78% of people had to reset a password they forgot in the past 90 days, eating up valuable time that could have better been deployed elsewhere. In addition, the frustration associated with frequent changes can cause employees to seek a workaround or engage in poor security practices like sharing passwords among colleagues or reusing personal passwords for corporate accounts.

Exposure, not expiration

The fundamental purpose of passwords is to ensure that no one but the authorized user has access to the account or system in question. As such, it follows that password security has evolved from a focus on expiration to a focus on exposure. If credentials are secure, there is no reason for companies to incur the cost and other issues associated with forcing a reset. It’s critical that CIOs adopt this mindset and evaluate how they can continuously screen passwords to ensure their integrity.

Putting NIST’s recommendations into practice

According to NIST, companies should compare passwords “ …against a list that contains values known to be commonly-used, expected or compromised… The list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses
  • Dictionary words
  • Repetitive or sequential characters
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.”

Given that multiple data breaches occur in virtually every sector on a daily basis, companies need a dynamic, automated solution that can cross-reference proposed passwords against known breach data. In this environment, it’s highly likely that a password could be secure at its creation but become compromised down the road. As such, CIOs also need to monitor password security on a daily basis and take steps to protect sensitive information if a compromise is detected.

Depending on the nature of the account and the employee’s privilege this could take a variety of forms, including:

  • Stepping up MFA or additional authentication mechanisms
  • Forcing a password reset
  • Temporarily suspending access to the account

Because these actions occur only if a compromise has been detected, this modern approach to credential screening eliminates the unnecessary cost and friction associated with password expiration.

Protecting the password layer in the new normal

Replacing password expiration with password exposure will be particularly critical as CIOs manage an increasingly hybrid workforce. With Gartner finding that 74% of organizations plan to shift some employees to permanent remote work positions, it’s likely that users will be creating new digital accounts and accessing different services online.

A modern password management approach that continuously screens for any credential compromise is the best way that organizations can secure this complex environment while simultaneously encouraging productivity and reducing help desk costs.

Securing Active Directory accounts against password-based attacks

Traditional password-based security might be headed for extinction, but that moment is still far off.

In the meantime, most of us need something to prevent our worst instincts when it comes to choosing passwords: using personal information, predictable (e.g., sequential) keystroke patterns, password variations, well-known substitutions, single words from a dictionary and – above all – reusing the same password for many different private and enterprise accounts.

What does a modern password policy look like?

While using unique passwords for every account is a piece of advice that has withstood the test of time (though not the test of widespread compliance), people also used to be told that they should use a mix of letters, numbers and symbols and to change it every 90 days – recommendations that the evolving threat landscape has made obsolete and even somewhat harmful.

In the past decade, academic research on the topic of password practices and insights gleaned from passwords compromised in breaches have revealed what people were actually doing when they were creating passwords. This helped unseat some of the prevailing password policies that were in place for so long, Josh Horwitz, Chief Operations Officer of Enzoic, told Help Net Security.

The latest NIST-sanctioned advice regarding enterprise password policies (as delineated in NIST Special Publication 800-63B) includes, among other things, the removal of the requirement for character composition rules and for mandatory periodic password changes. Those are recommendations that are also being promulgated by Microsoft.

As data breaches now happen every single day and attackers are trying out the revealed passwords on different accounts in the hope that the user has reused them, NIST also advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis, against a dynamic database comprised of known compromised credentials.

The need for modern tools

But the thing is, most older password policy tools don’t provide a method to check if a password is strong and not compromised once the password is chosen/set.

There’s really only one that both checks the passwords at creation and continuously monitors their resilience to credential stuffing attacks, by checking them against a massive (7+ billion) database of compromised credentials that is updated every single day.

OPIS

“Some organizations will gather this information from the dark web and other places where you can get lists of compromised passwords, but most tools aren’t designed to incorporate it and it’s still a very manual process to try to keep that information up to date. It’s effectively really hard to maintain the breadth and frequency of data updates that are required for this approach to work as it should,” Horwitz noted.

But for Enzoic, this is practically one of its core missions.

“We have people whose full-time job is to go out and gather threat intelligence, databases of compromised passwords, and cracking dictionaries. We’ve also invested substantially in proprietary technology to automate that process of collection, cleansing and indexing of that information,” he explained.

“Our database is updated multiple times each day, and we’re really getting the breadth of data out there, by integrating both large and small compromised databases in our list – because hackers will use any database they can get their hands on, not just those stolen in well-publicized data breaches.”

Enzoic for Active Directory

This constantly updated list/database is what powers Enzoic for Active Directory, a tool (plug-in) that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials.

The solution checks the password both when it’s created and when it’s reset and checks it daily against this real-time compromised password database. Furthermore, it does so automatically, without the IT team having to do anything except set it up once.

OPIS

Enzoic for AD is able to detect and prevent the use of:

  • Fuzzy variations of compromised passwords
  • Unsafe passwords consisting of an often-used root word and a few trailing symbols and numbers
  • New passwords that are too similar to the one the user previously used
  • Passwords that employees at specific organizations are expected to choose (this is accomplished by using a custom dictionary that can be tailored to each organization)

The tool uses a standard password filter object to create a new password policy that works anywhere that defers to Active Directory, including Azure AD and third-party password reset tools.

Can multi-factor authentication save us?

Many will wonder whether such a tool is really crucial for keeping AD accounts safe. “What if we also use multi-factor authentication? Doesn’t that solve our authentication problems and keeps us safe from attacks?”

In reality, password remain part in every environment, and not every authentication event includes multi-factor authentication (MFA).

“You can offer MFA, but until you actually require its use and get rid of the password, there’s always going to be doors in that the attackers can use,” Horwitz pointed out.

“NIST also makes it very clear that authentication security should include multiple layers, and that each of these layers – including the password layer – need to be hardened.”

Do you really need Enzoic for Active Directory?

Enzoic has made it easy for enterprises to check whether some of the AD passwords used by their employees are weak or have been compromised: they can deploy a free password auditing tool (Enzoic for Active Directory Lite) to take a quick snapshot of their domain’s password security state.

OPIS

“Some password auditing tools take long time to try to brute-force passwords, but attackers are much more likely to start their efforts with compromised passwords,” Horwitz added.

“Our tool takes just minutes to perform the audit, it’s simple to run, and allows IT and IT security leaders and professionals to realize the extent of the problem and to easily communicate the issue to the business side.”

Enzoic for Active Directory is likewise simple to install and use, and is built for easy implementation and automatic maintenance of the modern password policy.

“It’s a low complexity tool, but this is where it really shines: it allows you to screen passwords against a massive database of compromised passwords that gets updated every day – and allows you to do this at lightning speed, so that it can be done at the time that the password is being created without any friction or interruption to the user – and it rechecks that password each day, to detect when a password is no longer secure and trigger/mandate a password change.“

Aside from checking the passwords against this constantly updated list, it also prevents users from using:

  • Common dictionary words or words that are often used for passwords (e.g., names of sports teams)
  • Expected passwords and those that are too similar to users’ old password
  • Context-specific passwords and variations (e.g., words that are specific to the business the enterprise is in, or words that employees living in a specific town or region might use)
  • User-specific passwords and variations (e.g., their first name, last name, username, email address – based on those field values in Active Directory)

Conclusion

Time and time again, it has been proven that if left to their own devices, users will employ predictable patterns when choosing a password and will reuse one password over multiple accounts.

When the compromised account doesn’t hold sensitive information or allows access to sensitive assets, these practices might not lead to catastrophic results for the user. But the stakes are much higher when it comes to enterprise accounts, and especially Active Directory accounts, as AD is most companies’ primary solution for access to network resources.

New version of Enzoic for Active Directory helps orgs reduce insider risks from poor password hygiene

Enzoic, a leading provider of compromised password security solutions, released the latest version of Enzoic for Active Directory. The automated tool screens and identifies employees that are using compromised or weak passwords, helping organizations reduce insider risks from poor password hygiene. It is the only Active Directory plugin with 1-click NIST password guideline compliance.

new Enzoic for Active Directory

Insider threats continue to increase with Verizon’s 2019 Data Breach Investigations Report identifying that 34 percent of all breaches in 2018 were caused by insiders, up from 28 percent in 2017.

Organizations need a way to identify and mitigate the growing risk from employees and their use of risky passwords. With Microsoft Active Directory being the primary solution for access to network resources, Enzoic provides IT teams with an automated solution that identifies users with compromised passwords, helping mitigate the risks from within.

Enzoic for Active Directory provides either 1-click NIST password guideline compliance or fully customized settings. The setup wizard can guide the administrator through configuring the different application options. These include fully automated common password screening, fuzzy password matching, password similarity blocking, and custom password dictionary filtering.

Enzoic can now also look for a “root” password, meaning it can detect if a password is just changed with appended and prepended characters. In addition, Enzoic provides organizations with visibility into which users are deploying compromised credentials.

“Insider threats are a rapidly growing threat vector and organizations need an automated solution to pinpoint employees that are using exposed passwords,” said Mike C. Wilson, Founder, and CTO, Enzoic.

“Preventing the use of compromised passwords and enforcing a secure password policy are vital weapons in the battle against insider threats. Enzoic for Active Directory provides organizations with the ability to easily secure and enforce password policy.”

“Our recent primary research indicates more than 60% of businesses experienced a security breach in the last year, and the most frequent breaches involved compromised passwords,” noted Steve Brasen, Research Director with IT industry analyst firm, Enterprise Management Associates.

“Enzoic for Active Directory ensures passwords continuously meet even the most stringent security and compliance requirements while simplifying management processes.”

The latest version of Enzoic for Active Directory incorporates a dashboard widget that highlights if the settings follow requirements from NIST 800-63b, which includes settings that enable password checks during password resets, reject common passwords, include fuzzy password matching, turn on continuous password protection, and create a custom password dictionary.

The solution is simple to install and once the setup is complete it continually runs in the background without requiring additional IT support.

Additional feature enhancements in Enzoic for Active Directory include:

  • Root password detection will check user passwords for so-called “root” passwords that are common or compromised. It does this by removing trailing numbers and symbols that users often will use to prefix or suffix a password.
  • Monitored users reports allow organizations to have visibility into which employees are using exposed passwords. It includes a report displaying the status of all protected user accounts and clearly indicates compromised accounts.

Changing the mindset of the CISO: From enforcer to enabler

With digital transformation investments expected to reach a staggering $7.4 trillion before 2023, organizations realize that they must disrupt their markets or risk being disrupted themselves. However, with digital transformation comes a multitude of cybersecurity-related challenges to overcome, and it’s up to the CISO to help businesses navigate the associated risks.

CISO must aid the business

Security leaders can no longer adopt the role of enforcer, but rather need to pivot to a new role: the enabler. CISOs today have the opportunity to help enable the organization to grow by delivering a digital experience that delights customers while mitigating digital risk. This requires the CISO to advise the business about when and where cyber risks could manifest. Security leaders must now be able to transform their security practices in lockstep with all the other changes wrought by business-wide digital transformation.

Today’s CISO needs to be able to provide advice to the business to help it understand the risk landscape so that it can then make informed decisions about which risks are tolerable and which ones to avoid at all costs. In addition to providing this counsel, security leaders must be able to implement the technology to mitigate risks and protect the business as it continues on the path to digitally transform.

As part of this change in mindset, security leadership needs to take into account the impact of friction on the user experience as it can “break or make” security initiatives. The CISO must now focus on reducing unnecessary friction where appropriate in support of digital transformation objectives.

How to reduce security friction

As a rule, security friction increases or decreases proportionally to the severity of security restrictions put in place. The successful CISO must collaborate with the business and find a way to balance the appropriate controls for any given scenario in order to maximize protection and minimize security friction.

To achieve this balance, the CISO needs to home in on these seven variables:

1. How much is at risk if no controls are in place?
2. How could controls interrupt revenue streams?
3. Could the aggravation of the control cost the company many customers?
4. Must the business stop using or restrict innovative business processes or technology for the controls to work?
5. Will the level of friction from controls cause a revolt among users that could hamper implementation or induce unsafe workarounds?
6. How much will controls slow down technology delivery or innovation?
7. Are there any other alternative controls that could offer significantly less friction without compromising all of the risk reduction benefits?

By reviewing this checklist, CISOs will be able to advise the business of the different options available and, most critically, the path forward to mitigate risk and minimize friction. Security leaders need to outline the options available that will help reduce risk in the context of the business operating environment.

The successful CISO in the digital era needs to help the business understand all the different variables. To achieve this requires a mindset shift from that of an enforcer to that of a collaborative and flexible partner. Security teams need to recognize that they now provide a valuable service to the business in the quest to mitigate digital risk and minimize security friction.

Here are three examples of ways to achieve this balance in a digital-first world.

Payment processing

Online and mobile transactions are increasingly becoming the lifeblood of commerce for every type of organization, and digital transformation spurs this on further. While fraud protection is essential, transaction speed is tantamount.

Effective security teams are managing that through behavioral indicators that increase security measures based on risky behavior. That paired with compromised credential screening during authentication can generally keep friction low for the average transaction, while at the same time mitigating the risk of account takeover and the corresponding associated financial costs and impact on reputation.

Software supply chain

Software development teams increasingly depend upon third-party code and open source libraries to quickly develop software. This underpins the DevOps and Agile practices that fuel the rapid software delivery necessary for digital transformation. But third-party code also accelerates the introduction of new vulnerabilities into enterprise software.

Rather than banning the use of the transformative practice of leaning on third-party code, successful security teams are finding ways to track and manage the use of these tools while making it easier for developers to source them. Security leaders reduce friction here by tailoring the controls to the development process rather than making developers jump through multiple time-consuming security hoops.

Data sharing

Data sharing through cloud services and API connections between applications is crucial to digital transformation efforts. So many innovations today rest on complex digital ecosystems and integrations. The most impactful frictionless security efforts are those that smooth ease of access and integration. At the business user level, that means allowing the use of common platforms such as Box, while increasingly tying data access policies and visibility into data use to identities and roles. At the application level, it means designing security mechanisms and APIs that work seamlessly in an ecosystem and help facilitate data controls. The security tools must work without breaking integrations or degrading service levels.

Digital transformation is changing every aspect of how we operate, including the role of the CISO. The successful CISO in the 2020s and beyond needs to take a risk-based approach that consistently views security reasoning through the lens of user experience, business profitability, and viability.

Review: Enzoic for Active Directory

Seemingly every day news drops that a popular site with millions of users had been breached and its user database leaked online. Almost without fail, attackers try to use those leaked user credentials on other sites, making password stuffing one of the most common attacks today.

Users often use the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific company resources.

For example: An attacker wants to target CompanyX and sees that 30 users that work in CompanyX also had their account credentials leaked following a recent breach (let’s say Zynga). Trying to enter those credentials into the company’s SharePoint, Exchange, VPN, and various web portals to see if they might gain access is a no-brainer for them.

This common occurrence has resulted in the launch of several commercial and free solutions that try to mitigate this specific risk. One of them is Enzoic for Active Directory.

About Enzoic for Active Directory and this review

“Enzoic for AD is a tool that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials,” the product’s page says.

“Unlike products that only check passwords after they are saved, thus requiring subsequent reset by the user, Enzoic validates the password at the time it is being selected. Passwords are then continuously monitored to detect if they become compromised – with automated remediation and alerts. It helps organizations with NIST Password Guideline compliance in Active Directory.”

We tested the Enzoic for AD solution and this review will focus on the following main points:

1. Setup experience – The solution’s install process and setup process.
2. A cursory overview of the privacy implications of the solution – Since the solution has to query Enzoic’s cloud to verify if a password is contained in a breached set, we decided to check what is actually sent to the cloud.
3. Usefulness and coverage – The effectiveness of the solution when tested against multiple breached credentials lists.
4. Final thoughts and impressions.

Setup experience

The installer for Enzoic for AD is available in both EXE and MSI file format. The software is a plugin for Microsoft Active Directory, which needs to be installed on all AD servers in your organization to achieve coverage.

The installation process begins with a standard Windows install:

Enzoic for Active Directory

Enzoic for Active Directory needs to be configured. Which Users, Groups, Containers should be covered by its functionality to check for compromised password? Will the entire AD be covered? (For this test, we left the default “All Users in Active Directory” option.)

Enzoic for Active Directory

After confirming coverage, monitoring options can be configured. The options are:

1. Reject common passwords found in cracking dictionaries (or not).
2. Check passwords during password resets (or not).
3. Use fuzzy password matching (or not).

Enzoic for Active Directory

In the next step we needed to select the remediation action. The solution allows for the following options:

1. User must change password on next login.
2. User must change password on next login (delayed).
3. Disable account.
4. Disable account (Delayed).
5. Notify only (via email to the user and to a number of other accounts). E-mail is sent by Enzoic (through Amazon SES) and you cannot configure a specific email server to use.

Enzoic for Active Directory

Installation and configuration are simple and easy even for a beginner. After-setup configuration capabilities are also very easy to understand and to tweak.

They include the same options offered at setup-time, plus two additional ones. One allowed adding a custom password dictionary, which can include a word or parts of words that should not appear in a password (e.g., the name of your business). Another setting allowed password blocking based on similarity, according to a configurable distance value that defines how closely a new password can match a previous password.

Enzoic for Active Directory

Enzoic for Active Directory

After a quick mandatory server restart, we proceeded to test the usability of the application.

A cursory overview of the privacy implications of the solution

“Trust but verify,” says an old proverb, so we decided to inject a CA certificate into our AD server, to be able to sniff the communications between our AD server and Enzoic’s servers to see what actually gets shared with Enzoic. We entered a very common password (administrator) and tried to verify it:

Enzoic for Active Directory

As you can see, that password was rejected, but let’s see what was shared on the wire:

Enzoic for Active Directory

In the request you can see that the application takes the input string “administrator” and hashes that value with MD5, SHA1 and SHA256 hashes and sends the first 40 bits of each hash to Enzoic’s cloud, which responds with the possible candidates to check. This is similar to the k-anonymity algorithm used by HaveIBeenPwned’s API service, which shares only the starting 20 bits of SHA1 hash output.

Enzoic for Active Directory

We did not actually try to reverse engineer the application, since this was a cursory review just to make sure that the actual passwords are not being sent to Enzoic’s cloud.

We also left our domain controller (DC) connected to the internet for 48 hours to see what kind of data (if any) is being sent to Enzoic. We found that the app shares some telemetry with the Enzoic cloud, namely the number of matches of breached passwords in the organization and number of users, probably for licensing purposes:

Enzoic for Active Directory

Enzoic for Active Directory

Usefulness and coverage

Next, we wanted to see how Enzoic for AD handles leaked passwords, so we covered a few scenarios that might be interesting to our readers:

  • Verifying if the application correctly detects passwords from common wordlists used by attackers.
  • Verifying if the application correctly detects passwords from common large-scale breaches (LinkedIn, RockYou).
  • Verifying if the application correctly detects passwords from very recent leaks (Zynga).

We decided to take a random sample from SecLists, the LinkedIn and RockYou leaks, and even fully random passwords that were a part of a breached set (e.g., *23P%GWtUPST2jQ&auUB7j542) were correctly identified. We also ran a random sample of passwords from other leaks (e.g., the Hak5 leak) and they were also correctly detected.

One thing that interested us was whether Enzoic for AD could detect passwords from recent leaks. (Un)fortunately, a week before this test the full user database from game company Zynga was leaked on the internet, so we decided to test Enzoic for AD with the newly available leaked passwords.

We sampled passwords randomly but also tried to find unique passwords that were contained in the Zynga breach but not in the sets we used previously. We found a couple of such passwords, and they were successfully detected as breached passwords by Enzoic for AD. Good job!

Looking to the future

We couldn’t test the breached password notification option, since that would require us to actually have users who are a part of an actual breach that is about to occur, which cannot be easily simulated.

Looking forward to the future, there are a few things that could be changed, but are in no way a deal-breaker from our perspective.

The first one is the sharing of three types of hashes and 40 bits of data per hash. We could argue this is excessive since the reference implementation for k-anonymity only shares 20 bits of a single hash.

Enzoic tells us that they chose that length of partial hash as a good balance between anonymity and performance. Keeping the number of candidate hashes returned to a more reasonable number and thus reducing latency for the call is an important concern, since many of their customers are very sensitive to latency.

They view the additional data sent as of minimal risk (keep in mind no usernames are shared and none of these requests are logged on their end). That said, they do have it on their roadmap to make the partial hash match length configurable in the future – with the trade-off that some users might have longer latencies when attempting a password change if this length is significantly reduced.

Secondly, when the user gets notified that a breached password was found, the notification could also contain the information in which breached set that password was found. This would be interesting to both users and security personnel in an organization. We are aware that this information cannot be shared with the user through the standard Windows interface, but it can be sent via email or stored in event logs.

Final verdict

Enzoic for Active Directory is a first-rate solution for ensuring that your users don’t select passwords that were part of a breach. Its coverage of leaked lists is very good, since any list we could legally obtain was correctly flagged by it. Installation is simple and configuration and maintenance are no hassle.

One excellent aspect of this tool is that even someone who is marginally acquainted with Active Directory and has zero experience with Enzoic’s solution can install and make the solution work out of the box. Definitely a 10/10 for user experience.

The password reuse problem is a ticking time bomb

Despite Bill Gates predicting the demise of passwords back in 2004, they are still very much in use. Passwords, like email, seem future proof; but they are also the source of many cybersecurity problems. Key drivers of these issues are human behavior and the desire for convenience, which results in password reuse across multiple accounts. The 2018 Global Password Security Report shows a staggering 50 percent of users use the same passwords for their personal … More

The post The password reuse problem is a ticking time bomb appeared first on Help Net Security.