Many businesses are currently looking at how to bolster security across their organization as the pandemic and remote work situation continues to progress towards the end of the year. As organizations continue to implement security measures to protect business-critical data, there is an extremely important area of security that often gets overlooked – passwords.
Weak passwords have long been a security nightmare for your business. This includes reused and pwned passwords. What are these? What tools are available to help protect against their use in your environment?
Different types of dangerous passwords
There are many different types of dangerous passwords that can expose your organization to tremendous risk. One way that cybercriminals compromise environments is by making use of breached password data. This allows launching password spraying attacks on your environment.
Password spraying involves trying only a few passwords against a large number of end-users. In a password spraying attack, cybercriminals will often use databases of breached passwords, a.k.a pwned passwords, to effectively try these passwords against user accounts in your environment.
The philosophy here is that across many different organizations, users tend to think in very similar ways when it comes to creating passwords they can remember. Often passwords exposed in other breaches will be passwords that other users are using in totally different environments. This, of course, increases risk since any compromise of the password will expose not a single account but multiple accounts if used across different systems.
Pwned passwords are dangerous and can expose your organization to the risks of compromise, ransomware, and data breach threats. What types of tools are available to help discover and mitigate these types of password risks in your environment?
Tools Available to help with password security
There are a few tools available that can help with password security in your environment by way of API calls as well as utilizing cloud tools, both on-premises or in cloud environments. Let’s look at a couple of these.
- “Have I Been Pwned” (HIBP) API
- Azure AD Password Protection – can be used on-premises as well
“Have I Been Pwned” (HIBP) API
The Have I Been Pwned website, operated by security expert Troy Hunt, is a valuable resource for the security community. Troy Hunt has provided a number of resources on the site that allow organizations to make use of and gain awareness of various security threats that exist on the scene today.
The HIBP site was developed in response to data breach events that often happen when user credentials are exposed over and over again with the same passwords. Using HIBP, organizations can discern if passwords in their environment have previously been exposed to data breach events.
Troy Hunt has provided an HIBP API that is freely available and allows making real-time API calls from various software applications to the HIBP API to check passwords used across multiple software forms and many other purposes. Some of the API calls and information that can be returned include the following:
- Getting all breaches for an account
- Getting all breached sites in the system
- Getting a single breached site
- Getting all data classes
Hats off to Troy for providing an excellent resource for the community that can be consumed and used freely to help bolster the security of passwords in their environments.
To properly consume the HIBP API, it does require that organizations have some development skills in-house to make use of the resource. This may be a blocker for many organizations that would like to make use of the resource.
Azure AD Password Protection
Microsoft has provided a tool called Azure AD Password Protection that detects and blocks known weak passwords and their variants. It can also block terms that are specific to your environment, such as blocking passwords that may contain the company name as an example.
The tool can also be deployed on-premises as well and uses the same lists of passwords, including global and custom banned passwords, that are configured in Azure to protect on-premises accounts. Using Azure AD Password Protection employs a mechanism that checks passwords during the password change event for a user to prevent users from configuring weak or otherwise blocked passwords.