Studies abound that show users frequently re-use passwords across systems, clouds and accounts in both their personal and business life. That means if an attacker learns a user’s password on one system they can often gain access to other completely separate systems with that same password. But this risk goes way beyond targeted attacks on individual users.
We repeatedly hear of websites and other systems being hacked where the attackers get away with millions of passwords. Attackers then post these lists on the dark web or sell them on the black market making them available to a much wider population of cyber criminals.
How valuable is such a list of that size to an attacker? Seems like a lot of passwords to try, right? But out of the entire set of possible passwords it reduces their work exponentially. And they have devised methods for efficiently using password lists like credential stuffing and password spaying against corporate networks and web sites.
In this webinar we will explore the problem of password-reuse and delve into how attackers use password lists with a view to detecting such attacks. But we will go further and discuss how to proactively identify vulnerable accounts by making use of stolen password lists and related resources. We’ll look at open source password auditing tools and sources of compromised password lists that you can use on your environment.
The NIST recognizes the importance of proactive counter-measures like this. NIST 800-63B Password Guidelines states that “…verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised… The list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.”
Enzoic is the perfect sponsor for this real training for free event and their CTO, Mike Wilson, will show you some very cool technology that validates AD credentials on a real-time, ongoing basis to ensure user login credentials are not already compromised.
Join us for this real-training-for-free session.