Tips for a Smarter Approach to Password Policy

In many cases, passwords are the primary line of defense protecting user accounts from being hijacked in an account takeover (ATO) attack. With the right policies and parameters in place to ensure strong, unique passwords, this defense can be quite effective. That being said, as we all know, passwords are highly susceptible to human fallibility.


According to a 2019 survey by Google, a staggering 65% of participants report using the same password across multiple accounts. And all too often, there is an overlap between personal and work-related account passwords. With the rise of credential stuffing, adversaries can take a set of username/password combinations obtained by attacking one target and use them to compromise employee or customer accounts with other organizations. Easier yet, threat actors can even carry out credential stuffing using the low-hanging fruit of publicly disclosed dumps available on the open web.


Such activity can pose a business risk on several fronts, from the financial and reputational costs of fraud against customer accounts to the potentially massive impact of adversaries gaining privileged network access through ATO against an employee account.


As the technology and tools to leverage stolen credentials advance, a more thoughtful approach to your organization’s password policy is a highly effective way to reduce risk by better protecting your customers, network assets, and employees. While there’s no one-size-fits-all approach to optimizing password policy, the following measures and best practices are worth considering:


● Monitor for Compromised Credentials - Dumps containing compromised passwords, usernames, and other credentials are easy pickings for threat actors, and employee or customer accounts using these credentials are ripe for the taking. B ..
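The following is an added example, not code from the original post: a password-policy check that rejects any candidate found in a compromised-credential corpus, looked up with a hash-prefix range query so the full hash of the candidate never leaves the client. The corpus is a constructed stand-in for a breach dump; the 5-character SHA-1 prefix and the 12-character floor are assumed parameters.

```python
import hashlib

# Constructed sample standing in for a compromised-password dump (example data only).
COMPROMISED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2019!"]

PREFIX_LEN = 5  # assumed: hex characters of SHA-1 sent in a range query


def build_range_index(passwords):
    """Index the corpus by SHA-1 prefix -> {suffix: count}, as a range service would."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index, prefix):
    """Service side: return every suffix under the prefix, so the caller's
    specific hash is hidden among all hashes sharing that prefix."""
    return dict(index.get(prefix.upper(), {}))


def is_compromised(index, candidate):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(index, prefix).get(suffix, 0) > 0


def evaluate_password(index, candidate, min_length=12):
    """Policy check at password-set time: returns (accepted, reasons)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_compromised(index, candidate):
        reasons.append("appears in compromised-credential corpus")
    return (len(reasons) == 0, reasons)


if __name__ == "__main__":
    idx = build_range_index(COMPROMISED_PASSWORDS)
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", evaluate_password(idx, pw))
```

The same check can be run against existing accounts whenever a new dump is ingested, so reused credentials are flagged before they are used in a credential-stuffing attempt.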
