Last Updated on September 10, 2021
It’s a fact of business life that password authentication is among the biggest sources of cyber risk, with password reuse across sites leaving orgs wide open to both brute force and targeted attacks. Multi-factor authentication (MFA) is a great way to reduce that risk. But it’s not always possible to implement MFA in every authentication scenario. And even MFA can be hacked.
Hackers can crack passwords and even reverse-engineer hashed passwords. Can businesses leverage these same tools to validate passwords for safety before putting them into use? What are the current capabilities in this regard, and what best practices should forward-looking teams aim to implement?
To cover all the details on how the latest generation of tech can help cut password-related risk, we talked with Josh Amishav-Zlatin, Founder and Technical Director at BreachSense, on a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
NIST SP 800-63 Digital Identity Guidelines recommends screening passwords against databases of commonly used passwords, compromised passwords, and their expected variants. This is a key feature that the BreachSense service provides via an API.
As Josh explains, “You can hook it into your account creation functionality, just query the API and see if [the password] is there. If not, then you can let the user create the account.”
Dealing with unlimited possible variants
But what about variants? Validating passwords against databases via APIs works great… up to a point. There are innumerable expected/potential patterns and permutations of compromised passwords that, thanks to hashcat rules, are already “pre-compromised” because hacker tech can easily derive them, even though they might not explicitly be in your database of leaked passwords.
Balancing risk and effort
What’s the best way to apply current SaaS or homegrown tools to alert you to risk from variations on compromised passwords?
“It’s one of those things where you can have an unlimited number of variations,” Josh notes. “So, you have to call it at some point and say, ‘Okay. We’re going to include in the database X number of variations on this password. If it matches that, then we’re going to include it.’”
What BreachSense does is monitor the “top 10” hashcat rules that show up most often in password variants. This enables you to look for the most likely knockoffs on passwords that your users are submitting, balancing risk against compute time.
“It gives you more insight as opposed to if we weren’t doing anything,” offers Josh. “On the other hand, what happens if the password that the user is submitting we would find on the twelfth rule that we would run if we were cracking the password, but we don’t include that in the database?”
So, while tools like BreachSense aren’t perfect, they add significant value in terms of driving down password risk through automation.
Ready to up your password management game? This podcast episode with Josh Amishav-Zlatin is just what you’re looking for.
Looking for some more great content around password policy? Check out this post: Best-Practice Password Policy and the Research Behind It – Pivot Point Security
Or listen to the podcast episode all the way through: EP#57 – Is Your Business Safe? w/ Josh Amishav-Zlatin | Pivot Point Security