Last Updated on August 31, 2021
Passwords are probably the weakest link in nearly every company’s security defenses. Despite your best efforts, your users continue to make a mockery of password best practices—especially by reusing readily guessable passwords across multiple personal and business applications. If hackers can get one of those reused passwords from a data breach and use it to mount a credential stuffing or phishing attack, your network is a sitting duck. The recent Colonial Pipeline breach was caused by a single compromised password.
Can you know if a password in use within your domain has been compromised in a breach elsewhere? What are the best password policies to protect your sensitive data from password-related exploits?
To share the latest tools and best practices for reducing password-related risk across your company, the latest episode of The Virtual CISO Podcast features Josh Amishav-Zlatin, Founder and Technical Director at BreachSense. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.
How BreachSense works
Josh summarizes BreachSense as akin to Troy Hunt’s famous Have I Been Pwned site, but with an enterprise versus individual focus. BreachSense empowers security teams with visibility on compromised passwords across your domain, so you can reset stolen usernames and passwords before hackers can exploit them.
Besides notifying you about breached credentials, BreachSense also cracks breached passwords so you have them in plain text. From there, you can hash them back and compare them against your hashed password values. That way you know for sure if the compromised password is in use within your organization or not—giving you a more accurate picture of your actual risk and whether you need to force a password update.
This ability to know your actual risk from breached passwords has a huge value proposition, especially if you have a lot of users. Because if you’re not sure if users’ passwords have been breached or not, you might need to force a wholesale password reset “just in case.”
Focus on passwords
Josh emphasizes that BreachSense is “laser-focused just on passwords,” and not on, for example, credit card or email address data.
“From our standpoint, a lot of that information is probably publicly available,” explains Josh. “So the fact that your email address was breached is not really a big deal. We want to have a very high signal-to-noise ratio. So anytime you get an alert, there’s something actionable that you can do and there’s actual risk associated with that.”
To help keep the signal-to-noise ration as high as possible, BreachSense has a number of filters that you can configure, such as a date filter. That way, you’ll see only alerts that relate to newly available breach data.
“Essentially, we’re just an API,” Josh clarifies. “You can setup alerts, and you can setup various filters to get information. You can say, ‘Just show me breaches associated with a given domain name or an email address that were imported into the [BreachSense] database on or after a certain date.’”
If significantly reducing password-related risk without a lot of added effort sounds like music to your ears, be sure to catch this podcast episode with Josh Amishav-Zlatin.