Automate Password Policy Enforcement and NIST Password Guidelines

Automate Password Policy & NIST Password Guidelines

Enable automated password policy enforcement with daily password auditing and customizable remediation.

With compromised password detection, a custom password dictionary, fuzzy matching with common character substitutions, and continuous ongoing monitoring, enterprises can easily adopt NIST password requirements and eliminate vulnerable passwords in Active Directory.

Organizations can adopt NIST password standards to screen for weak, commonly-used, expected, and compromised passwords. Then they can check the password at the time it is created or reset, and monitor it daily against a real-time compromised password database.

NIST 800-63B:
…verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised… The list MAY include, but is not limited to:
– Passwords obtained from previous breach corpuses.
– Dictionary words.
– Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
– Context-specific words, such as the name of the service, the username, and derivatives thereof.

Many organizations are trying to adopt NIST 800-63b password standards but are struggling with the workload associated with it. Automated password policies can help simplify the implementation of NIST password standards without creating a lot of additional burden on the IT team. 

Here are some automated password policy options we recommend for NIST compliance and why organizations should adopt them.

Why Do Organizations Need Continuous Password Protection?

The average person reuses each password as many as 13 times. Most people know better than to reuse passwords, but struggle to recall unique passwords for all of their personal and work accounts. Cybercriminals rely on this lax behavior and prey upon the vulnerabilities caused by password reuse. This is why compromised passwords are responsible for 81% of hacking-related breaches according to the Verizon Data Breach Investigations Report.

IT and Security teams are fighting back with compromised password screening. For example, some IT organizations occasionally download static password blacklists off the Internet and then periodically monitor their passwords against those lists. That is a significant first step, but those lists typically cover only 10-20% of the common passwords that attackers use, so they provide limited protection. Additionally, since those lists require manual updates, they don’t protect organizations from any recent breach lists.

Screening passwords against a consistently updated list is critical. Attackers are frequently using the freshest exposures they can find because they know the more recent exposures will result in more successful outcomes. If an organization only uses old password blacklists, they are giving attackers a much larger attack window to take over an employee account.

Enzoic for Active Directory is the first product to introduce the ability to do continuous password monitoring against a proprietary password database of previous breach corpuses that is refreshed every day. Enzoic for Active Directory is a NIST 800-63b compliant password solution that uses a password filter to screen passwords being saved. It then continues to monitor the password daily to ensure it doesn’t become unsafe while it is in use.

Figure: Enzoic for Active Directory: Screen for Compromised or Exposed Passwords Daily

Why Should Organizations Reject Commonly-Used Passwords?

Many employees use weak or common passwords. Often they are completely unaware of it because they’ve satisfied password policies based on traditional algorithmic password complexity rules. For years the security industry has been trying to educate employees, yet it still hasn’t been able to close this vulnerability. Many organizations are now choosing to take this burden off their employees and automating password policies to include screening for normal human limitations and behavior when it comes to passwords.

It starts with preventing common dictionary words. Every English-language word can be found in cracking dictionaries, so organizations should prevent employees from using basic dictionary words in isolation. Pairing common words with other words, special characters and numbers can be allowed with appropriate character lengths. Additionally, organizations should block repetitive characters or sequential characters (for example: aaaaaa, 111111). Lastly, there are the most common passwords that attackers know some people will use, so organizations should be blocking common passwords (for example: 123456, 12345678, qwerty, abc123, password1, iloveyou, etc.).
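As an added example (not Enzoic’s code or a description of how the product implements its checks), the following Python screens a candidate password against the NIST 800-63B list quoted above and the rules just described: a constructed common-password list, dictionary words used in isolation, repetitive or sequential character runs, and context-specific terms derived from the username and the service name. The sample lists, the 8-character minimum (NIST 800-63B’s minimum for user-chosen secrets, not a figure from this page), the run length of 4 and all function names are assumptions; a deployment would load a breach corpus and a full dictionary instead of the inline sets.

```python
import re

# Constructed sample lists; a real deployment loads breach corpora and a full dictionary.
COMMON_PASSWORDS = {"123456", "12345678", "qwerty", "abc123", "password1", "iloveyou"}
DICTIONARY_WORDS = {"holiday", "vacation", "summer", "password", "welcome", "dragon"}
MIN_LENGTH = 8  # assumption: NIST 800-63B minimum for user-chosen memorized secrets
RUN_LENGTH = 4  # assumption: how many repeated/sequential characters count as a run


def has_repetition(pw, run=RUN_LENGTH):
    """True if any character repeats `run` or more times in a row (e.g. 'aaaaaa', '111111')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=RUN_LENGTH):
    """True if `run` consecutive characters step up or down by one code point
    (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def context_terms(username, service):
    """Context-specific words per NIST: the username, its local part, the service
    name, and the individual words of the service name (case-folded)."""
    terms = {username, username.split("@")[0], service}
    terms |= set(re.findall(r"[A-Za-z]+", service))
    return {t.casefold() for t in terms if len(t) >= 3}


def screen_password(pw, username="", service=""):
    """Return the list of reasons the password is rejected; an empty list means it passed."""
    reasons = []
    folded = pw.casefold()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if folded in COMMON_PASSWORDS:
        reasons.append("commonly used / breached")
    if folded in DICTIONARY_WORDS:
        reasons.append("dictionary word in isolation")
    if has_repetition(pw):
        reasons.append("repetitive characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    # sorted() makes the reported term deterministic when several terms match
    for term in sorted(context_terms(username, service)):
        if term in folded:
            reasons.append("context-specific term: " + term)
            break
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "Holiday", "aaaaaaaa", "AcmeCorp2019x", "Tangerine-Lamp-42"]:
        print(candidate, "->", screen_password(candidate, "jdoe@acme.example", "Acme Corp") or "ok")
```

The dictionary check rejects a word only when it is the whole password, which matches the page’s point that pairing words with other words, digits and symbols at adequate length is acceptable; the context check is a substring match because “derivatives thereof” are the usual way such terms appear.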

Figure: Enzoic for Active Directory: Reject Commonly-Used Passwords

Why Will Organizations Block Expected or Similar Passwords?

Most employees will also create or reuse passwords that are context-specific or expected. An expected password is typically a root password that has been changed by just a few characters, or even only in capitalization. Once again, attackers know that this is a common practice on any system with users logging in, so organizations also need to prevent these expected passwords and their various forms.

Organizations should also deploy fuzzy password matching against the entries in their password blacklist. Fuzzy matching is important because if your password was recently exposed online from another site, an attacker will try patterns of that password, and they will be highly successful because most people use patterns when selecting their passwords. Fuzzy password matching checks for multiple variants of the password, including differences in letter case as well as common substitutions such as leetspeak and password reversing.

For example: If your exposed password is “HolidayVacation1”, attackers will usually try variations such as:

  • “HolidayVacationi”: leetspeak (substituting numbers for letters, as in leet = 1337)
  • “1noitacaVyadiloH”: the reversed password
  • “holidayvacation1”: a change in letter case only

Another common employee password behavior that attackers exploit is using one root password and then cycling through various iterations of it. This practice makes it easier for the employee to remember their password, but unfortunately, it also makes it easy for bad actors to figure out. With this in mind, it is important for organizations to implement password similarity blocking. With password similarity blocking, new passwords are screened for similarity to a former password using the Damerau-Levenshtein distance.

For example: If your compromised password is “HolidayVacation2018” attackers usually try iterations like:

  • “HolidayVacation2019” one-character change
  • “HolidayVacation2020” two-character change
  • “HolidayVacation18” two-digit change

In Enzoic for Active Directory, the system administrator can determine the amount of difference (called distance) that will be required between the old password and the new password. With this password policy, the minimum number of differences would be 1 and the maximum number of differences for this rule would be 8. Companies and organizations have varying opinions on how many characters should be different, including transpositions, between old and new passwords. This configuration allows them to adjust it to the right level for their business.
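As an added example (not the product’s code; the page describes the setting but not how it is computed), here is an optimal-string-alignment implementation of the Damerau-Levenshtein distance, where insertions, deletions, substitutions and adjacent transpositions each cost 1, together with a similarity check that enforces an administrator-chosen required distance within the 1 to 8 range described above. The function names and the case-folding option are assumptions made for illustration; case folding treats a capitalization-only change as no change at all, which is the stricter reading of the “expected passwords” discussion above.

```python
def damerau_levenshtein(a, b):
    """Optimal string alignment distance between a and b: the minimum number of
    single-character insertions, deletions, substitutions and adjacent
    transpositions needed to turn a into b."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i  # deleting i characters
    for j in range(lb + 1):
        d[0][j] = j  # inserting j characters
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution (or match)
            )
            # adjacent transposition, e.g. "Passwrod" vs "Password"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


# Range the page gives for the configurable required distance.
MIN_DISTANCE, MAX_DISTANCE = 1, 8


def is_too_similar(old_pw, new_pw, required_distance, case_insensitive=True):
    """True if new_pw differs from old_pw by fewer than `required_distance` edits,
    i.e. the change request should be rejected under the similarity rule."""
    if not MIN_DISTANCE <= required_distance <= MAX_DISTANCE:
        raise ValueError("required distance must be between %d and %d" % (MIN_DISTANCE, MAX_DISTANCE))
    if case_insensitive:
        # assumption: capitalization-only changes count as no change
        old_pw, new_pw = old_pw.casefold(), new_pw.casefold()
    return damerau_levenshtein(old_pw, new_pw) < required_distance


if __name__ == "__main__":
    old = "HolidayVacation2018"
    for new in ["HolidayVacation2019", "HolidayVacation2020", "HolidayVacation18", "holidayvacation2018"]:
        print(new, "distance", damerau_levenshtein(old, new),
              "rejected at 3" if is_too_similar(old, new, 3) else "accepted at 3")
```

The three iterations listed above come out at distances 1, 2 and 2, so a required distance of 3 rejects all of them while a required distance of 1 accepts every one. Note that this check needs the previous password (or the ability to compare the new one against it at change time); it cannot be run retrospectively from a one-way hash.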

Figure: Enzoic for Active Directory: Block Expected or Similar Passwords

Why Would Organizations Screen for Context-Specific Passwords?

Savvy cybercriminals will also attempt to use context-specific passwords to gain access to Active Directory accounts. They know that companies that have headquarters in Boston will be more likely to have employee passwords that include “GoPatriots” due to the New England Patriots. They know that since many organizations enforce quarterly forced password resets, many employees will include seasons in their password like “Winter2019” and they know that many people include their company or product name in their password as well. Attackers exploit context-specific passwords because they are commonly used by employees. To combat this, companies need the ability to create a filter for a custom password dictionary.

With Enzoic for Active Directory, organizations can add up to 5,000 custom passwords stored locally that will be screened and blocked at creation. These words can be a local sports team, years, product names, company names, office locations, etc. Custom passwords are partially matched and case insensitive so any password that includes that word would be blocked. These can also be optionally fuzzy matched if you have fuzzy matching turned on.

For example: If your custom password dictionary includes the word “GeneralElectric”, users would not be allowed to use that word in any password, so a password like “ILovegeneralElectric” will be blocked.
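As an added example serving both the fuzzy matching section above (leetspeak, reversal and letter-case variants of a blacklisted password) and the custom dictionary described here (partial, case-insensitive matching that can optionally be fuzzy as well), the following Python normalizes both the submitted password and the list entries the same way and then compares them. This is not Enzoic’s code; the leetspeak table, the sample blacklist, the sample dictionary entries and the function names are all constructed assumptions, and the “1” to “i” mapping follows the page’s own “HolidayVacationi” example.

```python
# Constructed leetspeak table: digits/symbols and the letter each commonly stands in for.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def de_leet(s):
    """Undo common leetspeak substitutions character by character."""
    return "".join(LEET_MAP.get(ch, ch) for ch in s)


def normalize(s):
    """Canonical form used on both sides of a fuzzy comparison: case-folded, then de-leeted.
    The mapping is deliberately lossy so that 'P@ssw0rd' and 'password' collide."""
    return de_leet(s.casefold())


def variants(pw):
    """Forms of the submitted password that fuzzy matching compares: the normalized
    password and its reversal (de-leeting commutes with reversal, so two forms suffice)."""
    n = normalize(pw)
    return {n, n[::-1]}


# Constructed sample blacklist (stands in for breach-corpus entries), stored normalized.
BLACKLIST = {normalize(e) for e in ["HolidayVacation1", "P@ssw0rd", "letmein"]}


def fuzzy_blacklisted(pw):
    """True if any fuzzy variant of pw equals a blacklist entry."""
    return any(v in BLACKLIST for v in variants(pw))


# Constructed local custom dictionary, as an admin might enter it.
CUSTOM_DICTIONARY = ["GeneralElectric", "GoPatriots", "Winter2019"]


def custom_dictionary_hit(pw, fuzzy=False):
    """Return the custom-dictionary entry that appears inside pw (case-insensitive
    substring match; with fuzzy=True also leetspeak-decoded and reversed), else None."""
    forms = variants(pw) if fuzzy else {pw.casefold()}
    for entry in CUSTOM_DICTIONARY:
        needle = normalize(entry) if fuzzy else entry.casefold()
        if any(needle in f for f in forms):
            return entry
    return None


if __name__ == "__main__":
    for candidate in ["HolidayVacationi", "1noitacaVyadiloH", "holidayvacation1", "HolidayVacation2"]:
        print(candidate, "blacklisted:", fuzzy_blacklisted(candidate))
    for candidate in ["ILovegeneralElectric", "G3n3ralElectric2020"]:
        print(candidate, "plain:", custom_dictionary_hit(candidate), "fuzzy:", custom_dictionary_hit(candidate, fuzzy=True))
```

Normalizing the list entries at load time rather than expanding every submitted password into all possible leet spellings keeps the check to a handful of set lookups per password, which is what makes a per-password-change filter practical; the cost is that the lossy mapping can produce the occasional extra rejection (for example “hello1” and “helloi” become the same string), which is the intended trade-off for a blacklist.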

Figure: Enzoic for Active Directory: Custom Password Dictionary. Block certain words like your company name, the year, local sports teams, etc.

Why Use Enzoic for Active Directory?

How Does Automating Password Policies Help the IT Team?

The goal of automation is to allow IT to set up the password policies and then just let them run. When an existing password becomes vulnerable, the remediation steps are automated instead of needing manual intervention by an Admin or Helpdesk.

Some organizations use password policy enforcement tools that handle one or some of these password policies, but the most recent version of Enzoic for Active Directory can meet all the NIST criteria. There is no additional manual work required. Enzoic for Active Directory serves as a comprehensive, automated password blacklist that filters for weak, commonly-used, expected, and compromised passwords.

Additionally, because organizations have unique needs, automated responses can be customized when compromised or weak passwords are found. The organization can select the appropriate automated action—ranging from prompting the user to change their password to disabling the account. These remediation steps can be set to kick in immediately or after a predetermined delay. Alerts can also be sent to the user directly and/or to an admin or helpdesk so the right individuals are kept informed.

Figure: Enzoic for Active Directory: Automate Password Security.

What Type of Visibility into Password Screening is Available?

Enzoic for Active Directory has also incorporated additional insights into the product. It has enhanced usage tracking so Active Directory administrators can see the total number of detections, including the number of detections due to fuzzy matching, local dictionary or password similarity matching. With log files now stored in a JSON format, outside consumption by SIEM and log management tools can help streamline reporting.

Figure: Enzoic for Active Directory: Visibility into Password Screening

What Installation is Required?

Enzoic for Active Directory runs on each domain controller so it can check every password wherever it is being created; however, it only needs to be configured once. All of its configuration settings are stored in Active Directory itself and automatically shared across the other domain controllers. With the installation wizard, it is easy to install so you can get it up and running fast. Some customers have fully implemented it in 3 minutes, but of course, that depends on the complexity of your environment.

Automate Password Policy and Adopt NIST Password Standards

Enzoic for Active Directory enables quick-to-deploy automated password policy enforcement and daily exposed password screening. With fully automated weak password filtering, fuzzy password matching, password similarity blocking, and custom password dictionary filtering, enterprises can easily adopt NIST password requirements and secure passwords in Active Directory.

Contact info@enzoic.com to learn more about the benefits of Enzoic for Active Directory for automating password policy.

TLDR: Latest Version of Enzoic for Active Directory:

  • Daily Screening: Continuous exposed password filtering
  • New Exposures: Detects if a safe password becomes exposed
  • Automated: No extra manual work
  • Insight: Dashboard and SIEM logging
  • Quick: Checks in milliseconds
  • Quiet: Does not impact all employees, just employees with bad passwords
  • Easy to install: Takes a short amount of time to install
  • NIST 800-63b Compliant: Automation for NIST password standards
Tags: Active Directory passwords, NIST 800-63b, Password Policy

What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater. Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.
