5 ways to check if any of your employees’ passwords have been leaked or reused
As a security professional, you are always thinking about what can go wrong if an attacker gets access to company data. Passwords may be legacy technology - and we’re certainly not fans of them - but they’re still ubiquitous. If you really have to use passwords, then here are some tips to lessen the considerable security risks that they pose.
Passwords as a security measure have been around a long time, yet we all know that passwords are not secure. The 2018 Verizon Data Breach Incident Report notes that compromised passwords are responsible for 81% of hacking-related breaches. Data from Akamai reports that businesses are losing $4m on average each year due to credential stuffing attacks, which are executed by using leaked and exposed passwords and credentials.
But you can’t really blame your employees’ poor use of passwords - people are called on to remember passwords for literally dozens of different accounts. According to a 2019 survey by Google, at least 65% of people admit to using the same password for multiple, if not all, accounts.
Advanced organizations are implementing passwordless solutions, but not everyone has made the transition yet. So the reality for many organizations today is that passwords are still part of the authentication puzzle. If that is the case, you definitely can’t completely prevent password leakage, but you can at least try and stay on top of it so you can take appropriate remedies using the methods below.
1) Google Password Checkup
If your organization uses Google to manage company emails, then you have access to Google’s password manager, which includes their Password Checkup. This tool, which was originally launched as an extension to Chrome at the beginning of 2019 and has since been added into users’ Google account controls, will check user credentials against a database of known breaches as well as some areas on the dark web actively monitored by Google. All activity is done on the local device, so that the results of these checks cannot be seen or stored elsewhere. Users get an alert if or when they sign in with unsafe credentials. However, this is not an administrative-level tool, meaning you will have to ask employees to stay on top of this themselves, for their own corporate Google accounts.
2) Database Review
Another option is to check your employees’ email addresses against a known database of breaches. The most famous publicly available database is Have I Been Pwned. Smaller organizations can enter email addresses manually. Larger companies will want to leverage its API (a paid feature) to check in bulk. Any organization can make use of its domain search or notification features for free.
3) Password Leak Monitoring Tools
There are a number of paid, free or freemium tools available to help companies check whether associated email addresses have appeared in any known leaks. Many of these tools, such as LastPass, incorporate these features as complements to password management services. The LastPass tool, for example, will check a list of email addresses against a database for leaks. It will also show you a list of which websites have had data breaches since your last password change. (The software refers to this list as “Compromised” – implying that your credentials may have been part of any such leak, though this is not necessarily correct.)
4) Security Consultants and External Vendors
Sometimes it’s a matter of bandwidth, and if your team doesn’t have the time or resources to review email addresses against databases or employ other tools, then outsourcing this crucial review might be useful. Some vendors will help you by automating the database review process mentioned above. Others will integrate tools that proactively block passwords known to be exposed in previous breaches (without infringing upon the security of the individual in question).
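Added example, not from the original article or any vendor: one way a tool can block breached passwords without the password itself leaving the machine is the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service, where only the first five characters of the password's SHA-1 hash are sent and the match is made locally. The function names, the corpus and its counts are constructed for illustration, and `offline_fetch_range` stands in for the HTTPS request to `https://api.pwnedpasswords.com/range/<prefix>` so the block runs offline.

```python
import hashlib

# Constructed sample data: passwords and exposure counts, not real breach figures.
CONSTRUCTED_CORPUS = {"password": 9001, "Summer2019!": 42}
SENT_TO_SERVICE = []  # records everything that would leave the machine


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (assumption:
    the real call would be an HTTPS request returning the same line format)."""
    SENT_TO_SERVICE.append(prefix)
    lines = []
    for leaked, count in CONSTRUCTED_CORPUS.items():
        leaked_prefix, leaked_suffix = split_hash(leaked)
        if leaked_prefix == prefix:
            lines.append(f"{leaked_suffix}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, skipping anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=offline_fetch_range):
    """How many times the password appears in the corpus; 0 if never seen."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def should_block(password, fetch_range=offline_fetch_range, max_seen=0):
    """Policy check for a password-change form: reject anything seen in a breach."""
    return breach_count(password, fetch_range) > max_seen


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "t7#Lq-unseen-passphrase-42"):
        print(candidate, "->", "BLOCK" if should_block(candidate) else "ok")
    print("sent to service:", SENT_TO_SERVICE)
```

The service only ever sees a five-character hash prefix shared by many unrelated passwords, so it cannot tell which password was checked or whether it matched.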
5) Ask Your Employees Directly
By far the best way to prevent password reuse, and minimize breaches, is to go passwordless. If that’s not an immediate option, then the next best thing is to have a conversation with the people responsible for their own passwords. Impress upon them the need for impeccable password hygiene – 45% of employees don’t even consider password reuse to be a serious issue. Encourage your teams to try sites like Have I Been Pwned with their own email addresses and passwords (both professional and personal) to see just how serious the issue is. Getting your employees to buy into the concept of password hygiene is essential for network security when shareable credentials are involved.
What can you do about insecure passwords?
At the end of the day, passwords are ALWAYS going to pose a security risk. The more employees (and therefore more passwords) your organization has, the greater the risk posed by insecure or leaked passwords. Thankfully, there are better options. As legacy technology, passwords won’t be around for too much longer, but in the meantime, companies must stay diligent about keeping their data safe.
If you would like to see how your organization can enhance security, while doing away with the need for passwords (and the stress of worrying about password hygiene!), then let us show you what we can do!