SpyCloud announced it has added a new password filter feature to SpyCloud Active Directory Guardian.
With dozens or hundreds of online logins to manage, people often take shortcuts to keep track of their passwords. They use memorable words or names, easy-to-type strings such as “12345678”, or even passwords they’ve used before.
Because these habits are so commonly followed, they also are easy for bad actors to figure out. As a result, for the last four years, weak and stolen passwords were consistently the top hacking technique identified in the Verizon Data Breach Investigations Report.
SpyCloud Active Directory Guardian now automatically prevents employees from setting risky passwords using a password filter.
When an employee sets a new Active Directory password, the password filter automatically screens the choice for repeated or sequential characters, up to 30,000 entries in a custom dictionary, and billions of exposed passwords found in SpyCloud’s industry-leading database of recovered breach data.
“Despite repeated warnings, people still try to use common and weak passwords,” said Chris Hajdu, Product Manager at SpyCloud.
“It’s a very human thing to do simply because we all have so many accounts and passwords to keep track of, but businesses can’t afford to let these habits put their networks at risk.”
Using Active Directory Guardian’s existing capabilities and the new password filter together, enterprises can enforce stronger passwords and reduce their risk of a data breach caused by weak or stolen credentials.
The password filter ensures that employee accounts are protected with secure credentials from the moment a new password is created. As new breaches occur over time and compromise more credentials, Active Directory Guardian can make sure employee logins remain secure by detecting and resetting exposed passwords automatically.
Because the password filter runs on the domain controller, the password filter is designed to “fail open” to minimize any potential impact on business operations.
In other words, if the password filter fails for any reason, it will allow users to create unchecked passwords rather than locking them out.
Running scheduled or manual scans with Active Directory Guardian provides backup for skipped passwords that might otherwise slip through the cracks.
The password filter also reduces the time and resources required to align with NIST password guidelines, particularly the challenging guidance to check for and reset “commonly-used, expected, or compromised” passwords.
While some NIST password guidelines can be satisfied using the built-in settings within directory services, identifying new data breaches and checking them against user passwords can be a labor-intensive process.
Using the password filter, enterprises can block passwords NIST considers weak or compromised, drawing on SpyCloud’s ever-growing database of exposed passwords.