How to protect against poor Windows password practices

Employees will reuse passwords for work systems for their personal online accounts. Here's how to set up multifactor authentication in a Windows environment to reduce the risk of password compromise.

Hardly a day goes by without some website reporting a credential-stuffing attack, in which usernames and passwords harvested from one breach are replayed against other services to gain access to sensitive information. Most recently it was the tax software site TurboTax, where attackers used such credentials to access users’ tax information.

This underscores the risk of password reuse. Organizations need a strong password policy to encourage good password practices among employees. Therein lies the rub: set up a password policy that is too complex and you increase user frustration. Worse, if a user reuses the complex password they set up inside your firm for a personal website or account, and that site's database is breached, the password you made sure was strong is now exposed and more likely to be harvested and replayed in a credential-stuffing attack against your own systems.

How to see if employees are reusing passwords

[Screenshot: a Have I Been Pwned? lookup result, captioned "Oh yes, I have!"]

Sites such as Have I Been Pwned (HIBP) let you check whether any of your personal username and password combinations have appeared in a breached database. You can also set up a monitoring service to be notified if any of your firm’s accounts turn up in a breach. The site also provides an API and other services that you can call from a web service to check whether a password a customer chooses at sign-up has already been exposed.
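The following is an added example (not code from the article or from HIBP) of how a sign-up form can use the Pwned Passwords range endpoint mentioned above without ever sending the password itself. The client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and compares the returned suffixes locally; this is the k-anonymity model the service uses. The sample range response below is constructed for the demonstration, so the counts in it are not real HIBP figures; `fetch_range` performs the live call and is only used when you pass no `range_body`.

```python
import hashlib
from typing import Dict, Optional
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range lookup for prefix "5BAA6" could return.
# Each line is "<35 hex chars of hash suffix>:<times seen in breaches>".
# The suffix for SHA-1("password") is included on purpose; the other two
# suffixes and all counts are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1EBB95A1C9B17DA0BEFAE3E9F3B8F5B9A2D:1
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the Pwned Passwords API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_upper: str):
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    return sha1_upper[:5], sha1_upper[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live call to the range endpoint (network). Not used by the offline test."""
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "signup-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: Optional[str] = None) -> int:
    """How many times the password appears in breach corpora (0 = not found).

    Only the hash prefix ever leaves the machine; the full password and full
    hash are never transmitted.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    body = range_body if range_body is not None else fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def password_acceptable(password: str, range_body: Optional[str] = None) -> bool:
    """Sign-up policy: reject any password that has ever appeared in a breach."""
    return breach_count(password, range_body) == 0


if __name__ == "__main__":
    # Offline demonstration against the constructed range data.
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, CONSTRUCTED_RANGE_5BAA6))
```

In production, treat a non-zero count as "reject and ask the user to choose another password", and fail closed or open according to your own risk appetite if the API is unreachable; the check complements, rather than replaces, MFA and a sensible length-based policy.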
