Employees will reuse passwords for work systems for their personal online accounts. Here's how to set up multifactor authentication in a Windows environment to reduce the risk of password compromise.

Hardly a day goes by without some website reporting a credential-stuffing attack, in which harvested usernames and passwords are used to gain access to sensitive information. Lately it was tax software site TurboTax, where attackers accessed users' tax information. This underscores the risk of password reuse.

Organizations need a strong password policy to encourage good password practices among employees. Therein lies the rub: set up too complex a password policy and you increase user frustration. Also, if a user reuses a complex password they set up inside your firm for a personal website or account and that database is breached, the password you made sure was strong is now more likely to be harvested and used in a credential-stuffing attack.

How to see if employees are reusing passwords

Sites such as Have I Been Pwned (HIBP) allow you to check whether any of your personal username and password combinations have appeared in a breached database. You can even set up a monitoring service to see if any of your firm's accounts have been breached. The site also provides an API and other services that you can use in a web service to check the security of passwords that your customers use to sign up.

If you've ever signed up for GitHub, you've seen this password-checking feature in action. As noted in the GitHub blog, checking for reused passwords is a good reminder that once one database is breached, attackers can reuse those credentials elsewhere. Vendors have used the same platform to provide checking features in various web applications and mobile apps.

How to set up two-factor authentication (2FA) in Windows

Setting up 2FA in your organization can also reduce risk from password exposure.
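Before moving on to 2FA, here is how the Have I Been Pwned password check described above can be built into a signup flow, as an added example that is not from the article or from HIBP itself: the client sends only the first five hex characters of the password's SHA-1 hash to the real `range` endpoint and matches the remaining 35 locally, so the password never leaves your service. The sample response and its counts are constructed for offline testing.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6 (the
# first five hex characters of SHA-1("password")). The real API answers with one
# "<35-hex-char suffix>:<count>" line per hash in the range; the counts below are
# made up for offline testing, not real HIBP numbers.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2\r\n"
)

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return the 5-char prefix sent to HIBP and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into a suffix -> count map."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Query the live API for one prefix; only 5 hex characters leave the client."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "signup-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in HIBP; 0 means not found."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline run against the constructed sample; drop the fetch= argument to
    # query the real API. A nonzero count should reject the password at signup.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    print(breach_count("password", fetch=offline))  # 3861493 (constructed count)
```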
There are many ways to do this in Windows. One way to add 2FA to on-premises deployments is through Remote Desktop Services (RDS) and Azure Active Directory. The two-factor method has to be application based or use a voice callback to better protect the RDS implementation. You'll need the following in place before starting the implementation:

- RDS infrastructure
- Azure MFA license
- Windows Server
- Network Policy and Access Services (NPS) role
- Azure Active Directory synched with on-premises Active Directory
- Azure Active Directory GUID ID

You can also add third-party solutions to Active Directory that provide multi-factor authentication (MFA). ESET, for example, provides a solution that integrates with Active Directory implementations.

Those with Microsoft Office 365 can use the Microsoft Authenticator app (available for both iPhone and Android), which requires additional authentication when a user signs in from a new location. To set up the requirement in Office 365, log into the admin account and enable 2FA for your users. Go to "Users", then "Active users" and click on the three dots "…". Then select "Setup multifactor authentication".

Once you've enabled MFA on your Office 365 tenant, you can send your users to Microsoft's MFASetup page to complete the process. Now your Office 365 users will be better protected from phishing attacks.

Once you have enabled 2FA on a Microsoft account, you may find that you need an "application password" to authenticate with older software such as Outlook or Hotmail. You might also need to visit the security basics page to enable and set up an application password. This enables older applications to authenticate properly.

Often there is just one password between you and the attacker. Review your options to put more protection between your assets and the attackers.
If just one privileged account is accessed, attackers can move laterally inside Active Directory. I often see targeted emails trying to get credentials for online and hosted platforms. Review your current password policies to ensure they provide users with recommendations about setting passwords for external sites. Consider setting up MFA for your own domain and internal resources, and especially on highly sensitive accounts or accounts that might be targeted for phishing. If you can't enable MFA for all accounts, review those accounts most at risk and put extra protection on them. Urge users in your best-practice literature to use MFA when it's offered and when practical.