Hardly a day goes by without some website reporting a credential-stuffing attack, in which usernames and passwords harvested from one breach are replayed against other services to gain access to sensitive information. Lately it was tax software site TurboTax, where attackers accessed users' tax information. This underscores the risk of password reuse.

Organizations need a strong password policy to encourage good password practices among employees. Therein lies the rub: set up a policy that is too complex and you increase user frustration. And if a user reuses the complex password you required inside your firm on a personal website or account, and that site's database is breached, the password you made sure was strong is now in the attackers' hands and likely to be replayed in a credential-stuffing attack against your own systems.

How to see if employees are reusing passwords

Have I Been Pwned? Oh yes, I have!

Sites such as Have I Been Pwned (HIBP) let you check whether an email address or username appears in a known breach and, separately, whether a given password appears in its Pwned Passwords corpus of breached passwords. You can also set up domain-wide notifications so you are alerted when accounts on your firm's domain turn up in a new breach. The site provides an API that you can call from your own web service to reject passwords your customers choose at sign-up if those passwords are already known to be breached. The Pwned Passwords API works on a k-anonymity model: the client sends only the first five characters of the password's SHA-1 hash and matches the returned candidates locally, so the password itself never leaves your system.

If you've ever signed up for GitHub, you've seen this password check in action. As noted in the GitHub blog, checking for breached passwords is a good reminder that once one database is breached, attackers can reuse those credentials elsewhere. Other vendors have used the same service to add similar checks to web applications and mobile apps.

How to set up two-factor authentication (2FA) in Windows

Setting up 2FA in your organization also reduces the risk from password exposure, because a stolen or reused password alone no longer grants access. There are many ways to do this in Windows. One way to add 2FA to on-premises deployments is through Remote Desktop Services (RDS) and Azure Active Directory.
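Before turning to the 2FA options, here is the Pwned Passwords range check from the previous section in code. This is an added example, not code from the original article or from Have I Been Pwned. The endpoint URL is the public one documented by HIBP; the sample range response is constructed for this example (the suffix and count for the password "password" are illustrative, the other suffixes are made up), and the "User-Agent" string is an arbitrary placeholder. The matching logic is the same whether the response comes from the constructed cache or from the live API.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Only the first five hex characters of the SHA-1 hash are sent to the service;
the service replies with every hash suffix in that bucket plus a breach count,
and the match is done locally, so the full hash and the password stay on the host.
Added example; not the article's or HIBP's own code.
"""
import hashlib
from typing import Dict, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented public endpoint


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, as returned by the range endpoint, into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_bodies: Dict[str, str]) -> int:
    """How many times the password appears in the corpus, given cached range bodies
    keyed by hash prefix. Returns 0 when the prefix bucket or the suffix is absent."""
    prefix, suffix = split_sha1(password)
    body = range_bodies.get(prefix, "")
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash-prefix bucket (network call; not used by the offline demo)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count_live(password: str) -> int:
    """Same check against the real service: send only the prefix, match the suffix locally."""
    prefix, _ = split_sha1(password)
    return breach_count(password, {prefix: fetch_range(prefix)})


# Constructed sample bucket for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6).
# The suffix 1E4C9B93F3F0682250B6CF8331B7EE68FD8 is the real remainder of that hash;
# the other suffixes and all counts are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E2AAA439972480CEC7F16C795BBB429372:1\n"
    )
}


def reject_if_breached(password: str, range_bodies: Dict[str, str]) -> bool:
    """Sign-up policy hook: True means reject the password because it is in the corpus."""
    return breach_count(password, range_bodies) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2019"):
        n = breach_count(candidate, SAMPLE_RANGES)
        verdict = "REJECT" if reject_if_breached(candidate, SAMPLE_RANGES) else "ok"
        print(f"{candidate!r}: seen {n} times -> {verdict}")
```

In a real sign-up flow you would call breach_count_live from the server side and treat a non-zero count as a policy failure, while still allowing the user to proceed if the service is unreachable, so an HIBP outage does not become a denial of service for your registration page.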
With the RDS route, the second factor has to be an app-based method or a voice callback: the RD Gateway cannot prompt the user for a code, so SMS or one-time passcodes are not an option. You'll need the following in place before starting the implementation:

- RDS infrastructure
- Azure MFA license
- Windows Server
- Network Policy and Access Services (NPS) role
- Azure Active Directory synchronized with on-premises Active Directory
- Azure Active Directory tenant ID (a GUID)

You can also add third-party solutions to Active Directory that provide multi-factor authentication (MFA). ESET, for example, offers a product that integrates with Active Directory implementations.

Those with Microsoft Office 365 can use the Microsoft Authenticator app (available for both iPhone and Android), which prompts for additional verification when a user signs in from a new location. To set up the requirement in Office 365, sign in to the admin center with an admin account and enable MFA for your users: go to "Users", then "Active users", click the three dots "..." and select "Setup multifactor authentication".

Setting up MFA (screenshot: Microsoft)

Once you've enabled MFA on your Office 365 tenant, you can send your users to Microsoft's MFA Setup page to register their second factor. Your Office 365 users will then be better protected from phishing, since a captured password alone is no longer enough to sign in. Keep in mind that push- and code-based MFA raises the bar rather than removing the risk: a real-time phishing proxy can still relay the prompt, so user awareness still matters.

Once you have enabled 2FA on a Microsoft account, you may find that older software such as Outlook or Hotmail clients that do not support modern authentication needs an "app password" to authenticate. You can enable and create one on the account's Security basics page. Note that an app password lets that application bypass the second factor, so issue them sparingly and prefer clients that support modern authentication.

Often there is just one password between you and the attacker. Review your options to put more protection between your assets and the attackers. If just one privileged account is compromised, attackers can move laterally inside Active Directory.

I often see targeted emails trying to get credentials for online and hosted platforms.
Review your current password policies to ensure they give users guidance on setting passwords for external sites, in particular never reusing a work password elsewhere. Consider setting up MFA for your own domain and internal resources, especially on highly sensitive accounts or accounts likely to be targeted by phishing. If you can't enable MFA for all accounts, identify those most at risk and put extra protection on them. Urge users in your best-practice literature to use MFA when it's offered and practical.