Employees will reuse passwords for work systems for their personal online accounts. Here's how to set up multifactor authentication in a Windows environment to reduce the risk of password compromise.

Hardly a day goes by without some website reporting a credential-stuffing attack, where harvested usernames and passwords are used to gain access to sensitive information. Lately it was tax software site TurboTax, where attackers accessed users’ tax information. This underscores the risk of password reuse.

Organizations need a strong password policy to encourage good password practices among employees. Therein lies the rub: Set up a password policy that is too complex and you increase user frustration. Also, if a user reuses a complex password they set up inside your firm for a personal website or account and that database is breached, the password you made sure was strong is now more likely to be harvested and used in a credential-stuffing attack.

How to see if employees are reusing passwords

Sites such as Have I Been Pwned (HIBP) allow you to check whether any of your personal username and password combinations have appeared in a breached database. You can even set up a monitoring service to see if any of your firm’s accounts have been breached. The site also provides an API and other services that you can use in a web service to check the security of passwords that any of your customers use to sign up.

If you’ve ever signed up for GitHub, you’ve seen this password checking feature in action. As noted in the GitHub blog, checking for reused passwords is a good reminder that once one database is breached, attackers can reuse those credentials elsewhere. Vendors have used the same platform to provide checking features in various web applications and mobile apps.

How to set up two-factor authentication (2FA) in Windows

Setting up 2FA in your organization can also reduce risk from password exposure.
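Returning to the HIBP password check described above: the Pwned Passwords range API lets a sign-up or password-reset form reject passwords already seen in breaches without ever sending the password or its full hash off the machine. The client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that range with its breach count, and compares locally. The following is an added example written for this article, not code from HIBP or from the author; the endpoint URL is HIBP's real range endpoint, while the sample range response and its counts are constructed here so the check runs offline.

```python
"""Check a password against the HIBP Pwned Passwords range API using k-anonymity."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP range endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return the 5-hex-char prefix that is sent to HIBP and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # skip a malformed line instead of failing the whole check
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range for a prefix (needs network access; not used by the offline sample)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "example-password-check"},  # HIBP asks clients to identify themselves
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how often the password appears in the HIBP corpus (0 means not found).

    Only the 5-character hash prefix leaves the machine; the password and its
    full hash are compared locally against the returned suffixes.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the SHA-1 of "password" starts with it).
# The middle suffix is the genuine remainder of that hash; all counts are made up here.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1D2F6A0B7C9E8F0A1B2C3D4E5F6A7B8C9D0:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "1F0E0D0C0B0A09080706050403020100FFF:15",
])


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live that serves the constructed response."""
    return SAMPLE_RANGE_RESPONSE


def password_policy_ok(password: str, fetch_range: Callable[[str], str] = fetch_range_sample) -> bool:
    """Reject any password seen in a breach at all, as a sign-up or reset gate would."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range_sample))
```

To use it against the live service, pass `fetch_range_live` (or leave the default on `breach_count`) instead of `fetch_range_sample`. Rejecting on any non-zero count is the strict choice; some deployments instead warn the user and require a second factor when the count is low.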
There are many ways to do this in Windows. One way to add 2FA to on-premises deployments is through Remote Desktop Services (RDS) and Azure Active Directory. The two-factor method has to be application based or use a voice callback to better protect the RDS implementation. You’ll need the following in place before starting the implementation:

- RDS infrastructure
- Azure MFA license
- Windows Server
- Network Policy and Access Services (NPS) role
- Azure Active Directory synced with on-premises Active Directory
- Azure Active Directory GUID ID

You can also add third-party solutions to Active Directory that provide multi-factor authentication (MFA). ESET, for example, provides a solution that integrates with Active Directory implementations.

Those with Microsoft Office 365 can use the Microsoft Authenticator app (available for both iPhone and Android), which requires additional authentication when a user signs in from a new location. To set up the requirement in Office 365, log into the admin account and enable 2FA for your users. Go to “Users”, then “Active users” and click on the three dots “…”. Then select “Setup multifactor authentication”.

Once you’ve enabled MFA on your Office 365 setup, you can send your users to Microsoft’s MFASetup page to complete the process. Now your Office 365 users will be better protected from phishing attacks.

Once you have enabled 2FA on a Microsoft account, you may find that you need an “application” password to authenticate with older software such as Outlook or Hotmail. You might also need to visit the security basics page to enable and set up an application password. This enables older applications to authenticate properly.

Often there is just one password between you and the attacker. Review your options to put more protection between your assets and the attackers.
If just one privileged account is accessed, attackers can move laterally inside Active Directory. I often see targeted emails trying to get credentials for online and hosted platforms. Review your current password policies to ensure they provide users with recommendations about setting passwords for external sites. Consider setting up MFA for your own domain and internal resources, and especially on highly sensitive accounts or accounts that might be targeted for phishing. If you can’t enable MFA for all accounts, review those accounts most at risk and put extra protection on them. Urge users in your best practice literature to use MFA when it’s offered and when practical.