As OneNeck security expert, Kevin Holestine, recently put it, “If someone wanted to buy your compromised customer or employee data, then the dark web is where they’d go. Which is what makes dark web scans a good practice for identifying if your data or accounts have been breached, for whatever reason, without your security tools alerting you.”
Compromised credentials are a hot-ticket item on the dark web, and in malicious hands, can bring devastating consequences to an organization. By adding a dark web scan to the detection toolkit, as well as stringent password policies, it’s possible to stop attacks before they happen.
As a secure managed services provider, we know that security best practices are key to ensure we don’t miss anything, one being the password guidance on digital identity set out by the National Institute of Standards and Technology (NIST). NIST is a non-regulatory federal agency that operates under the Department of Commerce, and they develop information security standards and guidelines that establish the minimum requirements for federal systems – a great set of guidelines for non-government organizations as well. And in an effort to continuously evolve as security strategies evolve, the NIST password guidelines were recently updated to be more user friendly, and by user friendly we mean less complex, easier to remember, but harder to guess.
So, what are the new NIST guidelines for passwords?
- Passwords must contain a minimum of 8 and allow at least 64 characters in length to support the use of passphrases.
- Do not impose other composition rules such as requiring special characters, upper- and lower-case characters, and at least one number, but allow their use.
- When establishing or changing passwords, compare prospective passwords against a list of banned passwords that includes:
- Passwords with sequential and repetitive characters (e.g. 12345 or aaaaaa).
- Context-specific passwords (e.g. the name of the site, etc.).
- Commonly used passwords (e.g. p@ssw0rd, etc.) and dictionary words.
- Passwords obtained from previous breach corpuses.
- No longer require periodic password changes, but force a password change if there is evidence of a compromise.
When it comes to credentials on the dark web, Kevin specifically refers to the last NIST guideline above – force a password change if there is evidence of a compromise.
“Credentials from previous breach corpuses are obtained from the dark web and end up on banned password lists, which ostensibly triggers a password change request as per the NIST guidance. But the window of time that exists between a breach and the emergence of stolen credentials is not insignificant, nor are security tools in place to protect from and detect breaches guaranteed to be 100% effective 100% of the time. This is why dark web monitoring can be a very useful tool for security teams in that it serves as a form of out-of-band breach detection by alerting you when conventional tools may have failed or when a breach occurs via a vector out of your control, such as the compromise of an employee’s personal credentials that lead to the compromise or their corporate credentials.”
In addition to following best practices for password security, a great place to start to ensure your credentials are safe is with a dark web scan. If you’re interested in a dark web scan, we are here to help. Find out if your information is out there before it ends up in the wrong hands.