Many companies are focusing on improving their security as the pandemic continues and people keep working remotely. But one of the most critical areas of security is often overlooked: passwords.
Weak, reused and pwned (previously breached) passwords have long been a security nightmare for everyone. In this article we will look at what they are and how we can improve our passwords and our password security.
One way cybercriminals compromise environments is by making use of breached password data, which lets them launch password spraying attacks against the environment.
Password spraying involves trying only a few passwords against a large number of user accounts, so that each account sees one or two failed attempts and stays below the lockout threshold, rather than many guesses against a single account. In a password spraying attack, cybercriminals will often draw those few candidates from databases of breached passwords, i.e., pwned passwords, because a password that has leaked once is the kind of password users are most likely to have chosen again in your environment.
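The pattern described above has a recognisable shape in authentication logs: one source failing against many distinct accounts a couple of times each, as opposed to brute force, where one account takes many failures. The following is an added example (not code from the original article or from any product it mentions) that flags that shape in a small, constructed log; the log format, field names and IP addresses are assumptions made for the example.

```python
"""Added example: detect password-spraying patterns in authentication logs.

Spraying looks different from brute force: many *distinct* accounts each
see only one or two failures from the same source within a short window.
The log format below is constructed for this example, not taken from any
real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 sprays one guess across many users
# and eventually gets in; 198.51.100.9 hammers a single account (brute
# force, not spraying); 192.0.2.77 is an ordinary single failure.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2024-03-01T10:00:07Z src=198.51.100.9 user=grace result=FAIL
2024-03-01T10:00:08Z src=198.51.100.9 user=grace result=FAIL
2024-03-01T10:00:09Z src=198.51.100.9 user=grace result=FAIL
2024-03-01T10:00:10Z src=198.51.100.9 user=grace result=FAIL
2024-03-01T10:00:11Z src=198.51.100.9 user=grace result=FAIL
2024-03-01T10:00:12Z src=198.51.100.9 user=grace result=FAIL
2024-03-01T12:30:00Z src=192.0.2.77 user=heidi result=FAIL
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def detect_spraying(log_text, window=timedelta(minutes=30),
                    min_users=5, max_per_user=2):
    """Return {src: sorted(users)} for every source that failed against at
    least `min_users` distinct accounts inside `window`, with no single
    account failing more than `max_per_user` times (a higher per-account
    count is brute force against one account, a different alert)."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for rec in parse_log(log_text):
        if rec["result"] == "FAIL":
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits


def successful_sprays(log_text, **kwargs):
    """The alert you care about most: a sprayed source that later logged in.
    Returns {src: sorted(users who succeeded)} for flagged sources only."""
    sprayers = detect_spraying(log_text, **kwargs)
    wins = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["src"] in sprayers and rec["result"] == "SUCCESS":
            wins[rec["src"]].add(rec["user"])
    return {src: sorted(users) for src, users in wins.items()}


if __name__ == "__main__":
    print("spraying sources:", detect_spraying(SAMPLE_LOG))
    print("spray followed by success:", successful_sprays(SAMPLE_LOG))
```

The thresholds (five accounts in thirty minutes, at most two failures per account) are starting points, not standards; tune them to your own baseline and remember that attackers who spread the spray across many source addresses will not trip a per-source rule, so the same logic is worth running keyed on the target account set rather than on the source.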
The Have I Been Pwned (HIBP) website, operated by security expert Troy Hunt, is a valuable resource for the security community. It offers a number of resources that let organizations gain awareness of, and take action on, various password-related threats.
Using HIBP, organizations can determine whether passwords in use in their environment have previously been exposed in data breaches.
HIBP also exposes an API that lets software applications make real-time calls to check passwords entered into sign-up and password-change forms, among other uses. The Pwned Passwords endpoint is free to use without a key; the breached-account endpoints listed below require an API key. Some of the API calls and the information they return include the following:
Getting all breaches for an account
Getting all breached sites in the system
Getting a single breached site
Getting all data classes
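The password check that applications usually build on is the Pwned Passwords range API, which uses k-anonymity: the client SHA-1 hashes the password, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known hash suffix for that prefix with a breach count, so the service never learns the password or its full hash. The following is an added example (not code from the original article or from HIBP itself) that implements the client side; the response body is constructed so the example runs offline, and its counts are illustrative rather than real HIBP data.

```python
"""Added example: check a password against HIBP Pwned Passwords with the
k-anonymity range API, without ever sending the password or its full hash.

Protocol (the published Pwned Passwords range API):
  1. SHA-1 the password, uppercase hex.
  2. Send only the first 5 hex characters:
       GET https://api.pwnedpasswords.com/range/<prefix>
  3. The response lists every suffix (remaining 35 hex chars) seen in the
     corpus for that prefix, one per line, as SUFFIX:COUNT.
  4. Compare suffixes locally; the service never learns which one was yours.
The response body below is constructed so the example runs offline; the
counts are illustrative, not real HIBP data.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_split(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """The URL a client actually fetches; only the prefix leaves the host."""
    prefix, _ = hash_split(password)
    return HIBP_RANGE_URL + prefix


def fetch_range(prefix: str) -> str:
    """Live fetch of one range (not called in the offline demo below).
    The Add-Padding header asks the API to pad responses with dummy
    zero-count entries so response size does not leak the prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response and return how many times `suffix` appears.
    Lines are SUFFIX:COUNT separated by CRLF. Padding entries carry a
    count of 0 and must be treated as 'not pwned'."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper() and count.isdigit():
            return int(count)
    return 0


def is_pwned(password: str, range_body: str) -> int:
    """Breach count for `password` given the range body for its prefix
    (0 means not found, including padding entries)."""
    _, suffix = hash_split(password)
    return count_in_range(suffix, range_body)


# Constructed response for prefix 5BAA6. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is the second
# line; the other suffixes and all counts are made up for this example.
SAMPLE_RANGE_BODY = (
    "1E2F8B5C0D3A7F9E6B4C2D1A0F9E8D7C6B5:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1FA1D3C4B5A6978899AABBCCDDEEFF00112:0\r\n"  # padding entry
)

if __name__ == "__main__":
    print(range_request_url("password"))
    print("password ->", is_pwned("password", SAMPLE_RANGE_BODY))
    print("correct horse battery staple ->",
          is_pwned("correct horse battery staple", SAMPLE_RANGE_BODY))
```

Two practical points: in a real deployment the range body for a given prefix can be cached, since the prefix reveals nothing useful about the password, and a non-zero count should block or warn on the password even when the count is small, because a single public appearance is enough for it to end up in a spraying list.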
Specops Password Auditor is a free tool from Specops Software that gives IT admins the ability to scan their Active Directory environment for many different types of password risks.
With Password Auditor, we can find:
Blank passwords
Breached passwords
Identical passwords
Expiring passwords
Expired passwords
Password policies
Admin accounts
Password not required
Password never expires
Stale admin accounts
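Several of the findings in the list above correspond directly to attributes an admin can inspect on each Active Directory user: "password not required" and "password never expires" are bits in the `userAccountControl` attribute (PASSWD_NOTREQD, 0x0020, and DONT_EXPIRE_PASSWORD, 0x10000), expiring and expired passwords follow from `pwdLastSet` plus the domain's maximum password age, and a stale admin account is a privileged account whose `lastLogon` is far in the past. The following is an added example (not Specops' code, nor code from the original article) that reproduces those checks over a constructed export of user records; the record layout, the 42-day maximum age and the 90-day staleness threshold are assumptions for the example.

```python
"""Added example: reproduce the userAccountControl / password-age checks
behind several Password Auditor findings, over a constructed AD export.

The record layout below is an assumption for this example (what you would
get from exporting sAMAccountName, userAccountControl, pwdLastSet,
lastLogon and admin-group membership); it is not a real domain dump.
"""
from collections import defaultdict
from datetime import date, timedelta

# userAccountControl flag bits (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample export: (sAMAccountName, uac, pwdLastSet, lastLogon, is_admin)
SAMPLE_USERS = [
    ("alice",          NORMAL_ACCOUNT,                        date(2024, 2, 20), date(2024, 2, 28), False),
    ("svc_backup",     NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, date(2022, 1, 1),  date(2024, 2, 29), False),
    ("kiosk",          NORMAL_ACCOUNT | PASSWD_NOTREQD,       date(2024, 2, 1),  date(2024, 2, 29), False),
    ("bob",            NORMAL_ACCOUNT,                        date(2024, 1, 22), date(2024, 2, 29), False),
    ("carol",          NORMAL_ACCOUNT,                        date(2024, 1, 1),  date(2024, 2, 29), False),
    ("old_admin",      NORMAL_ACCOUNT,                        date(2024, 2, 25), date(2023, 10, 1), True),
    ("disabled_admin", NORMAL_ACCOUNT | ACCOUNTDISABLE,       date(2023, 1, 1),  date(2023, 1, 1),  True),
]


def audit(users, today, max_pwd_age_days=42, expiring_within_days=7, stale_days=90):
    """Return {finding: sorted(account names)} using the same categories
    as the Password Auditor list above. Disabled accounts are skipped;
    they cannot be sprayed, and flagging them only adds noise."""
    findings = defaultdict(list)
    max_age = timedelta(days=max_pwd_age_days)
    for sam, uac, pwd_last_set, last_logon, is_admin in users:
        if uac & ACCOUNTDISABLE:
            continue
        if uac & PASSWD_NOTREQD:
            # the account may legitimately have a blank password
            findings["Password not required"].append(sam)
        if uac & DONT_EXPIRE_PASSWORD:
            findings["Password never expires"].append(sam)
        else:
            # only accounts whose passwords do expire can be expiring/expired
            expires_at = pwd_last_set + max_age
            if expires_at < today:
                findings["Expired passwords"].append(sam)
            elif expires_at - today <= timedelta(days=expiring_within_days):
                findings["Expiring passwords"].append(sam)
        if is_admin:
            findings["Admin accounts"].append(sam)
            if today - last_logon > timedelta(days=stale_days):
                findings["Stale admin accounts"].append(sam)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_USERS, date(2024, 3, 1)).items():
        print(f"{finding}: {', '.join(accounts)}")
```

Findings such as blank, breached and identical passwords cannot be derived from these attributes; they require comparing the stored password hashes themselves, which is the part a dedicated auditing tool handles for you. Note too that in a real domain `lastLogon` is not replicated between domain controllers, so use `lastLogonTimestamp` or query every DC before calling an admin account stale.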