Dark Web Monitoring: Your Employees Are Likely Using Compromised Passwords
Simple, proactive steps every company can take
Think your enterprise password policy is keeping your organization secure from attack?
Since 2005, more than 11.78 billion records have been exposed through attacks such as malware, phishing, and credential stuffing. Those records, corporate logins included, are routinely put up for sale on the dark web and then used to gain unauthorized access to organizations and websites.
As one example, a group known as “Shiny Hunters” leaked over 73 million records on the dark web, including data stolen from Microsoft’s private GitHub repositories.
So much for enforcing strong passwords and mandatory password changes.
Because employees tend to reuse passwords across websites and applications, a breach at any one of those sites can expose a working corporate credential. Your organization's risk of compromise rises dramatically, and your enterprise password policy, however strict, cannot prevent it.
While a strong password policy can help protect your organization, that’s not enough to address the potential threat. Are there better ways to prevent employees’ credentials from being compromised and made available for sale on the dark web?
Start a free 14-day trial of Dashlane and run a dark web scan today—no credit card required.
NIST recommends scanning for compromised passwords
The National Institute of Standards and Technology (NIST) has published guidance that addresses evolving password attacks. NIST Special Publication 800-63B states that when a password is set or changed, the verifier SHALL compare it “against a list that contains values known to be commonly-used, expected, or compromised,” and require a different password if it matches.
This list could include:
- Passwords obtained from previous breaches
- Dictionary or common words
- Repetitive or sequential characters
- Context-specific words, such as the name of the service or the username
The challenge lies in finding such a list: how do you know it is accurate and current enough to tell you whether your employees' credentials have been compromised?
If you have to ask that question, you already know the answer. A static list downloaded from the internet is out of date the moment the next breach dump appears, so on its own it isn't adequate. Keeping it current means re-downloading and re-importing it by hand, a time-consuming and error-prone process at best.
Thankfully, there’s a much easier way to follow the NIST 800-63B recommendations: a password management solution.
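To make the NIST checks concrete, here is an added example in Python that screens a candidate password against each of the four categories above. It is not Dashlane's code and not from the original post. The breach corpus, the dictionary fragment and the user details are constructed sample data. The breach check is keyed by SHA-1 hash prefix, modelled on the k-anonymity "range" lookup that public breach-corpus services such as Have I Been Pwned's Pwned Passwords use: the client sends only the first five hex characters of the hash and matches the rest locally, so it can query a corpus the service keeps current instead of downloading a static list.

```python
import hashlib
import re

# Constructed sample data, not from the original post: a tiny breach corpus in
# plaintext, used only to build the hashed lookup table below.
BREACHED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "Summer2023!"]

# Constructed dictionary fragment; a deployment would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "winter", "dragon", "monkey"}


def sha1_hex(secret: str) -> str:
    """Upper-case hex SHA-1, the hash that range-style breach lookups are keyed on."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_table(plaintexts):
    """Index breached passwords the way a k-anonymity range lookup serves them:
    5-hex-char SHA-1 prefix -> {remaining 35 hex chars: breach count}.
    In production this table lives on the service side and grows as new dumps
    are ingested; the client sends only the 5-char prefix and compares suffixes
    locally, so neither the password nor its full hash leaves the client."""
    table = {}
    for pw in plaintexts:
        h = sha1_hex(pw)
        bucket = table.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return table


RANGE_TABLE = build_range_table(BREACHED_PLAINTEXT)


def breach_count(password: str, range_table=RANGE_TABLE) -> int:
    """Return how many times the password appears in the (constructed) breach corpus."""
    h = sha1_hex(password)
    return range_table.get(h[:5], {}).get(h[5:], 0)


def has_sequence(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (abcd, 4321)."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_password(password: str, username: str, service: str) -> list:
    """Apply the SP 800-63B blocklist checks; returns the reasons for rejection,
    or an empty list if the password passes all of them."""
    reasons = []
    if len(password) < 8:  # 800-63B minimum length for user-chosen memorized secrets
        reasons.append("shorter than 8 characters")
    n = breach_count(password)
    if n:
        reasons.append(f"seen {n}x in breach corpus")
    lowered = password.lower()
    # Strip trailing digits/symbols so "Welcome2024!" is still caught as "welcome".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in DICTIONARY or stem in DICTIONARY:
        reasons.append("dictionary word")
    if re.search(r"(.)\1{2,}", password):
        reasons.append("repeated characters")
    if has_sequence(password):
        reasons.append("sequential characters")
    # Context-specific values: the account name (local part if it is an email
    # address) and the service name must not appear inside the password.
    local_part = username.split("@")[0].lower()
    for label, ctx in (("username", local_part), ("service name", service.lower())):
        if len(ctx) >= 3 and ctx in lowered:
            reasons.append(f"contains {label}")
    return reasons


if __name__ == "__main__":
    # Hypothetical user "jdoe@example.com" at a hypothetical service "Acme".
    for candidate in ["password", "Welcome2024!", "aaaa1234", "jdoe!Acme99",
                      "correct-horse-battery-staple"]:
        verdict = screen_password(candidate, "jdoe@example.com", "Acme")
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The breach lookup is the part that keeps the check current without manual list maintenance: because the client only ever transmits a hash prefix, it can safely consult a service that ingests new dumps continuously, which a locally downloaded file cannot match. The dictionary, repetition, sequence and context checks are cheap and deterministic, so they belong in the same gate rather than in a separate policy.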
Dashlane monitors for compromised passwords
An enterprise password manager should offer the ability to actively monitor the dark web and alert you when any employee’s logins have been compromised.
For example, Dashlane’s Dark Web Monitoring feature:
- Scans the dark web for any leaked data and automatically alerts employees through the web app when their personal information, such as their phone number or address, is part of a data leak.
- Recommends specific actions the affected employees can take to mitigate risk due to their compromised data.
By empowering employees to easily remediate their security risks, Dashlane’s proactive approach gives them the peace of mind that they’re not your organization’s weakest link.
Additionally, Dashlane provides Dark Web Insights for IT admins. Dark Web Insights offers real-time alerts and insights into security breaches and other vulnerabilities affecting employees. This tool:
- Allows admins to easily detect, assess, and remediate security risks in one central place.
- Provides a holistic and proactive approach to security so your organization can mitigate threats before they escalate.
Simple actions employees can take to minimize risks
Not every breach can be resolved in the same fashion, but there are a few things you can do to protect your organization further. Empower your employees to:
- Change the passwords for any of their accounts flagged in the dark web notification.
- Update any other accounts that use the same flagged passwords, and avoid reusing any previously compromised passwords.
- Enable two-factor authentication (2FA) for all their accounts that offer it. With more employees working remotely, 2FA adds a second check so that a leaked or reused password alone is not enough to log in, although phishing-resistant methods such as hardware security keys protect better than SMS or one-time codes, which attackers can still capture.
If your employees have corporate credit cards and an account tied to a card shows up in a breach, contact the card issuer directly. Financial institutions run their own fraud detection services and can reissue the card and take other steps to protect your company's financial accounts.
Protect your business
Above all, treat dark web monitoring as a requirement for every employee credential. Use your enterprise password management tool to scan the dark web for leaked information and alert you, so that you learn about exposed credentials before they are used against your organization.
Want to learn more about Dashlane’s Dark Web Insights and Dark Web Monitoring features? Read our latest blog.