Research reports show that account compromises aren’t decreasing
Published: Nov 25, 2024
Multi-Factor Authentication (MFA) has become important for user security within Active Directory environments. By implementing additional verification steps, MFA makes it more difficult for adversaries to gain unauthorized access and it is essential for any organization aiming to secure its Active Directory infrastructure.
However, despite heavy investment in MFA to stop cyberattacks, leading research reports show that account compromises aren’t decreasing. Rather, stolen passwords have risen to become the top cause of a data breach. This shows that even with MFA integrated into the Active Directory (AD) authentication flow, the security of each authentication factor is crucial for receiving the security benefits of MFA. So, there is still a need for a defense-in-depth approach that ensures credentials are secure rather than relying solely on MFA as a compensating control.
According to the Verizon 2024 Data Breach Investigations Report, stolen credentials remain a consistent and widespread threat to all organizations, including those using Active Directory. The report makes it clear that hackers are exploiting systems using default, weak, or compromised passwords to gain unauthorized access.
Even with all the advancements in MFA and other technologies, these cybercriminals persist in using stolen credentials because they’re so effective, easy to find on the Dark Web, and often provide a direct route straight into an organization’s systems.
This unexpected trend raises some important questions: How can attackers bypass MFA so consistently, and how can organizations better secure their authentication?
Although MFA is an important compensating control, attackers have found ways to get around this control in AD environments. Recognizing these tactics is essential so that organizations can understand why strong passwords need to be the foundation of authentication security. Here are some prevalent techniques used by threat actors to bypass MFA:
Securing user credentials directly in Active Directory is key to reducing the risk of MFA bypass. Attackers often need access to passwords as the first step in bypassing MFA. If credentials are exposed, such as through the Dark Web, it gives attackers the opening they need to compromise accounts.
By ensuring every authentication factor is secure and that passwords remain protected, organizations can achieve true multi-factor authentication and close many of the gaps that attackers exploit to compromise accounts. Proactive measures include:
Even if your systems haven’t been directly breached, your organization’s credentials can still be compromised through the combination of external data breaches and password reuse. When people reuse the same password across different sites, it greatly increases the risk of a company-wide compromise.
For instance, if someone in your organization uses the same password on another site that gets hacked, attackers can then use those stolen credentials to access your company’s accounts. Because breaches are so common, a single user may have several personal passwords exposed, which lets attackers infer the pattern that employee follows when creating passwords and guess the work password even when it differs only slightly from the leaked ones.
This is a common problem. According to Bitwarden’s 2023 Password Decisions Survey, ninety percent of users admit to reusing passwords across platforms, creating a widespread vulnerability.
Recent breaches show how dangerous password reuse can be. In December 2023, nearly 36 million Comcast Xfinity customers had their usernames and passwords leaked. If those same passwords were used for other important accounts, such as those used to authenticate to your organization’s systems, this poses a substantial risk. And while large breaches make headlines, many smaller ones, which aren’t well-publicized, also pose an outsized risk.
When credentials are compromised in one breach, cybercriminals can use them to access other accounts, leading to a cascade of security issues such as fraud, identity theft, phishing attacks, ransomware, and more. This domino effect means that a breach in one organization can quickly spread and affect many others.
The IBM 2024 Cost of a Data Breach Report looked at the serious financial impact of data breaches caused by compromised credentials. The global average cost of a data breach has risen to $4.88 million this year, a 10% increase from last year. Compromised credentials rose to be the top cause of a data breach. In addition, they were also among the toughest to remediate, taking on average 292 days to detect and contain, the longest of any type of breach.
Depending too much on MFA for securing the authentication flow can give organizations a false sense of security. Companies might skip other security steps—like properly monitoring for and remediating compromised credentials—because they assume MFA has them covered. This kind of complacency is risky.
On top of that, the common practice of forcing regular password changes (such as every 3 or 6 months) to secure credentials has been shown to be counterproductive, which is why the latest NIST 800-63B guidelines actually advise against this approach. Why? Because it doesn’t actually improve password quality and ends up causing users to create weaker passwords by reusing old ones or opting for simple, easy-to-guess patterns.
While MFA adds an extra layer of security to Active Directory environments, the ongoing issue of compromised passwords shows that more needs to be done. Enzoic for Active Directory tackles this problem head-on by directly securing user credentials, ensuring that passwords—the first line of defense—are strong and uncompromised.
Enzoic for Active Directory is an easy-to-install plugin that keeps a constant watch on user credentials by checking them against a real-time database of known compromised passwords. It does this securely by sending partial password hashes for comparison, so your sensitive data stays within your network. Because Enzoic’s database is always updated with the latest information from the Dark Web and other sources, you can be confident that passwords safe today remain safe tomorrow.
If Enzoic discovers that a user’s password has been exposed in a data breach, it can automatically take action, like requiring the user to change their password or disabling the account if necessary. This proactive approach stops attackers from exploiting compromised passwords, even if the breach happens after the password was created. By acting quickly, organizations can prevent small issues from turning into major security incidents.
Enzoic for Active Directory enforces customizable password policies every time a password is created or changed. It prevents users from choosing weak or commonly used passwords, including simple variations of them and passwords that contain parts of the username. With features like custom password dictionaries and detection of root or similar passwords, it helps users create strong, unique passwords. Plus, with one-click compliance with NIST 800-63B guidelines, organizations can easily meet industry best practices without making password requirements overly complicated for users.
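The two mechanisms described in the preceding paragraphs, a partial-hash lookup against a compromised-password corpus and policy checks for dictionary words, username fragments and reused password roots, are shown together below as an added Python example. This is illustrative code written for this page, not Enzoic’s implementation: the breach corpus, the custom dictionary, the leetspeak normalization rules and the hash scheme (SHA-1 with a 5-hex-character prefix, the k-anonymity style range lookup used by public breached-password services) are all assumptions.

```python
import hashlib
import re
from typing import Optional

# ---- Constructed sample data (illustrative, not real breach data) -------------
# Passwords assumed to have appeared in public dumps; only their digests are indexed.
BREACHED_PASSWORDS = ["password1", "Winter2024!", "letmein", "qwerty123", "P@ssw0rd"]
# Index: 5-hex-char SHA-1 prefix -> set of 35-hex-char suffixes (k-anonymity layout).
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in BREACHED_PASSWORDS:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

# Constructed custom dictionary: common words plus an assumed company name.
CUSTOM_DICTIONARY = {"password", "welcome", "letmein", "qwerty", "acmecorp"}

# Common leetspeak substitutions undone during root normalization (assumed table).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def lookup_suffixes(prefix: str) -> set[str]:
    """Server side of the partial-hash exchange: the service only ever sees the
    5-character prefix and answers with every suffix that shares it."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """Client side: hash locally, transmit only the prefix, compare suffixes locally.
    Neither the cleartext password nor its full hash leaves the caller."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup_suffixes(prefix)


def password_root(password: str) -> str:
    """Reduce a password to its 'root': lower-case it, strip the trailing run of
    digits/symbols (the usual appended year or '!'), then undo leetspeak.
    'P@ssw0rd2024!' -> 'password', 'Winter2024!' -> 'winter'."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


def username_tokens(username: str) -> set[str]:
    """Pieces of the account name (3+ chars) that must not appear in the password,
    e.g. 'j.smith' -> {'j.smith', 'smith'}."""
    lowered = username.lower()
    tokens = {lowered}
    tokens.update(t for t in re.split(r"[^a-z0-9]+", lowered) if len(t) >= 3)
    return tokens


def evaluate_password(password: str, username: str,
                      previous_password: Optional[str] = None,
                      min_length: int = 8) -> list[str]:
    """Return policy findings for a proposed password; an empty list means accepted.
    Checks: minimum length, breach lookup, dictionary words (after root
    normalization), username fragments, and same root as the previous password."""
    findings: list[str] = []
    if len(password) < min_length:
        findings.append("too_short")
    if is_breached(password):
        findings.append("breached")
    root = password_root(password)
    if any(word in root for word in CUSTOM_DICTIONARY):
        findings.append("dictionary_word")
    lowered = password.lower()
    if any(tok in lowered or tok in root for tok in username_tokens(username)):
        findings.append("contains_username")
    if previous_password is not None and root and root == password_root(previous_password):
        findings.append("same_root_as_previous")
    return findings


if __name__ == "__main__":
    # Constructed candidates: a leetspeak dictionary word, a surname, a breached
    # password, a trivially modified previous password, and an acceptable passphrase.
    samples = [("P@ssw0rd2024!", "j.smith", None), ("Smith#2024", "j.smith", None),
               ("Winter2024!", "alee", None), ("Tr0ub4dor&3", "alee", "Troubador&3"),
               ("correct horse battery staple", "alee", None)]
    for pw, user, prev in samples:
        print(f"{pw!r}: {evaluate_password(pw, user, prev) or 'accepted'}")
```

The lookup side is deliberately split into a client function and a server function so the data flow is visible: only `lookup_suffixes` sees the prefix, and the suffix comparison happens on the caller’s side. The root normalization is what lets one check catch "Summer2023!", "Summer2024!" and "5ummer2024!" as the same password.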
By eliminating the need for regular password resets—which often frustrate users and lead them to choose weaker passwords—Enzoic improves the user experience. Users are less likely to reuse passwords or choose simple patterns. For system administrators, the automated monitoring and response features reduce the workload that comes with manual password checks and reset processes. Customizable notifications and reporting tools give admins useful insights without overwhelming them with too much information.
Enzoic for Active Directory fits easily into existing Active Directory setups, whether they’re on-premises or hybrid environments. It works alongside your existing security measures, including MFA, by addressing the weaknesses associated with compromised passwords. Features like easy integration with SIEM systems and the ability to create different group policies allow your organization to customize the solution to fit your specific needs, enhancing security without adding extra complexity.
By focusing on securing passwords—the first factor in authentication—Enzoic for Active Directory addresses the security gaps that MFA alone can’t fix. It understands that attackers often need the password to even try to bypass MFA. By ensuring passwords aren’t compromised, Enzoic reduces the chances that attackers can get to the point of trying to bypass MFA. This comprehensive approach to securing every part of the authentication process significantly lowers the risk of unauthorized access.
MFA can be the last line of defense for an organization against compromised credentials. However, strong passwords should be a foundational control in any MFA implementation. Strengthening passwords is crucial to addressing the security gaps that MFA alone cannot cover within Active Directory.
By securing credentials as soon as they are exposed or compromised, especially those easily accessible to attackers on the Dark Web, organizations can significantly reduce the risk of account breaches. Key actions include ongoing monitoring, automated remediation of compromised credentials, and educating users on best security practices. Strengthening every part of the authentication process will better protect sensitive data and help organizations maintain the trust of their customers and stakeholders.
To learn how you can continually scan for compromised passwords in your environment and proactively prevent account takeover, download a trial of Enzoic for Active Directory today.