Typical Use Cases

A quick overview of some use cases where this solution could be leveraged.

Use Case: User Registrations within Enterprise Applications

Security touches every aspect of the enterprise IT landscape: every application in the architecture and every user of every system. User registrations within enterprise applications play a pivotal role in facilitating access control and personalized user experiences. In the context of enterprise software, user registration involves the creation of accounts for employees or stakeholders within the organization. This process typically entails gathering essential information such as username, email address, and password, and it is the first point at which security can be checked for this new user entity. Adding a check on the password to ensure that no leaked password is used enhances security not just for this one user but throughout the system and the wider IT ecosystem. User registrations enable administrators to manage permissions and define access levels, ensuring that individuals only have access to the resources and functionalities relevant to their roles; hence a compromise at this level, even of a single user, leaves the system and potentially the entire IT estate vulnerable. Overall, efficient user registrations are integral to the smooth operation, security, and user satisfaction within enterprise applications.

Where is this check done in the software?

This check is to be done at the time of "User Registration", when the user enters "Password / Confirm Password", or when the user resets the default password. Ideally, once the user has entered the password, this API is called as part of the password rule validation to also check whether the password is present in the leaked password store, using the PIV APIs.
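As an added example (not the PIV API's own client code, whose interface this page does not show), here is a Python registration validator that applies the password rules first and then the leaked-password check, with an explicit policy for what happens when the lookup itself fails; is_leaked and the leaked set are constructed stand-ins for the real API.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample of a leaked-password store. The real PIV API is assumed to
# expose an equivalent membership lookup; its actual shape is not given on this page.
CONSTRUCTED_LEAKED_STORE = {"password123", "Welcome@2023", "letmein", "qwerty!1"}


def is_leaked(password: str) -> bool:
    """Hypothetical stand-in for the PIV API lookup (assumption, not the real client)."""
    return password in CONSTRUCTED_LEAKED_STORE


@dataclass
class RegistrationResult:
    accepted: bool
    reasons: List[str]
    password_hash: Optional[bytes] = None  # salt || digest, only set when accepted


def validate_registration(password: str, confirm: str, *,
                          leak_check: Callable[[str], bool] = is_leaked,
                          fail_closed: bool = True) -> RegistrationResult:
    """Password-rule validation followed by the leaked-password check.

    fail_closed=True rejects the registration when the leak lookup itself fails
    (API unreachable, quota exceeded, ...); fail_closed=False lets it through but
    records that the check was skipped so it can be repeated at next login.
    """
    reasons: List[str] = []
    if password != confirm:
        reasons.append("password and confirmation do not match")
    if len(password) < 12:
        reasons.append("password shorter than 12 characters")
    if reasons:
        return RegistrationResult(False, reasons)
    try:
        if leak_check(password):
            return RegistrationResult(False, ["password appears in a known leak"])
    except Exception as exc:  # the lookup failed, not the password
        if fail_closed:
            return RegistrationResult(False, [f"leak check unavailable: {exc}"])
        reasons.append("leak check skipped; re-check on next login")
    # Only a password that passed every check is hashed for storage (salted, one-way).
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return RegistrationResult(True, reasons, salt + digest)
```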

Is this check enough to secure the system?

This security check offers some assurance that the password is safe at this point in time, though that may not remain the case. On top of this check, we recommend that user registration flows implement additional security measures such as multi-factor authentication, enhancing the overall security posture of the enterprise application.

Can you check the "Existing User Passwords" in the system against this leaked database?

Maybe, if your system allows for it, and it is definitely a good idea. Let's unpack that sentence. If your software system has implemented a "two-way hash" (reversible encryption) for your passwords, or any similar scheme from which the passwords can be recovered from your database, then the retrieved passwords can be compared directly against the leaked passwords. On the other hand, if your system has implemented a "one-way hash", this is possible only if you know the hashing mechanism of your system (or can reconstruct it from the system codebase); the comparison is then made by applying the same hashing to the leaked password store and comparing the results.
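An added example, not from this page's authors, of the one-way-hash case just described: each leaked password is re-hashed under each user's own salt with the system's hashing scheme (assumed here to be salted PBKDF2-SHA256; the user table and the leaked list are constructed samples) and compared against the stored digest.

```python
import hashlib
import hmac

# Constructed leaked-password sample standing in for the PIV leaked store (assumption).
CONSTRUCTED_LEAKED_STORE = ["password123", "Welcome@2023", "letmein", "qwerty!1"]


def system_hash(password: str, salt: bytes) -> bytes:
    """The application's own one-way scheme. Assumed here to be salted PBKDF2-SHA256;
    substitute whatever the audited system actually uses (the page leaves this open)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def audit_existing_users(user_records, leaked=CONSTRUCTED_LEAKED_STORE):
    """Re-hash every leaked password under each user's salt and compare with the
    stored digest. Returns the usernames whose current password appears in the leak.
    With per-user salts the cost is len(users) * len(leaked) hash operations, so
    this is an offline batch job, not a per-request check."""
    flagged = []
    for username, salt, stored in user_records:
        for candidate in leaked:
            if hmac.compare_digest(system_hash(candidate, salt), stored):
                flagged.append(username)
                break
    return flagged


# Constructed user table: (username, salt, stored_hash). Two users chose passwords
# that are in the leaked sample; one did not.
def _make_record(username, salt_hex, password):
    salt = bytes.fromhex(salt_hex)
    return (username, salt, system_hash(password, salt))


CONSTRUCTED_USERS = [
    _make_record("alice", "00112233445566778899aabbccddeeff", "Welcome@2023"),
    _make_record("bob", "ffeeddccbbaa99887766554433221100", "Tr0ub4dor&3-long-enough"),
    _make_record("carol", "0123456789abcdef0123456789abcdef", "letmein"),
]

if __name__ == "__main__":
    print(audit_existing_users(CONSTRUCTED_USERS))  # ['alice', 'carol']
```

If passwords are instead recoverable ("two-way"), the comparison is a plain set lookup, and the reversibility itself is a finding worth remediating.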

Use Case: e-Commerce Platforms (or) Supplier or Client Portals (or) Public facing websites

In e-commerce platforms, supplier or client portals, and public-facing websites, robust password management practices are crucial, especially in light of the ever-present threat of data breaches. Implementing password checks against leaked password databases is a fundamental security measure to safeguard user accounts and sensitive information. By cross-referencing user-provided passwords with known leaked password datasets, these platforms can proactively identify weak or compromised passwords, thus mitigating the risk of unauthorized access and potential data breaches. This proactive approach not only enhances the security posture of the platform but also instills trust and confidence among users, assuring them that their accounts are being safeguarded with stringent security measures. Additionally, educating users about the importance of strong, unique passwords and providing guidance on creating and managing secure credentials further reinforces the platform's commitment to protecting user data and maintaining a secure online environment. In today's threat landscape, integrating password checks with leaked password databases is an essential component of a comprehensive security strategy for e-commerce platforms, supplier or client portals, and public-facing websites.

Want to integrate your system with this PIN API?

To integrate with this API, you will need an API key. Please contact us via email at [email protected] for any integration queries.

Disclaimer

Performing this check does not make your system completely secure. This API check is one additional layer of security that you may add to your system. To achieve greater security, it is recommended to add multiple layers of security at every level of the business: application, network, system, hardware, people and processes. Checking your users' passwords against already leaked passwords in real time gives greater assurance of "User Access Security" among those layers. We attempt to keep the password store updated regularly, though it is not (and may never be) the complete list of all leaked passwords available on the internet, as that list is a moving target, with more systems being breached and more user passwords being exposed almost every day.