Shield: Frontline Defense Against Password Attacks

September 25th, 2019 | product and technology, security & compliance

You don’t need us to tell you that data breaches are on the rise. A glance at your smartphone’s push alerts or news headlines tells the story all too well. Although hackers are developing more sophisticated tactics, weak or reused passwords remain the biggest threat to companies around the world. In fact, 81% of hacking-related breaches use stolen and weak passwords. With more than 70% of employees reportedly reusing passwords at work, the scale of the threat that faces businesses becomes crystal clear. Weak and reused passwords leave organizations more susceptible to data breaches.

What can OneLogin do to help?

As a company, we’re in the business of helping our customers prevent data breaches. This begins with enforcing strong password requirements throughout your organization. So, how do you ensure all employees adhere to strong password requirements?

If you currently use a single sign-on (SSO) solution like OneLogin, it’s simple for users to secure their accounts with strong passwords. SSO gives users far fewer passwords to remember and limits the temptation to create weak passwords or reuse passwords. With Shield, we’re pleased to build upon the security of SSO and empower end-users to improve their own password hygiene.

What is Shield?

Shield is a solution that builds upon OneLogin’s existing threat capabilities. When the Shield browser extension is installed, it protects consumers and enterprises from password reuse, identity reuse, weak password practices, and phishing. It works with any existing identity provider to provide three key capabilities:

  • Stop Insecure Password Practices: prevents users from the high-risk practice of using identical or commonly used and insecure passwords across any website, including personal and corporate applications
  • Prevent Corporate Identity Misuse: addresses users using corporate accounts for personal applications, an insecure practice given the risk of third-party application compromise and the ability of cybercriminals to use third-party apps as an entry point for a data breach
  • Defend Against Phishing: identifies websites that have a high probability of fraud and attempt to trick users into entering their credentials

How does it work?

First and foremost, Shield is designed with user privacy in mind. It was developed as an open-source tool that doesn’t analyze or store passwords. Instead, Shield simply analyzes password hashes to identify password reuse. Password hashes stay in the browser and are never transmitted back to a server or anywhere else.

Once downloaded, Shield automatically appears in the browser’s toolbar and starts to detect instances of weak or reused passwords. If a user attempts to log in using a weak or reused password, Shield will notify the user.
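A minimal sketch of the local hash-comparison approach described above, added here as an illustration and not taken from Shield's source code. It assumes a per-install random salt, scrypt as the digest, and an in-memory store; the class name, origins and passwords are constructed for the example.

```javascript
// Added illustration, not Shield's code. Names and sample values are constructed.
const crypto = require('node:crypto');

class ReuseDetector {
  constructor() {
    // Assumption: a random per-install salt, so stored digests cannot be
    // matched against precomputed tables or another user's store.
    this.salt = crypto.randomBytes(16);
    this.seen = new Map(); // hex digest -> Set of origins that used it
  }

  // Slow salted digest (scrypt). Only this value is kept, never the password.
  digest(password) {
    return crypto
      .scryptSync(password.normalize('NFKC'), this.salt, 32)
      .toString('hex');
  }

  // Record a login on `origin` and report other origins sharing the password.
  check(origin, password) {
    const d = this.digest(password);
    const origins = this.seen.get(d) || new Set();
    const reusedOn = [...origins].filter((o) => o !== origin).sort();
    origins.add(origin);
    this.seen.set(d, origins);
    return { reused: reusedOn.length > 0, reusedOn };
  }
}

// Constructed sample logins.
function demo() {
  const detector = new ReuseDetector();
  return [
    detector.check('https://mail.example', 'correct horse battery staple'),
    detector.check('https://shop.example', 'correct horse battery staple'),
    detector.check('https://bank.example', 'a different passphrase 42'),
  ];
}

console.log(JSON.stringify(demo(), null, 2));
```

Because the comparison runs on digests held in the local store, nothing in this flow requires a network call.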

While Shield is available to everyone as a free service, we will also offer an enterprise-grade version with additional functionality like administrator alerts, the ability to suspend user accounts if malicious activity is detected, and the ability to export intelligence to Security Information and Event Management (SIEM) tools for additional reporting, analysis, and compliance.

Why does it matter?

Organizations can ill afford to overlook the issue of weak passwords and password reuse. Data breaches not only have a reputational impact, but also an economic impact on businesses. In 2018, the average cost of a breach was $3.86 million worldwide and $7.91 million in the United States. Let that sink in.

Closing thoughts…

Hackers thrive on poor password practices. They understand how simple it is to find or buy stolen credentials on the dark web and use them in brute force and credential stuffing attacks. When passwords are reused, it’s only a matter of time before a hacker lands a successful credential-stuffing attack. Shield empowers users by reminding them of the risks involved in weak credentials and/or password reuse. It fosters a culture of strong password practices by generating awareness among end-users. Users are more conscious and less inclined to use weak passwords or reuse passwords when they’re called out. So, think of Shield as your frontline of defense against password attacks, and as protection for your company’s purse and reputation. You’ll be glad you did!

Learn how you can protect your organization from password attacks with Shield. Read the press release.

About the Author

Rich Chetwynd founded Litmos, the market-leading learning technology company, as well as ThisData, a data security company leading the way in Account Takeover (ATO) attack detection. After ThisData was acquired by OneLogin in Summer 2017, Rich began working with the OneLogin engineering team with a focus on adaptive authentication.
