Password Blacklisting is sometimes considered a bridge solution until organizations can finally implement Multifactor Authentication (MFA). Password blacklisting may get deployed with plans to retire it once MFA is in place. On the surface, this seems to make sense. Once MFA has been implemented, it should not matter if end-user passwords are poor quality, because attacks on those poor passwords would still be thwarted by the extra authentication step of MFA. However, we are here to inform you that you should not forgo Password Blacklisting if you have already implemented MFA. In fact, the best, most secure solution is to use both! Below are some real-world reasons why you should keep using password blacklisting even if you have MFA in place (or plan to soon).
Reason 1 – Exceptions
First off, it is very common that when MFA gets implemented, there will be exceptions for systems/services that just do not (yet) support MFA. Each of these applications/services are holes in your organization’s security and attackers will find them. Most MFA rollouts have at least one of these apps/services that still rely on classic username and password authentication. As many organizations found out the hard way in the summer of 2020, MFA is great, but if your company VPN solution doesn’t use/support it, then very bad things can happen. Attackers can log into the company VPN, impersonating a real company user. Once attackers have direct access to the interior of company networks, it is as if the bad guys are freely roaming the isles of the company datacenter. Nothing good becomes of that!
Reason 2 – MFA Bypass
Another great reason to keep password blacklisting around is that as the prevalence of MFA deployments increases, attackers are changing their ways and are figuring out how to bypass MFA altogether. There have been numerous high-profile MFA-bypasses in the past year. A quick google search shows reports on many of them. But the most disastrous MFA bypass has to be the Solarwinds supply-chain attack announced in late 2020. In order for the attackers to gain access to the source-code of Solarwinds’ popular Orion platform, they first had to bypass the MFA that Solarwinds had deployed. Spoiler alert, the attackers were able to bypass Duo MFA and injected malicious code into the Solarwinds source. The Cybersecurity and Infrastructure Security Agency (CISA) in the US issued an advisory about attackers combining numerous different attack methods, but notably, MFA bypasses.
The Bottom Line
The answer is clear: you should deploy both Password Blacklisting and Multifactor Authentication. MFA deployments can stress the budget, but whereas the cost for a Password RBL subscription is quite reasonable. If you do not have the budget for MFA, then Password RBL blacklisting is a perfect first step – providing an effective addition to your security makeup and fantastic ROI. And if you do already have MFA deployed (or the budget to do so), then you can inexpensively add Password RBL blacklisting for a fraction of the total cost. Either way, Password RBL is for you! Check out our Packages for Small & Medium Business or request a free quote if your organization is larger.
