One of the biggest dark web threats to businesses is credential compromise. Initial access brokers specialize in selling credentials that unlock the door to companies. Sometimes they gain those credentials from malicious insiders or former employees. In other cases, bad actors buy or obtain huge lists of credentials stolen in other breaches. They are often used in credential stuffing attacks — a cyberattack in which bad actors pelt a company’s defenses with thousands of credentials quickly in the hope that someone at that company has recycled a compromised password. There are more than 24.6 billion complete sets of usernames and passwords in circulation on the dark web, which is four full sets of credentials for every person on earth.
Do not expose your company, or yourself, to a possible username and password compromise. Microsoft recommends the following guidelines for password policy.
Length of Password - Minimum of 14 characters length
Complexity of Password - Require upper case, lower case, numeric, and symbol
Force Password Change - Every 60 days
Do Not Allow Recycle of Passwords - Restricting the use of the last 6
Deploy a MFA (Multi Factor Authentication) tool