An average person on the Internet reuses the same password across multiple sites more often than we'd prefer, which has increasingly resulted in account compromise headaches felt both by them and the sites they visit. Most organizations have limited options to prevent password reuse altogether, but they can take advantage of the same data used by attackers: password leaks.
Large companies (like Microsoft, Google, Facebook, and Yahoo!) have started proactively searching for the passwords leaked by other sites and then finding matches within their own user populations. They can then force a password change or require supplemental authentication to make certain the legitimate user keeps control of their account.
This presentation discusses what exactly is involved in processing this ill-gotten data, as well as whether it makes sense for your organization to integrate this into your information security program.
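The two checks the abstract alludes to, as an added illustration (this is not code from the talk or from PasswordResearch.com): an offline sweep that tests leaked email/password pairs against the site's own stored hashes, and a login-time lookup of a new password against a prefix-indexed set of leaked plaintexts. The credential store, the leak contents and the user table are all constructed for the example, PBKDF2 stands in for whatever slow hash a real site uses, and the 5-character SHA-1 prefix index is an assumption modelled on the k-anonymity range lookups that Have I Been Pwned popularised.

```python
import hashlib
import hmac
import os

# --- the site's own credential store (constructed stand-in) ---
ITERATIONS = 10_000  # deliberately low for a quick demo; production uses far more


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored record."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed user table: only salted hashes are stored, never plaintext.
USERS = {
    "alice@example.com": hash_password("hunter2"),
    "bob@example.com": hash_password("correct horse battery staple"),
    "carol@example.com": hash_password("letmein"),
}

# Constructed third-party leak, as recovered email/password pairs.
LEAK = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "bobs-old-password"),
    ("dave@example.com", "letmein"),
]


def sweep_leak(users, leak):
    """Offline sweep: for every leaked pair whose email belongs to one of our
    users, run the leaked plaintext through our own verifier. Scoping by email
    keeps the cost to one slow hash per matching row instead of users x leak.
    Returns the set of accounts whose current password matches the leak."""
    compromised = set()
    for email, leaked_pw in leak:
        record = users.get(email)
        if record is None:
            continue  # not one of our users
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            compromised.add(email)
    return compromised


# --- login-time check against a prefix index of leaked plaintexts ---
PREFIX_LEN = 5  # assumed: SHA-1 hex prefix length used for the range index


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(leaked_passwords):
    """Map each SHA-1 prefix to the set of hash suffixes seen in the leak."""
    index = {}
    for pw in leaked_passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def is_known_leaked(password, index):
    """True if the password (which we hold in plaintext only at login or
    password-change time) appears anywhere in the leak, regardless of which
    email it was leaked with."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in index.get(h[:PREFIX_LEN], set())


if __name__ == "__main__":
    print("force reset for:", sorted(sweep_leak(USERS, LEAK)))
    idx = build_prefix_index(pw for _, pw in LEAK)
    for pw in ("letmein", "correct horse battery staple"):
        print(pw, "->", "leaked" if is_known_leaked(pw, idx) else "not in leak")
```

The two checks catch different people: the email-scoped sweep flags alice, whose leaked credential is her current password here, but misses carol, whose password was leaked under someone else's account; the prefix index catches carol the next time she logs in or changes her password. Neither check ever needs the site to store or reverse a plaintext.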
Bruce is a security consultant who founded the PasswordResearch.com web site over a decade ago. He aims to introduce more professionals to new and existing authentication research so they can better justify secure system design and policy choices. He has previously shared his experiences with authentication and other topics at the Black Hat, SANS, and InfoSec World conferences.