Focused on Compromised Credentials,Colorado-based PasswordPing Blocks Account Takeover and Credential Stuffing Attacks

Billions of username and password combinations are circulating on the Internet and Dark Web from a record number of 3rd party data breaches. These compromised credentials have become the new cybercriminal attack vector, leaving workforce and customer accounts open to penetration, fraud, and PII loss.

Founded in 2016, PasswordPing was one of the first companies to recognize the extent of this vulnerability and develop a service for organizations to securely check users’ current credentials against those that have been exposed.

Credential screening has subsequently appeared as part of new industry standards for authentication, including in NIST (National Institute of Standards and Technology) guidelines that now require checking new passwords against a list that contains values known to be compromised.

As a result, PasswordPing has seen rapid growth through both direct sales and partnerships, protecting millions of end users.

“With experienced leadership at the helm and ground-breaking technology, PasswordPing is poised to take its growth to the next level with expanded product offerings and additional partnerships in 2019. We are on track to grow 30x between 2016 and 2018 and we are continually evolving our business strategy to keep pace with the ever-changing security market,”

Mike Greene, CEO of PasswordPing.

Better Understanding The Threat from Comprised Credentials

Because most people re-use the same password across multiple websites, it is easy for the cybercriminals to obtain credentials that work in other environments that haven’t previously been breached. 

Bad actors conduct credential stuffing attacks using automated tools to try to login to sites using compromised credentials. Even only a small success rate allows the attacker to take over many accounts, draining them of value and obtaining sensitive personal information that can be used to conduct further attacks.

The results of research by Verizon Data Breach Investigations in 2017 showed that nearly two thirds of data breaches involve weak or stolen login credentials, with substantial damage to reputation and financial loss.

How PasswordPing’s Service Works

PasswordPing’s portfolio includes three unique offerings that are combined into a variety of different use cases to meet their customers’ requirements: a Passwords service is used to validate that new passwords were not previously exposed or found in common cracking dictionaries; an Exposures servicealerts when new exposures for a user or domain occur; and a Credentials service uses a unique approach to securely check full username and password combinations to prevent account takeover fraud.

“Credential stuffing and account takeover (ATO) attacks are serious concerns for most organizations, putting corporate networks at risk and costing billions annually in fraud. This is mainly due to users reusing passwords across multiple sites, coupled with the ease with which cybercriminals can obtain large lists of compromised credentials. This means that even if your organization has not been directly breached, your users’ accounts can still be easily hacked if they reuse passwords. Any company, non-profit, or government agency with online account access can benefit from PasswordPing’s solutions, which are the industry standard for proactively protecting website login forms and corporate directory services,”

Josh Horwitz, COO of PasswordPing

Driving Innovation in Authentication Security

PasswordPing is an innovation-centric company with R&D efforts led by company Founder and Chief Technology Officer, Mike C. Wilson. Mike is a cyber-security veteran, with 20 years of experiencein large, commercial software development, and 12 years specifically in the information security field.

Mike recognized the importance of addressing authentication security without adding friction to the user experience. Unlike other approaches that add steps to the login process or require particular hardware, PasswordPing works seamlessly by checking credentials in the background and providing a clear indication if the credentials are no longer secure. For organizations where the user experience can create a competitive advantage, PasswordPing developed a way for companies to differentiate themselves from their competition.

Mike has continued to bring innovation to this area of security, including being the first to develop techniques for credential comparisons that work with salted, strong hash algorithms.And more recently, being the first to introduce partial hash data exchanges for secure, full credential comparisons where actual credential data never leaves the owner’s environment.

PasswordPing’s credibility in the compromised credential screening space is so strong that their blog posting on the new NIST password guidelines comes up in search engine results before the actual NIST website.Today, PasswordPing is the only cyber-security vendor that is actively screening for uncracked compromised credential combinations, not just blanket exposed passwords.

Commitment to Enterprise Security

At PasswordPing, the security of infrastructure and systems are a critical priority.Its cloud-based infrastructure is hosted by Amazon Web Services on an architecture built to meet the requirements of the most security-sensitive organizations.

PasswordPing does not expose its application tier or data tier servers to the public Internet; only the outer web tier servers of the multi-tiered architecture are publicly accessible, and only over HTTPS.

The compromised credentials in PasswordPing’s database are encrypted and only stored in a salted and strongly hashed format where they have absolutely no way of recovering the original data.

PasswordPing does not rely on cracking passwords to provide the service, which enables more robust coverage of dark web data and reduces the risk of becoming a hacking target.

They never store submitted data, it is kept in memory on servers only long enough to perform the database lookup, and then the memory is zeroed out at the end of the call.

PasswordPing is quickly becoming a security company that other security companies trust with LastPass and other leading IAM and SSO vendors as customers and partners.

“PasswordPing goes far beyond just notifying users if they’ve been part of a data breach.We check to confirm whether current credentials are compromised, reducing unnecessary admin alerts and end user frustration.”

Kristen Ranta Haikal Wilson, CMO of PasswordPing

Meet the Executive Leadership Team

Michael Greene, CEO: Prior to PasswordPing, Michael was the CEO of ID Watchdog, an identity theft protection company that was sold to Equifax in 2017. Before IDWatchdog, Mike held senior management positions at Symantec, Webroot, Thompson Micromedix, Raindance, and Baxter.

Mike C. Wilson, CTO: Prior to founding PasswordPing, Mike worked at Webroot where he led the development of Spy Sweeper and the development of Webroot’s first mobile security product. Prior to Webroot, Mike led the development of an anti-malware product for the MSP space at LogicNow. Mike started his career in the high-security environment at NASA, working on the mission control center redevelopment project. 

Josh Horwitz, COO: Prior to joining PasswordPing, Josh was the founder of a cloud-based, enterprise customer-marketing platform, Boulder Logic, whose clients included Microsoft, Siemens, Dell, and CSC.He grew the company as the CEO for over 10 years and ultimately led the company’s exit in 2015. Prior to founding his company, Josh held senior technology and sales positions with both start-ups and Fortune 500 companies, including IBM.