Password best practices: Lessons learned from recent hacks
09 September, 2013
category: Corporate, Digital ID
By Charles McColgan, CTO, TeleSign
According to the Ponemon Institute, 55% of small businesses across the U.S. had some form of data breach and 53% had multiple breaches. More than 50% is a scary number, and data breaches can impact all organizations, big and small. Just consider the recent examples from some very high profile companies that made front-page news including Skype, LivingSocial and the Associated Press. Though these hacks were very different, the following common best practices could have lessened the sting.
Make sure your users never use the same password twice
Users should have a random and different password for each site they use. The problem with a stolen password is that the user has frequently reused the same password across several accounts. Users are lucky when they find out about a hack, because then they can change the password on their compromised account and on any other account that shares that password. The more insidious and damaging hacks are the ones that go unnoticed for a period of time. Unless a site provides two-factor authentication, users should assume that any of their accounts could be compromised with a guessed or cracked password. Since users are generally resistant to creating and maintaining multiple passwords, recommend that they store these passwords using a service like LastPass or software like Password Safe.
Salt your passwords. In fact, double salt them
For password storage, passwords must be salted and hashed – a process that increases the security of stored passwords – and in fact double-salting them is better. Double-salting passwords and storing the second salt somewhere other than the password database makes the hashed passwords nearly impossible to crack. The security folks at LivingSocial did salt their passwords, which makes any attack against the hashed passwords much harder. If a site has salted and hashed its passwords, an attacker must build a separate dictionary of hashes for every single user. That takes a very long time, making the attack millions of times more complex if the site has millions of accounts. Salting and hashing protects all of your passwords from being cracked easily, but individual accounts are still susceptible.
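The storage scheme described above, as an added example that is not code from the original post or from TeleSign: each user gets a random salt stored beside the hash, and a second secret (the "second salt", usually called a pepper) is kept outside the password table and mixed in with HMAC before the slow PBKDF2 stretch. The pepper value, the iteration count and the helper names are this example's own assumptions; the pepper is hard-coded only so the block runs offline.

```python
import hashlib
import hmac
import os

# Constructed pepper for this example only. In a deployment the pepper lives
# outside the password database (HSM, KMS, or a config secret on the app host),
# so a dump of the user table alone is not enough to run a dictionary attack.
PEPPER = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms on your hardware


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    """Apply the pepper as an HMAC key over the password, then stretch the
    result with the per-user salt using PBKDF2."""
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = ITERATIONS) -> dict:
    """Build the record that goes into the password table: random per-user
    salt, work factor and digest. The pepper is deliberately not part of it."""
    salt = os.urandom(16)
    digest = _derive(password, salt, pepper, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt and work factor; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, pepper, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def per_user_hashes_differ(password: str, users: int = 3,
                           iterations: int = ITERATIONS) -> bool:
    """Shows why salting forces one dictionary per account: the same password
    stored for several users yields distinct digests."""
    digests = {hash_password(password, iterations=iterations)["hash"]
               for _ in range(users)}
    return len(digests) == users


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
    print(per_user_hashes_differ("password123"))                 # True
```

Because the pepper is an HMAC key rather than a string appended to the password, a verifier that lacks it cannot recompute any digest, which is the property the post attributes to storing the second salt outside the database.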
Collect a phone number for important communication
Email is a good method of communication, but SMS is more appropriate for urgent matters such as, “Holy Heck, we were hacked, change your password!” Email communication comes with its own set of challenges because it can also be compromised. Additionally, many users reuse the same credential across all their accounts. That’s why it’s imperative to capture and verify your users’ phone numbers when they register for an account. Not only does this help ensure users are who they say they are, but it can serve as an effective deterrent for keeping out fraudsters and spammers. Attaching a verifiable phone number to an account enables other downstream benefits like streamlining password resets and enabling secure communication to your user base if there is ever a system-wide data breach.
Set up two-step verification to prevent account compromise
If two-step verification were set up, it wouldn’t matter if passwords were compromised, because the hacker would need to know the password and have physical possession of the authentication device – in most cases the end user’s phone. For example, if all LivingSocial users had used two-factor authentication it wouldn’t matter if someone else knew the user’s password. The accounts couldn’t have been compromised unless the attacker had the password – something the user knows – and had the two-factor authentication device – something the user has, such as a token or mobile phone.
Set up risk-based authentication
In the battle between security and convenience, there are perils at both extremes: relying solely on passwords leaves users’ accounts vulnerable, while mandatory two-factor authentication for every login or transaction brings cost, complexity and inconvenience. Risk-based authentication strikes a balance between the two, by selecting the appropriate authentication requirements for each session based on specific triggers that detect suspicious or unusual activity.
During sign-in, users can establish the device as a trusted device. Subsequent logins from that device don’t require secondary authentication. However, if the user logs in from a new device or engages in non-typical behavior or behavior that matches patterns of fraudulent activity, a secondary authentication event will be triggered.
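The trusted-device and trigger logic described in the two paragraphs above, as an added example that is not from the original post or from TeleSign: a per-user profile records hashed device tokens and usual countries, and a decision function returns whether the session can proceed on the password alone or must step up to a second factor, along with the triggers that fired. The trigger set, threshold and names are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed policy: actions that always step up, and a failed-login threshold.
SENSITIVE_ACTIONS = {"change_password", "change_email", "add_payment_method"}
FAILED_LOGIN_THRESHOLD = 3


@dataclass
class UserProfile:
    """Per-user state a real system would keep in its user store."""
    trusted_devices: set = field(default_factory=set)   # hashed device tokens
    usual_countries: set = field(default_factory=set)
    recent_failed_logins: int = 0


@dataclass
class LoginAttempt:
    device_token: str   # opaque value from a long-lived cookie on the device
    country: str        # derived from the client IP by a geo lookup (assumed)
    action: str


def _device_fingerprint(token: str) -> str:
    # Store only a hash: a leaked profile table must not let anyone mint a
    # cookie that looks like a trusted device.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def trust_device(profile: UserProfile, token: str) -> None:
    """Call after a successful second-factor check when the user opts to
    remember this device."""
    profile.trusted_devices.add(_device_fingerprint(token))


def required_auth(profile: UserProfile, attempt: LoginAttempt) -> tuple:
    """Return ('password_only' | 'step_up', [triggers that fired])."""
    triggers = []
    if _device_fingerprint(attempt.device_token) not in profile.trusted_devices:
        triggers.append("untrusted_device")
    if profile.usual_countries and attempt.country not in profile.usual_countries:
        triggers.append("unusual_country")
    if attempt.action in SENSITIVE_ACTIONS:
        triggers.append("sensitive_action")
    if profile.recent_failed_logins >= FAILED_LOGIN_THRESHOLD:
        triggers.append("failed_login_burst")
    return ("step_up" if triggers else "password_only"), triggers


if __name__ == "__main__":
    profile = UserProfile(usual_countries={"US"})
    first = LoginAttempt("cookie-abc", "US", "login")
    print(required_auth(profile, first))      # ('step_up', ['untrusted_device'])
    trust_device(profile, "cookie-abc")       # user passed the second factor
    print(required_auth(profile, first))      # ('password_only', [])
    print(required_auth(profile, LoginAttempt("cookie-abc", "BR", "login")))
    # ('step_up', ['unusual_country'])
```

Logging the trigger list with every step-up decision is what makes the policy tunable later: the security team can see which triggers fire most often and whether they correlate with confirmed fraud or with annoyed legitimate users.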
Communicate early and often
Companies that have been hacked need to quickly tell users that a breach occurred, how it occurred and what the user needs to do. Be transparent about what data was compromised and what you are doing to remediate any issues found. Be transparent about your security. If you have salted (or double-salted) your users’ credentials, say that. Explain what this means in terms of how difficult it is for the bad guys to actually access your passwords.
It’s a best practice to conduct a detailed post mortem. The way the Internet community gets better about security is by understanding what mistakes were made, embarrassing as they may be.
In this technology-driven business environment there is potential for enormous opportunities – as well as significant risks. Just as companies buy insurance to cover fire or flood loss related to their buildings, organizations have to insure their most valuable asset: their data. And the best way to protect data is to follow some commonsense best practices and learn from the companies that have been put through the fires.