Information Security … A Guide For Business #3 Require Secure Passwords and Authentication

Ten practical lessons businesses can learn from the FTC’s (business.ftc.gov) 50+ data security settlements. This is part #3.

#3 Require Secure Passwords and Authentication!

If you have personal information stored on your network, strong authentication procedures – including sensible password “hygiene” – can help ensure that only authorized individuals can access the data. When developing your company’s policies, here are tips to take from FTC cases.

Insist on complex and unique passwords.

“Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. In the Twitter case, for example, the company let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts. According to the FTC, those lax practices left Twitter’s system vulnerable to hackers who used password-guessing tools, or tried passwords stolen from other services in the hope that Twitter employees used the same password to access the company’s system. Twitter could have limited those risks by implementing a more secure password system – for example, by requiring employees to choose complex passwords and training them not to use the same or similar passwords for both business and personal accounts.

Store passwords securely.

Don’t make it easy for interlopers to access passwords. In Guidance Software, the FTC alleged that the company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network. Similarly, in Reed Elsevier, the FTC charged that the business allowed customers to store user credentials in a vulnerable format in cookies on their computers. In Twitter, too, the FTC said the company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts. In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections – two-factor authentication, for example – that can help protect against password compromises.

Guard against brute force attacks.

Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password. In the Lookout Services, Twitter, and Reed Elsevier cases, the FTC alleged that the businesses didn’t suspend or disable user credentials after a certain number of unsuccessful login attempts. By not adequately restricting the number of tries, the companies placed their networks at risk. Implementing a policy to suspend or disable accounts after repeated login attempts would have helped to eliminate that risk.
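As an added example, not code from the FTC guidance or from any of the companies named, here is a small Python authentication store that applies the three controls described above: it rejects common or short passwords, stores only a salted PBKDF2 hash rather than clear text, and locks an account after repeated failed logins. The lockout threshold, minimum length, iteration count and common-password list are constructed values for illustration.

```python
import hashlib
import hmac
import os

# Constructed policy values for this example; tune them for a real deployment.
MAX_FAILED_ATTEMPTS = 5
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
COMMON_PASSWORDS = {"121212", "qwerty", "password", "123456", "letmein"}


def password_allowed(password: str) -> bool:
    """Reject passwords that are too short or appear in the common-password list."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest); only this pair is stored, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthStore:
    """In-memory user store: hashed credentials plus a per-account failure counter."""

    def __init__(self):
        self.users = {}  # username -> {"salt", "hash", "failed", "locked"}

    def register(self, username: str, password: str) -> bool:
        if not password_allowed(password):
            return False  # enforce the complexity policy at enrolment time
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}
        return True

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'locked'; lock after MAX_FAILED_ATTEMPTS failures."""
        user = self.users.get(username)
        if user is None:
            return "denied"  # same answer as a bad password, so usernames are not enumerable
        if user["locked"]:
            return "locked"  # an operator must unlock; no more guesses are evaluated
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["hash"]):  # constant-time comparison
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "denied"
```

A production system would also rate-limit by source address and use a timed unlock, so that an attacker cannot abuse the lockout to deny legitimate users access.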

Protect against authentication bypass.

Locking the front door doesn’t offer much protection if the back door is left open. In Lookout Services, the FTC charged that the company failed to adequately test its web application for widely-known security flaws, including one called “predictable resource location.” As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities.