There is nothing new in the European Network and Information Security Agency’s advice. For the user it includes not re-using the same password in multiple accounts; regularly changing online passwords and immediately changing a compromised password; using strong, complex passwords with the help of a password manager; and taking advantage of two-factor authentication wherever it is offered.
For the provider, advice is that passwords should never be stored in plaintext, but always hashed and salted. Strong passwords should be required and enforced. Two-factor authentication, perhaps via a mobile phone, should be offered wherever greater security is required. CAPTCHA mechanisms should be used to prevent automated attacks.
Further preventative advice is offered to providers. This includes “implementing a proper SDLC (Software Development Life Cycle), taking special care of validation methods for inputs, parameters and variables.” And a ‘breach notification’ policy should be implemented.
The problem, however, is that these basic measures are simply not being used. Users do not use strong passwords. When the RedHack group broke into the Ankara Police Department in Turkey earlier this year, it discovered that one of the passwords of the ‘secret police’ was 123456.
And the providers are no better. Tesco is currently being much criticized. It started a couple of months ago when security researcher Robin Wood signed up for an online account. But he “found that they were storing their passwords without hashing them – they either encrypted or just left them in clear text as they were able to email me my password back when I couldn't log in.” The reason he couldn’t log in was that the password he entered, a strong password generated by a password manager, was too long for the system and had been silently truncated.
This problem has since been verified by other security professionals. Troy Hunt yesterday published a detailed blog starting from similar circumstances and coming to the same conclusion. Tesco responded on Twitter, "Let me assure you that all customer passwords are stored securely & in line with industry standards across online retailers."
But, “Too many large companies are using bad password policies and are then ignoring the security community when they bring these issues to their attention,” Robin Wood told Infosecurity. “The standard lines are ‘we follow industry best practice’ and ‘we can't discuss our policy as it would weaken our position’.”
The first is wrong, he continued, “as most are being called out because they are not following the best practice and the second is wrong as a good security posture can be open and discussed without weakening it – for example, if they announced they were using Bcrypt with a long random salt then they would not lose any security but would gain respect and trust from users.”
Perhaps, then, that suggestion should be added to ENISA’s advice to providers: be explicit about how you store your customer credentials.
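The two provider-side points above, salted hashing rather than plaintext or reversible storage, and the truncation failure Robin Wood ran into, are illustrated in the following added example. It is not code from the article, from ENISA or from any retailer mentioned; it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the bcrypt the article mentions, and the iteration count, salt length and the ten-character truncation limit of the modelled legacy system are assumptions chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical parameters for this example (not taken from the article):
PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16               # per-user random salt, stored next to the hash
LEGACY_MAX_LEN = 10           # length at which the modelled legacy form cuts passwords


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields).

    Only the salt and the slow one-way digest are stored; the password itself
    cannot be recovered or emailed back from this record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)           # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False                              # malformed record never verifies
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)  # no early-exit timing leak


def legacy_store(password: str) -> str:
    """Model of the failure mode in the article: the sign-up form truncates before hashing."""
    return hash_password(password[:LEGACY_MAX_LEN])


def legacy_login_succeeds(password: str) -> bool:
    """Register with the password, then log in by typing it in full, as a password manager would."""
    record = legacy_store(password)
    return verify_password(password, record)      # False once the password exceeds LEGACY_MAX_LEN


if __name__ == "__main__":
    generated = "correct-horse-battery-staple-2012"  # constructed sample, like a manager's output
    record = hash_password(generated)
    print("stored record:", record)
    print("correct password verifies:", verify_password(generated, record))
    print("wrong password verifies:", verify_password("123456", record))
    print("same password, legacy truncating form:", legacy_login_succeeds(generated))
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day. The `legacy_login_succeeds` check is the sort of regression test a provider can keep in its suite: a long generated password must round-trip unchanged through sign-up and login.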
03 August 2012
Whilst two, or even three, factor authentication is appropriate for anything involving financial accounts, valuable or sensitive information, it is overkill for some sites like this one where it is "only" a user's virtual identity that could be compromised. Password generators are also typically not appropriate where users have a mix of equipment - for example I'm posting this after the end of the working day from a locked-down work machine, but may read follow-up comments on my iPad or on my home PC.
It shouldn't be all up to the user to maintain the security of their passwords (I can't be the only one who re-used passwords on multiple sites due to sheer numbers and limited memory capacity - I've now started using a simple hash and salt to them following the LinkedIn breach, something that involved changing over 50 passwords on counting). Hopefully any UK issues, such as those at Tesco's (fortunately one site I don't use), will be increasingly raised with the information commissioner.
31 July 2012
All of these hacks this year should serve as a wake-up call to users about a complacent attitude to authentication and passwords. However, it has not, and there still remains a need for more preventative measures to be put in place. For example, many of the leading companies in their respective verticals are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your site(s) are secure. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.