Require Secure Passwords and Authentication
By: Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection | Aug 11, 2017
We’ve considered FTC settlements, closed investigations, and the questions we get from businesses about implementing good authentication “hygiene.” Here are some tips on using effective authentication procedures to help safeguard your network.
INSIST ON LONG, COMPLEX, AND UNIQUE PASSWORDS.
A password’s very reason for being is to be easy for a user to remember, but hard for a fraudster to figure out. Obvious choices like ABCABC, 121212, or qwerty are the digital equivalent of a “hack me” sign. Furthermore, experts have determined that passphrases or longer passwords are generally harder to crack. The smarter strategy is for companies to think through their standards, implement minimum requirements, and educate users about how to create stronger passwords. Also, when you install software, applications, or hardware on your network, computers, or devices, change the default password immediately. And if you design products that require consumers to use a password, configure the initial set-up so they have to change the default password.
Example: A staff member attempts to select payroll as the password for the database that includes employee payroll information. The company sets up its system to reject an obvious choice like that.
Example: To access the corporate network, a business allows employees to type in their username and a shared password common to everyone who works there. Employees are also allowed to use that shared password to access other services on the system, some of which contain sensitive personal information. The more prudent policy would be to require strong, unique passwords for each employee and to insist that they use different passwords to access different applications.
Example: At a staff meeting, a company’s IT manager offers tips for employees about good password hygiene. She explains that passphrases or longer passwords are better than short passwords based on standard dictionary words or well-known information (for example, a child’s name, a pet, a birthday, or a favorite sports team). By establishing a more secure corporate password standard and educating employees about implementing it, the IT manager is taking a step to help her company reduce the risk of unauthorized access.
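The rejection rule from the payroll example, as an added sketch that is not part of the FTC article: it refuses the obvious choices named above (short strings, repeated units such as ABCABC or 121212, common passwords, and words tied to the system being protected). The blocklist, the minimum length and the function names are assumptions made for illustration.

```python
import re

# Constructed blocklist; a real deployment would load a much larger list.
COMMON = {"qwerty", "password", "letmein", "123456"}
MIN_LENGTH = 12  # assumed minimum, not a figure from the article


def repeated_unit(pw):
    """Return the short unit a password is built from by repetition, or None."""
    s = pw.lower()
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return s[:size]
    return None


def check_password(pw, context_words=()):
    """Return the reasons to reject pw; an empty list means it is accepted."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in COMMON:
        reasons.append("common password")
    if repeated_unit(pw) is not None:
        reasons.append("repeated pattern")
    # Strip digits and punctuation so "Payroll2017!" still matches "payroll".
    letters = re.sub(r"[^a-z]", "", lowered)
    for word in context_words:
        if word.lower() in letters:
            reasons.append("contains context word: " + word.lower())
    return reasons
```

Pass the name of the protected system (here, payroll) as a context word so that decorated variants of it are rejected as well.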
STORE PASSWORDS SECURELY.
A company’s first line of defense against data thieves is a workforce trained to keep passwords secret. But even the strongest password is ineffective if an employee writes it on a sticky note on her desk or shares it with someone else. Train your staff not to disclose passwords in response to phone calls or emails, including ones that may appear to be coming from a colleague. Con artists have been known to impersonate corporate officials by spoofing phone numbers or email addresses.
A compromised password poses a particular risk if it can be used to open the door to even more sensitive information – for example, a database of other user credentials maintained on the network in plain, readable text. Make it difficult for data thieves to turn a lucky password guess into a catastrophic breach of your company’s most sensitive data by implementing policies and procedures to store credentials securely.
Example: A new employee gets a call from someone who claims to be the company’s system administrator. The caller asks him to verify his network password. Because the new staffer learned about impersonation scams at an in-house security orientation, he refuses to disclose his password and instead reports the incident to the appropriate person in the company.
Example: A company keeps user credentials and other passwords in plain text in a word processing file on its network. If hackers were to gain access to the file, they would be able to use those credentials to open other sensitive files on the network, including a password-protected database of customers’ financial information. In the event of a breach, the company could potentially reduce the impact of the breach by maintaining information about credentials in a more secure form.
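One common way to keep credentials in "a more secure form" than the plain-text file in the example above, shown as an added sketch that is not part of the FTC article: store a salted, slow hash of each password instead of the password itself. The choice of PBKDF2-HMAC-SHA256, the iteration count and the record layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return a storable record; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Check a login attempt against a stored record."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations))
    except ValueError:
        # Malformed record, e.g. a legacy plain-text entry: refuse the login.
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)
```

Because each record carries its own random salt, two employees who choose the same password end up with different stored values, and a thief who copies the file still has to guess each password separately.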
GUARD AGAINST BRUTE FORCE ATTACKS.
In brute force attacks, hackers use automated programs to systematically guess possible passwords. (In a simple example, they try aaaa1, aaaa2, aaaa3, etc., until they strike pay dirt.) One defense against a brute force attack is a system set up to suspend or disable user credentials after a certain number of unsuccessful login attempts.
Example: A company sets up its system to lock a user out after a certain number of incorrect login attempts. That policy accommodates the employee who mistypes her password on the first try, but types it correctly on the second, while guarding against malicious brute force attacks.
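The lockout policy described above, as an added sketch that is not part of the FTC article: failures are counted per account inside a time window, a successful login resets the count, and a locked account is refused before the password is even checked. The class name, thresholds and the explicit `now` argument (seconds, passed in so the logic can be tested) are assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after max_failures failed logins within window seconds."""

    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # user -> times of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time now."""
        if self.is_locked(user, now):
            # Refuse before looking at the password, so a correct guess made
            # during the lock is not confirmed.
            return "locked"
        recent = self.failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if password_ok:
            recent.clear()    # the employee who mistyped once starts fresh
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()
        return "failed"
```

Failures spaced further apart than the window never accumulate, so a lockout counter on its own does not cover slowly paced guessing; log failed attempts per account and per source as well.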
PROTECT SENSITIVE ACCOUNTS WITH MORE THAN JUST A PASSWORD.
You’ve required strong, unique passwords, stored them securely, and locked people out after a number of unsuccessful log-in attempts. But to protect against unauthorized access to sensitive information, that may not be enough. Consumers and employees often reuse usernames and passwords across different online accounts, making those credentials extremely valuable to remote attackers. Credentials are sold on the dark web and used to perpetrate credential stuffing attacks – a kind of attack in which hackers automatically, and on a large scale, input stolen usernames and passwords into popular internet sites to determine if any of them work. Some attackers time their log-in attempts to get around restrictions on unsuccessful log-ins. To combat credential stuffing attacks and other online assaults, companies should combine multiple authentication techniques for accounts with access to sensitive data.
Example: A mortgage company requires that customers use strong passwords to access their accounts online. But given the highly sensitive nature of the information in its possession, it decides to implement an additional layer of security. The company uses a secret verification code generated by an authentication app on the customer’s smartphone and requires the customer to enter that code and use their strong password for access. By implementing this additional protection, the mortgage company has bolstered security on its site.
Example: An online email service provider requires strong passwords. But it also offers consumers the option of implementing two-factor authentication through a variety of means. For example, the email provider can generate a code by text or voice call. It also allows users to insert a security key into a USB port. By offering two-factor authentication, the email service provider presents users with an additional layer of security.
Example: A debt collection company allows its collectors to work from home. To access the company’s network, which contains spreadsheets of financial information about debtors, the company requires employees to log in to a virtual private network, protected by a strong password and a key fob that generates random numbers every six seconds. By securing remote access to its network with multi-factor authentication, the company has improved its authentication procedures.
PROTECT AGAINST AUTHENTICATION BYPASS.
Hackers are a persistent bunch. If they can’t get in through the main entrance, they’ll try other virtual doors and windows to see if another access point is ajar. For example, they may simply skip the login page and go directly to a network or web application that is supposed to be accessible only after a user has met the network’s other authentication procedures. The sensible solution is to guard against authentication bypass vulnerabilities and allow entry only through an authentication point that lets your company keep a close eye on who’s trying to get in.
Example: A weight loss clinic has a publicly available webpage describing its services. That page also features a login button that allows existing members to enter their username and password for access to a special “Members Only” portal. Once they’ve successfully logged on to the “Members Only” portal, members can navigate to other supposedly restricted pages, including a personalized “Track My Progress” page where they can input their weight, body fat, pulse, favorite running routes, etc. However, if a person knows the URL of a member’s “Track My Progress” page, the person can skip the login page and simply type the URL in the address bar. That allows the person to view the information on the member’s page without having to enter a username or password. The more secure option is for the weight loss clinic to ensure that people must enter login credentials before accessing any portion of the “Members Only” portal.
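The fix for the clinic example, as an added sketch that is not part of the FTC article: every request passes through one default-deny check, so a members-only URL typed straight into the address bar is sent to the login page. It goes one step beyond the example by also refusing a logged-in member who requests another member's page. The route names, member ids and in-memory session table are constructed for illustration.

```python
import secrets

PUBLIC_PATHS = {"/", "/services", "/login"}  # constructed route names
SESSIONS = {}                                 # session token -> member id


def log_in(member_id):
    """Issue an unguessable session token once credentials were verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = member_id
    return token


def authorize(path, token=None):
    """Return (status, detail) for a request; anything not public needs a session."""
    if path in PUBLIC_PATHS:
        return 200, "public"
    member_id = SESSIONS.get(token) if token else None
    if member_id is None:
        # Covers a members-only URL requested with no session or a forged one.
        return 302, "/login"
    parts = path.strip("/").split("/")
    # Expected shape: /members/<member id>/<page>
    if len(parts) == 3 and parts[0] == "members":
        if parts[1] != member_id:
            return 403, "not your page"
        return 200, "members/" + parts[2]
    return 404, "not found"
```

The session check runs before the path is resolved, so an unauthenticated visitor gets the same redirect whether or not the requested page exists.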
The message for businesses: Think through your authentication procedures to help safeguard sensitive information on your network.