The Associated Press published an article on 12/05/13, “More than 2 Million Facebook, Google and other accounts compromised.” In this article the author offers computer users the same old password security tips:
- Don’t use the same password everywhere.
- Use stronger passwords.
- Make them 8+ characters long
- Mix in letters, numbers and special characters
- Avoid dictionary words
- Avoid easy to guess words
- Come up with complex answers to security questions using special characters and numbers
- Use multiple levels of authentication.
- Change passwords regularly.
While these tips are still valid, the crux of the article is that you, the user, are responsible for keeping your accounts safe. However, it does nothing to help users manage all these tips, nor does it offer business owners any tips to better safeguard their stored data.
While individuals have some responsibility, these breaches are bringing to light that many online companies, internet providers and the like are not following good industry security practices. With the many government laws now mandating data privacy protection, the onus is on businesses of all sizes to get their act together or face media headlines, huge fines and potential imprisonment.
Because the article gave no tips for business owners, here are my five.
1. Salt the password database. This is a two-step process. First, passwords must never be stored in clear text. Store instead the output of a one-way mathematical function (a hash) computed over the password, and pick a hash designed for passwords (bcrypt, scrypt or PBKDF2) that is deliberately slow, so every guess costs the attacker real time.
Next, mix a random value into each hash, unique for each and every entry, and store it next to the hash. That value is the salt. So if “Password” hashes to 15c626b06ae6624f47404d0728 for one entry (an illustrative value, not a real digest), the next entry with the same password might hash to a356cf160fb45924edc23aa5f4.
This simple step defeats precomputed rainbow tables and forces the thief to attack each record separately instead of testing one guess against the whole table at once. It also hides which users share a password. What a salt does not do is stop the thief from guessing one user's password offline; that is what the slow hash is for. Keep in mind that the salt is not a secret: it sits in the same table the thief stole.
2. Use true multifactor authentication. Two steps are not the same as two factors. Authentication draws on three factors:
- Possession (something you have)
- Knowledge (something you know)
- Inherence (something you are)
True multifactor authentication is the mixture of any two or all three factors like a card with a password, a password with fingerprint, a voice with a card or voice+card+PIN.
Whether entering a password and then a code from your phone is truly two-factor depends on where the code comes from. If the second code is another memorized secret, such as the answer to a security question, it is two steps of a single factor: something you know and something else you know. If the code is computed from a secret key that lives only inside the phone (a hardware token or an authenticator app), the code proves possession of that key, but only as well as the key is protected: a seed that can be copied off the phone, or a code sent over SMS that can be intercepted, is a weak possession factor. The stronger design is the one where the account challenges the device and the device answers with a value derived from a key that never leaves it.
Certainly two steps are better than one, but if you want to be compliant with the various government privacy laws, you need genuine multifactor authentication.
3. Salt the hash with something you have. The importance of salting was discussed in the first tip, but a salt is stored beside the hash and is not secret. What adds real protection is a second, secret value that is not in the database at all. If that secret is generated centrally and kept on a server, the whole scheme stands or falls with that server, as the 2011 breach at RSA showed when SecurID token seed data was stolen and the tokens had to be replaced. If instead the secret is a unique key held inside a cell phone, smartcard or access control card, the thief has to have the device in hand: a stolen password table cannot even be tested against a dictionary without it.
It should be clear that combining tips 1, 2 and 3 really starts to beef up security.
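To make the difference between tip 1 and tip 3 concrete, here is an added example (not code from the article or from Access Smart) of a salted, slow password store, with an optional device-held key mixed in. The database layout, the use of PBKDF2-HMAC-SHA256, the iteration count and the `device_key` argument are all choices of this example; `offline_guess` plays the part of the thief who has stolen the table.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256, stored with each record so it can be raised later
# without breaking existing logins.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes, iterations: int, device_key: bytes = b"") -> bytes:
    """Slow, salted hash (tip 1). If a device_key is supplied (tip 3) it is mixed in with HMAC
    first, so the stored verifier cannot be checked offline without the device."""
    material = password.encode("utf-8")
    if device_key:
        material = hmac.new(device_key, material, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def register(db: dict, username: str, password: str, device_key: bytes = b"") -> None:
    salt = os.urandom(16)                       # fresh random value per record: that is the salt
    db[username] = {
        "salt": salt,                           # stored in the clear next to the hash
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt, ITERATIONS, device_key),
    }


def verify(db: dict, username: str, password: str, device_key: bytes = b"") -> bool:
    rec = db.get(username)
    if rec is None:
        # Burn the same time for unknown users so response timing does not reveal valid names.
        hash_password(password, bytes(16), ITERATIONS)
        return False
    candidate = hash_password(password, rec["salt"], rec["iterations"], device_key)
    return hmac.compare_digest(candidate, rec["hash"])   # constant-time comparison


def offline_guess(record: dict, guess: str) -> bool:
    """What a thief holding the stolen table can do: hash a guess with the record's own salt."""
    attempt = hash_password(guess, record["salt"], record["iterations"])
    return hmac.compare_digest(attempt, record["hash"])


if __name__ == "__main__":
    db = {}
    register(db, "alice", "Password")
    register(db, "bob", "Password")
    print("same password, different hashes:", db["alice"]["hash"] != db["bob"]["hash"])
    print("salt alone stops a dictionary guess:", not offline_guess(db["alice"], "Password"))
    card_key = os.urandom(32)                   # key that lives only on the user's card
    register(db, "carol", "Password", card_key)
    print("with device key, dictionary guess works:", offline_guess(db["carol"], "Password"))
    print("login with card:", verify(db, "carol", "Password", card_key),
          "without card:", verify(db, "carol", "Password"))
```

Running it shows the point of the two tips side by side: alice and bob share a password but get different hashes, yet a single dictionary guess against alice's record still succeeds, because the salt is in the stolen table. Only carol's record, which depends on a key that was never in the database, resists the offline guess.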
4. Convenience, convenience, convenience. For security to be effective it also has to be convenient for the user. Experience shows that users will circumvent security for their own convenience. Making employees remember passwords, assigning complex ones and forcing regular changes only pushes them to write passwords down, fall back on one generic password, and reuse that password elsewhere, all for the user's convenience.
Plus, when implementing multifactor authentication all the factors have to be secure and strong. If one leg of the stool is weak then the whole stool is weak.
5. Take password management out of the hands of the employee. If employees no longer have to generate passwords, then they also don't have to remember, type or even know them. There are many ways to grab passwords: key loggers, phishing, spam, pharming and so on. A secure, multifactor password manager that puts IT back in control of the credentials greatly reduces the risk of a data breach.
But why stop at five? Here are five more as a Holiday gift.
6. BONUS TIP 1: Combine multiple applications onto the same credential. The fewer items an employee has to manage, the better for them and for the company. Since most employees already have an ID badge, it's time to make it do more. Using the badge for physical access to a building has been done for decades, but now the same badge can serve for computer network access, payments, time and attendance, and more. With the newer smartcard technologies these applications can be added without having to rebadge.
With one card, the employee has only one thing to remember, carry and use. They are less likely to leave it at home or unattended in their office. Plus, with a single card the company's management costs drop: HR has only one card to issue and recall, IT spends less time replacing forgotten or lost IDs, and the cost of replacement inventory is reduced.
7. BONUS Tip 2: Allow the employee to store personal accounts on their credential. If all the company's keys to the kingdom are on one credential, you want to be sure that employees don't lose or mishandle it. But if the employee also keeps their personal bank account passwords or electronic cash on the card, they will want to protect their own information from being stolen, which in turn protects the company's information.
The last three Bonus Tips should be self-explanatory.
8. BONUS Tip 3: Salt the user name also
9. BONUS Tip 4: Don’t make the user name an email address
10. BONUS Tip 5: Don’t use a social media account logon to access your accounts
There are many other security practices that companies can follow to keep data secure and protect the privacy of their customers and employees. There are no silver bullets that will 100% safeguard a company from a breach. The best one can do is put in enough barriers to make getting the information difficult, and then, once it has been stolen, make it unusable to the thief.
While passwords are often criticized in the media as the weak link, there also have to be safeguards against physical attacks, social engineering attacks, carelessness and corrupt-employee attacks. If any of these tips are confusing or you are worried about other potential vulnerabilities, bring in a security analyst to do a risk assessment of your environment.
About Access Smart
Founded in 2005 and headquartered in Ladera Ranch, California, Access Smart, LLC is a one-stop-shop offering a wide range of logical access products (software, licenses, cards and readers) to make network authentication deployment fast, easy and inexpensive. We are dedicated to empowering businesses, agencies and institutions to securely regain control over their computers and networks at the point of entry. Authentication, authorization and non-repudiation do not have to be cumbersome to be effective. That’s why our products are designed using state-of-the-art security technologies while focusing on ease-of-use and low-cost-of-ownership.
Previously, smartcard technology was only affordable to large government agencies and Fortune 500 companies. Access Smart has turned that model upside down by utilizing existing infrastructures and matching the technology to the needs. For example: you can use existing badge technologies, you have no backend server modifications, there are no annual subscription fees, and all your licenses are transferable.
Please contact Access Smart for a no obligation consultation on how best to implement Authentication, Authorization and Non-Repudiation into your business. Access Smart – The Alternative to PKI.