The holidays are a time for giving and for relaxing with family and friends. While everyone was preparing for the holiday on December 24th, creatures were stirring and clicking a mouse. Over the holiday a data breach of close to a million passwords led to one embarrassed "intelligence" company and 200 gigabytes of personal information exposed. How could this happen? The year of the data breach is drawing to a close and companies still do not have a secure password policy. Meanwhile an out-of-band one-time password is fairly easy and inexpensive to implement and offers obvious security benefits.
Data breaches like this are becoming more common and are all over the media. Companies are learning the hard way that they cannot skimp on security at any point in the chain. After all, you are only as strong as your weakest link, and the recent Stratfor data breach is a prime example. Although Stratfor had a password policy in place, findings from The Tech Herald show that the policy was not enforced.
In this case the password policy required only a six-character password containing at least one numerical digit. After cracking over 80 thousand passwords by simple means, The Tech Herald found many passwords that were not even six characters long, so the stated policy was not being applied when passwords were created. Users also built passwords from common terms, dates and personal references.
Strong Password Creation
Strong passwords mix upper- and lower-case letters, numbers and symbols. Using every character class enlarges the space a cracking program has to search. Users should also avoid full words or terms in their login credentials: a list of common words is exactly what gets loaded into a cracking program like the one The Tech Herald used on the Stratfor passwords, and a word with a digit or two appended falls to it almost as quickly as the bare word. Beyond creating a strong credential, users should change their password regularly, which limits how long a password that was compromised without their knowledge remains useful to an attacker.
Support for stronger passwords has to be present in the application, along with software enforcement: a policy that is only written down, as at Stratfor, rejects nothing. Infrastructure for this kind of password security can be expensive to implement, though, and it can create an unpleasant user experience. After all, who can remember a password like "B#13iL@9e"?
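As an added example (not code from the original post or from Stratfor), the following Python puts the policy the article describes (six characters plus a digit) beside a policy that enforces character classes, rejects all-digit values such as dates, and runs a small dictionary check after undoing common letter-for-digit substitutions. The sample passwords, the tiny wordlist and the minimum length of 8 are assumptions chosen for illustration; the password "B#13iL@9e" is the one quoted in the text.

```python
import re
import string

# Constructed sample passwords for illustration, not taken from any real dump.
SAMPLE_PASSWORDS = ["abc1", "summer1", "19850312", "Summer2011!", "B#13iL@9e"]

# A tiny stand-in for the kind of wordlist a cracking tool is fed (constructed).
COMMON_WORDS = {"summer", "winter", "password", "welcome", "letmein", "stratfor"}

# Common substitutions undone before the dictionary check, so "Summ3r" is still "summer".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def weak_policy(pw):
    """The policy the article describes: six characters and at least one digit."""
    return len(pw) >= 6 and any(c.isdigit() for c in pw)


def alphabetic_core(pw):
    """Lower-case the password, undo leetspeak and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def strong_policy(pw, min_length=8, wordlist=COMMON_WORDS):
    """Return the reasons a password is rejected; an empty list means it is accepted.

    min_length=8 is an assumption for this example; set whatever your own policy needs.
    """
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        failures.append("missing " + ", ".join(missing))
    if pw.isdigit():
        failures.append("all digits (a date or number is trivially guessed)")
    core = alphabetic_core(pw)
    if any(len(word) >= 4 and word in core for word in wordlist):
        failures.append("contains a dictionary word")
    return failures


def evaluate(passwords=SAMPLE_PASSWORDS):
    """Map each password to (accepted by the weak policy, reasons the strong policy rejects it)."""
    return {pw: (weak_policy(pw), strong_policy(pw)) for pw in passwords}


if __name__ == "__main__":
    for pw, (weak_ok, reasons) in evaluate().items():
        verdict = "accepted" if not reasons else "rejected: " + "; ".join(reasons)
        print(f"{pw!r:14} weak policy {'accepts' if weak_ok else 'rejects'}; strong policy {verdict}")
```

Note the difference on "Summer2011!": it satisfies the six-plus-digit rule and even every character-class rule, and only the dictionary check catches it, which is why a length and class policy alone is not enough.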
Protecting users from themselves is not easy, but a one-time password lets them be fairly careless with the password they do choose. Not every way of delivering an OTP is equally secure, though. In some cases the OTP is sent to the user's email, which may itself be compromised: people very commonly reuse one password across all platforms, so an attacker who has cracked the user's password may have access to the user's email as well, and with it the OTP.
Out-of-Band One-Time Password
One of the simplest ways to make authentication more secure is an out-of-band one-time password. The OTP is delivered to the user's mobile phone over a channel separate from the login session, so the user is authenticated by something they have as well as something they know. It also adds a layer of protection when the computer is infected: a code that malware captures is single-use and expires, unlike a static password. Users in turn gain the ability to use simpler login credentials without giving up protection.
With an OTP in place the weak Stratfor passwords would have mattered far less. The OTP does not stop a server-side breach like the one that exposed the password hashes, but once a password has been cracked the attacker still has to pass the second factor before reaching the confidential data. Even with the user's login credentials and phone number in hand, they would not have "something you have", which is the mobile phone itself. If the OTP were instead delivered to email and the attacker held the login credentials and an email address, a savvy attacker with a reused password may well get in; that is exactly the case an out-of-band channel closes.
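The flow described in the two preceding sections, as an added example that is not code from the original post or from any OTP product. The server issues a short code after the password has been checked, stores only an HMAC of it, pushes it to the registered phone through an injected delivery callback (a stand-in for an SMS gateway), and accepts it once, within a validity window and an attempt budget. The six-digit length, two-minute window and three-attempt limit are assumptions; the simulation walks through the attacker who holds the cracked password but not the phone, a replay, a brute-force run that exhausts the budget, and an expired code.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120      # assumed validity window
MAX_ATTEMPTS = 3           # assumed guess limit before the code is discarded


class OtpServer:
    """Second-factor step of a login, with the code sent over an out-of-band channel.

    send_sms(phone, message) stands in for an SMS gateway; clock() returns the current
    time and is injectable so the expiry path can be exercised in the simulation.
    """

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms
        self.clock = clock
        self.key = secrets.token_bytes(32)   # server-side key; only HMACs of codes are stored
        self.phones = {}                      # username -> phone number
        self.pending = {}                     # username -> {"mac", "expires", "attempts"}

    def register_phone(self, username, phone):
        self.phones[username] = phone

    def _mac(self, username, code):
        return hmac.new(self.key, f"{username}:{code}".encode(), "sha256").digest()

    def begin_login(self, username, password_ok):
        """Run after the password check; issues a fresh code and pushes it to the phone."""
        if not password_ok or username not in self.phones:
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = {
            "mac": self._mac(username, code),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(self.phones[username], f"Your login code is {code}")
        return True

    def complete_login(self, username, code):
        """Accept the code once, within its window and within the attempt budget."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[username]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[username]
            return False
        if hmac.compare_digest(self._mac(username, code), entry["mac"]):
            del self.pending[username]        # single use: a replay must fail
            return True
        return False


def simulate():
    """Walk through the scenarios from the text; returns a dict of outcomes."""
    inbox = []                                   # stands in for the user's phone (constructed)
    now = [1_000_000.0]                          # controllable clock
    server = OtpServer(send_sms=lambda phone, msg: inbox.append(msg), clock=lambda: now[0])
    server.register_phone("alice", "+15555550100")
    latest_code = lambda: inbox[-1].split()[-1]
    results = {}

    # Attacker holds alice's cracked password and phone number, but not the phone.
    server.begin_login("alice", password_ok=True)
    code = latest_code()
    wrong = "000000" if code != "000000" else "000001"   # a guess that is certainly wrong
    results["guess_without_phone"] = server.complete_login("alice", wrong)
    # alice reads the code off her phone; the failed guess above has not spent it.
    results["correct_code"] = server.complete_login("alice", code)
    # The same code presented again: single use.
    results["replay"] = server.complete_login("alice", code)

    # Guessing through the attempt budget discards the code even if the last try is right.
    server.begin_login("alice", password_ok=True)
    code = latest_code()
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        server.complete_login("alice", wrong)
    results["lockout_then_correct"] = server.complete_login("alice", code)

    # A code presented after its window has closed.
    server.begin_login("alice", password_ok=True)
    code = latest_code()
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = server.complete_login("alice", code)
    return results


if __name__ == "__main__":
    for scenario, ok in simulate().items():
        print(f"{scenario:22} {'login succeeded' if ok else 'login rejected'}")
```

Storing only an HMAC of the pending code means that a dump of the server's pending table, the same kind of dump that exposed the Stratfor hashes, does not hand an attacker a usable second factor; the attempt budget is what keeps a six-digit code from being guessed outright.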
If your vision of authentication security holds more than sugarplums dancing in your head, you may yet keep your holiday from being cut short by a data breach.