PasswordsCon 2014

As you probably know, I am an avid student of modern cryptography techniques, specifically dealing with how they can be applied to providing secure logins over the Internet. After coming across the videos posted from this year’s PasswordsCon I felt obligated to take notes, as this is a field that is constantly changing, and where failure to implement even the most basic of recommendations may cost businesses millions in damages when their systems are compromised. Some of what I watched reinforced what I was already writing about, while some of it was new to me.

I found this list was difficult to categorize, so I’m presenting them in no particular order.

  • Use one-way algorithms specifically designed for passwords
  • Don’t allow users to reuse a password...keep track of old hashes
  • Always encrypt your transmission. Use the latest TLS version when possible.
  • Consider profiling users based on IP address, location, speed of clicking, # page views, etc. When a threshold of those are different than the previous user’s profile, start to alert the user when they log in again.
  • Alert the user when they log in that their password was changed x days ago when a user attempts to use an old password to log in.
  • Alert users when their passwords are about to expire
  • Use secure forms of 2-factor authentication for recovering accounts
  • Throttle login attempts after x failed logins.
  • Don’t send emails for password reset links unless you have no other choice because:
    • they may take several hours to reach the user
    • they may go into their spam folders, or
    • their email accounts may be compromised.
  • Password reset links, pin keys, etc must expire soon after issuing as well as once they are used.
  • Send the user an alert when the password changes
  • Consider locking account from user-initiated changes for x days after users change a password
  • Use different password policies depending on level of security within your system
  • Consider auditing your own passwords to determine weak areas of your own password policies
  • Get better hardware for your servers to improve your hash strength. Many companies that had a large number of their users’ passwords cracked and subsequently exposed by hackers used faster hashing methods to prevent their servers from slowing down, which left their passwords more vulnerable to cracking methods.
  • Enterprises should consider mandating that all employees use a password manager as a way to generate and track cryptographically strong passwords.
  • Companies should hire penetration testers to check the overall security of their systems and point out flaws to their developers before a real world hack happens.

How many of these points have already been implemented by your company? I understand that without a product, the company won’t make money, but without security, your business as well as the financial institutions you do business with may have to pay legal and restitution fees along with living with a permanent mark on your company’s history.