Protecting passwords is not just down to users

Inside the Enterprise: EU security agency ENISA argues that service providers need to do more to protect our privacy.

A recent report by financial data company Experian suggested that too many internet users do too little to secure their account passwords.

No doubt this is true. But the blame for poor online security does not just lie with end users, according to ENISA, the EU's IT security agency. The agency argues that although users might pick easy-to-break passwords, service providers need to do more to protect their authentication systems.

Service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach.

As ENISA points out, this year alone has seen millions of passwords stolen from organisations ranging from LinkedIn, to Nvidia and EHarmony. This, in turn, has led to the theft of personal information, but also to people's stolen details being used to unlock other accounts – too many of us reuse passwords across different services – and even to attack other websites.

This has prompted ENISA to offer guidance to service providers on how to improve their password and authentication security.

The first step is to ensure all passwords are encrypted: this might sound obvious, but apparently not all service providers do this. Then, providers need to look in more detail at the cryptography they use.

Freely available password dictionaries, along with the fact that so many users use easy to guess passwords – 123456 anyone? – are making it too easy for hackers to work out some of the older cryptographic hashes, and unscramble all the passwords. But service providers also need to bolster their data leak prevention, to stop cyber criminals stealing the master password data in the first place.

Providers also often lack sufficiently strong password policies, including renewal frequencies, complexity and minimum length. Systems that need a higher degree of security should be equipped with two-factor authentication, for additional protection.

ENISA also argues that all service providers should notify users in the event of a data breach; currently, only telecoms providers have to do this under EU law. This will help users to protect themselves, and build up a better picture of breaches for the security agencies.

And service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach. Users could, for example, use password management software to help.

But, as the agency points out, this is of little use if companies themselves fail to realise that passwords are a valuable commodity, and treat them as such. Organisations that allow users to create accounts that hold personal data do, after all, have a special responsibility to ensure that that information is protected at both ends of the system.

Stephen Pritchard is a contributing editor at IT Pro