In-depth

Protecting passwords is not just down to users

Inside the Enterprise: EU security agency ENISA argues that service providers need to do more to protect our privacy.

Password

A recent report by financial data company Experian suggested that too many internet users do too little to secure their account passwords.

No doubt this is true. But the blame for poor online security does not just lie with end users, according to ENISA, the EU's IT security agency. The agency argues that although users might pick easy-to-break passwords, service providers need to do more to protect their authentication systems.

Advertisement - Article continues below

Service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach.

As ENISA points out, this year alone has seen millions of passwords stolen from organisations ranging from LinkedIn, to Nvidia and EHarmony. This, in turn, has led to the theft of personal information, but also to people's stolen details being used to unlock other accounts too many of us reuse passwords across different services and even to attack other websites.

This has prompted ENISA to offer guidance to service providers on how to improve their password and authentication security.

The first step is to ensure all passwords are encrypted: this might sound obvious, but apparently not all service providers do this. Then, providers need to look in more detail at the cryptography they use.

Advertisement
Advertisement - Article continues below

Freely available password dictionaries, along with the fact that so many users use easy to guess passwords 123456 anyone? are making it too easy for hackers to work out some of the older cryptographic hashes, and unscramble all the passwords. But service providers also need to bolster their data leak prevention, to stop cyber criminals stealing the master password data in the first place.

Advertisement - Article continues below

Providers also often lack sufficiently strong password policies, including renewal frequencies, complexity and minimum length. Systems that need a higher degree of security should be equipped with two-factor authentication, for additional protection.

ENISA also argues that all service providers should notify users in the event of a data breach; currently, only telecoms providers have to do this under EU law. This will help users to protect themselves, and build up a better picture of breaches for the security agencies.

And service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach. Users could, for example, use password management software to help.

But, as the agency points out, this is of little use if companies themselves fail to realise that passwords are a valuable commodity, and treat them as such. Organisations that allow users to create accounts that hold personal data do, after all, have a special responsibility to ensure that that information is protected at both ends of the system.

Stephen Pritchard is a contributing editor at IT Pro

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement

Recommended

Visit/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday
vulnerability

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020
Visit/security/cyber-security/355267/zoom-hires-ex-facebook-cso-to-boost-platform-security
cyber security

Zoom hires ex-Facebook CSO Alex Stamos to boost platform security

8 Apr 2020
Visit/security/vulnerability/355236/hp-support-assistant-flaws-leave-windows-devices-open-to-attack
vulnerability

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
Visit/security/cyber-security/355234/safari-bug-let-hackers-access-cameras-on-iphones-and-macs
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/security/cyber-security/355271/microsoft-gobbles-up-corpcom-domain-to-keep-it-from-hackers
cyber security

Microsoft gobbles up corp.com domain to keep it from hackers

8 Apr 2020
Visit/software/video-conferencing/355257/taiwan-first-country-to-ban-zoom-amid-security-concerns
video conferencing

Taiwan becomes first country to ban Zoom amid security concerns

8 Apr 2020