In-depth

Protecting passwords is not just down to users

Inside the Enterprise: EU security agency ENISA argues that service providers need to do more to protect our privacy.

Password

A recent report by financial data company Experian suggested that too many internet users do too little to secure their account passwords.

No doubt this is true. But the blame for poor online security does not just lie with end users, according to ENISA, the EU's IT security agency. The agency argues that although users might pick easy-to-break passwords, service providers need to do more to protect their authentication systems.

Service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach.

As ENISA points out, this year alone has seen millions of passwords stolen from organisations ranging from LinkedIn, to Nvidia and EHarmony. This, in turn, has led to the theft of personal information, but also to people's stolen details being used to unlock other accounts too many of us reuse passwords across different services and even to attack other websites.

Advertisement
Advertisement - Article continues below

This has prompted ENISA to offer guidance to service providers on how to improve their password and authentication security.

The first step is to ensure all passwords are encrypted: this might sound obvious, but apparently not all service providers do this. Then, providers need to look in more detail at the cryptography they use.

Freely available password dictionaries, along with the fact that so many users use easy to guess passwords 123456 anyone? are making it too easy for hackers to work out some of the older cryptographic hashes, and unscramble all the passwords. But service providers also need to bolster their data leak prevention, to stop cyber criminals stealing the master password data in the first place.

Providers also often lack sufficiently strong password policies, including renewal frequencies, complexity and minimum length. Systems that need a higher degree of security should be equipped with two-factor authentication, for additional protection.

ENISA also argues that all service providers should notify users in the event of a data breach; currently, only telecoms providers have to do this under EU law. This will help users to protect themselves, and build up a better picture of breaches for the security agencies.

And service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach. Users could, for example, use password management software to help.

But, as the agency points out, this is of little use if companies themselves fail to realise that passwords are a valuable commodity, and treat them as such. Organisations that allow users to create accounts that hold personal data do, after all, have a special responsibility to ensure that that information is protected at both ends of the system.

Stephen Pritchard is a contributing editor at IT Pro

Featured Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/33048/popular-password-managers-found-to-have-serious-flaws
Security

Popular password managers found to have serious flaws

21 Feb 2019

Most Popular

Visit/business-strategy/mergers-and-acquisitions/354191/xerox-threatens-hostile-takeover-after-hp-rebuffs
mergers and acquisitions

Xerox threatens hostile takeover after HP rebuffs $30bn takeover

22 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019
Visit/business-strategy/it-infrastructure/354188/tsb-payment-delays-suggest-second-it-meltdown
IT infrastructure

TSB payment delays suggest second IT meltdown

22 Nov 2019
Visit/public-cloud/34850/salesforce-takes-aws-relationship-to-the-next-level
News

Salesforce takes AWS relationship to the next level

19 Nov 2019