In-depth

Protecting passwords is not just down to users

Inside the Enterprise: EU security agency ENISA argues that service providers need to do more to protect our privacy.

Password

A recent report by financial data company Experian suggested that too many internet users do too little to secure their account passwords.

No doubt this is true. But the blame for poor online security does not just lie with end users, according to ENISA, the EU's IT security agency. The agency argues that although users might pick easy-to-break passwords, service providers need to do more to protect their authentication systems.

Service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach.

As ENISA points out, this year alone has seen millions of passwords stolen from organisations ranging from LinkedIn, to Nvidia and EHarmony. This, in turn, has led to the theft of personal information, but also to people's stolen details being used to unlock other accounts too many of us reuse passwords across different services and even to attack other websites.

This has prompted ENISA to offer guidance to service providers on how to improve their password and authentication security.

The first step is to ensure all passwords are encrypted: this might sound obvious, but apparently not all service providers do this. Then, providers need to look in more detail at the cryptography they use.

Freely available password dictionaries, along with the fact that so many users use easy to guess passwords 123456 anyone? are making it too easy for hackers to work out some of the older cryptographic hashes, and unscramble all the passwords. But service providers also need to bolster their data leak prevention, to stop cyber criminals stealing the master password data in the first place.

Providers also often lack sufficiently strong password policies, including renewal frequencies, complexity and minimum length. Systems that need a higher degree of security should be equipped with two-factor authentication, for additional protection.

ENISA also argues that all service providers should notify users in the event of a data breach; currently, only telecoms providers have to do this under EU law. This will help users to protect themselves, and build up a better picture of breaches for the security agencies.

And service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach. Users could, for example, use password management software to help.

But, as the agency points out, this is of little use if companies themselves fail to realise that passwords are a valuable commodity, and treat them as such. Organisations that allow users to create accounts that hold personal data do, after all, have a special responsibility to ensure that that information is protected at both ends of the system.

Stephen Pritchard is a contributing editor at IT Pro

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021
Report: Security staff excluded from app development
cyber security

Report: Security staff excluded from app development

20 Jan 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

20 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021