In-depth

Protecting passwords is not just down to users

Inside the Enterprise: EU security agency ENISA argues that service providers need to do more to protect our privacy.

Password

A recent report by financial data company Experian suggested that too many internet users do too little to secure their account passwords.

No doubt this is true. But the blame for poor online security does not just lie with end users, according to ENISA, the EU's IT security agency. The agency argues that although users might pick easy-to-break passwords, service providers need to do more to protect their authentication systems.

Service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach.

As ENISA points out, this year alone has seen millions of passwords stolen from organisations ranging from LinkedIn, to Nvidia and EHarmony. This, in turn, has led to the theft of personal information, but also to people's stolen details being used to unlock other accounts too many of us reuse passwords across different services and even to attack other websites.

This has prompted ENISA to offer guidance to service providers on how to improve their password and authentication security.

The first step is to ensure all passwords are encrypted: this might sound obvious, but apparently not all service providers do this. Then, providers need to look in more detail at the cryptography they use.

Freely available password dictionaries, along with the fact that so many users use easy to guess passwords 123456 anyone? are making it too easy for hackers to work out some of the older cryptographic hashes, and unscramble all the passwords. But service providers also need to bolster their data leak prevention, to stop cyber criminals stealing the master password data in the first place.

Providers also often lack sufficiently strong password policies, including renewal frequencies, complexity and minimum length. Systems that need a higher degree of security should be equipped with two-factor authentication, for additional protection.

ENISA also argues that all service providers should notify users in the event of a data breach; currently, only telecoms providers have to do this under EU law. This will help users to protect themselves, and build up a better picture of breaches for the security agencies.

And service providers also need to help users understand the importance of setting strong passwords, and changing them if they are stolen or there is a security breach. Users could, for example, use password management software to help.

But, as the agency points out, this is of little use if companies themselves fail to realise that passwords are a valuable commodity, and treat them as such. Organisations that allow users to create accounts that hold personal data do, after all, have a special responsibility to ensure that that information is protected at both ends of the system.

Stephen Pritchard is a contributing editor at IT Pro

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

What is DevSecOps and why is it important?
Security

What is DevSecOps and why is it important?

30 Oct 2020
Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle
Security

Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

30 Oct 2020
Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020

Most Popular

Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020
Hackers demand ransom from therapy patients after clinic data breach
Security

Hackers demand ransom from therapy patients after clinic data breach

27 Oct 2020