This week’s article, which is part of our new weekly series, “Cyber Insurance Compliance Insights from FTC Investigations,” will reflect on why it is important for companies to require secure passwords and authentication.
Our weekly blog series is a spinoff of the FTC’s new “Stick with Security: Insights into FTC Investigations” series. Each week we recap the FTC’s latest data security insights and explain how the measures it describes can help companies demonstrate cyber insurance compliance. For companies looking to obtain cyber insurance, it is essential to be able to effectively demonstrate that they have implemented baseline security measures.
Insist on Long, Complex and Unique Passwords
According to the FTC, a password’s very reason for being is to be easy for a user to remember, but hard for a fraudster to figure out. Obvious choices like ABCABC, 121212, or qwerty are the digital equivalent of a “hack me” sign.
Based on recent data, experts have determined that passphrases or longer passwords are generally harder to crack. Interestingly enough, NIST has recently updated its guidance on passwords. In NIST’s terminology, a Memorized Secret authenticator, commonly referred to as a password or, if numeric, a PIN, is a secret value intended to be chosen and memorized by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. A memorized secret is something you know.
NIST advises that memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. NIST also advises against storing password hints that may be accessible to an unauthenticated claimant. For example, password verifiers should not prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets. Also be sure, when you install software, applications, or hardware on your network, computers, or devices, that you change the default password immediately. I’ve had a client who experienced a data breach due to a default password that was never changed in their software installation on their client’s site. It is also a good best practice to educate your employees on password hygiene and your company’s password management policy.
Store Passwords Securely
While it should go without saying, there’s no point in having a password if it’s on a Post-it note hanging above your screen. A company’s first line of defense against data thieves is a workforce trained to keep passwords secret. The FTC advises companies to train staff not to disclose passwords in response to phone calls or emails, including ones that may appear to be coming from a colleague.
Nonetheless, these types of incidents occur daily, and they can be avoided with best practices in place. In addition, the FTC advises companies to make it difficult for data thieves to turn a lucky password guess into a catastrophic breach of your company’s most sensitive data by implementing policies and procedures to store credentials securely.
As it relates to cyber insurance, there will certainly be questions about the types of policies and procedures your company has implemented to ensure that its most sensitive data is secured. NIST goes one step further in advising that password verifiers should store passwords in a form that is resistant to offline attacks. It states that passwords should be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs and generate a password hash from them; the salt makes each stored hash unique even for identical passwords, and the cost factor makes each guess expensive for an attacker who steals the database.
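To make the salt-plus-cost-factor idea concrete, here is an added example of a password verifier written for this article (it is not code from the FTC or NIST material, and the iteration count and record format are constructed choices). It stores each password as a self-describing record containing the algorithm, the cost factor, a random salt and the derived hash, verifies a login in constant time, and detects records whose cost factor has fallen behind the current policy so they can be re-hashed at the user’s next login.

```python
import hashlib
import hmac
import os

# Cost factor for PBKDF2-HMAC-SHA256. The value is a constructed example: tune it
# so a single derivation is acceptably slow for your login path, because that
# same slowness is what an offline guesser pays per candidate password.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker cost factor than current policy."""
    try:
        algorithm, stored_iterations, _salt, _hash = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("valid login:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
```

Because the salt and cost factor travel inside the record, the verifier can raise the iteration count later without invalidating existing accounts: verify the old record, and if `needs_rehash` reports true, store a fresh `hash_password` result while the plaintext is still in hand.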
Guard Against Brute Force Attacks
In brute force attacks, hackers use automated programs to systematically guess possible passwords. A good best practice is to limit the number of failed login attempts allowed per account, which accommodates a user who has forgotten or mistyped a password while greatly reducing the chances of a successful brute force attack.
FTC Provided Example: A company sets up its system to lock a user out after a certain number of incorrect login attempts. That policy accommodates the employee who mistypes her password on the first try, but types it correctly on the second, while guarding against malicious brute force attacks.
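The FTC’s example, worked through as an added code sample written for this article (not code from the FTC): a small login guard that counts failed attempts per account and locks the account for a period once the limit is reached. The limit of five attempts, the fifteen-minute lockout, the user store and the injectable clock are all constructed for illustration.

```python
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5     # constructed policy values, not from the article
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LoginGuard:
    """Wraps a credential check with per-account failure counting and lockout."""

    def __init__(self, check_credentials, max_failed=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self._check = check_credentials   # callable(username, password) -> bool
        self._max_failed = max_failed
        self._lockout_seconds = lockout_seconds
        self._clock = clock               # injectable so tests can move time forward
        self._accounts = {}

    def attempt(self, username: str, password: str) -> str:
        # Unknown usernames get a counter too, so the response does not reveal
        # whether the account exists.
        state = self._accounts.setdefault(username, AccountState())
        now = self._clock()
        # A locked account rejects every attempt, correct password included,
        # until the lockout expires; that is what stalls an automated guesser.
        if state.locked_until > now:
            return "locked"
        if self._check(username, password):
            state.failed_attempts = 0     # the employee who mistyped once, then got it right
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self._max_failed:
            state.locked_until = now + self._lockout_seconds
            state.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed user store with a plaintext comparison for brevity; a real
    # verifier would compare against a salted hash instead.
    users = {"alice": "correct horse battery staple"}
    guard = LoginGuard(lambda u, p: users.get(u) == p)
    print(guard.attempt("alice", "wrong"))                         # denied
    print(guard.attempt("alice", "correct horse battery staple"))  # ok
```

The lock is checked before the credentials, so a correct password supplied during the lockout window still returns `locked`; the lockout should also be logged, since a burst of locked accounts is one of the clearest signals of an automated guessing campaign.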
Protect Sensitive Accounts with More than Just a Password
Passwords by themselves are no longer enough: attackers have been, and will continue to be, able to get past accounts and networks protected by a password alone. Today, consumers and employees often reuse usernames and passwords across different online accounts, making those credentials extremely valuable to remote attackers. The FTC advises that companies should combine multiple authentication techniques for accounts with access to sensitive data.
Protect Against Authentication Bypass
This type of attack enables an unauthorized party to skip the password login process and go directly to a password-protected network or web application, typically by requesting an internal page’s address directly. To prevent this kind of bypass, it is essential that every single page checks that the user has been authenticated, rather than assuming that a user who has reached a given page must have been authenticated earlier.
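The difference between checking on every page and checking only at the entry point, shown in an added example written for this article (not code from the FTC or from any particular framework). The routes, session store and request shape are constructed. `dispatch_flawed` only checks the session on the entry page, so a request straight to the export page succeeds without ever logging in; `dispatch` performs the check once for every request, with public pages listed explicitly, so no page can be reached by guessing its address.

```python
import secrets

# Constructed in-memory session store: token -> username.
SESSIONS = {}


def create_session(username: str) -> str:
    token = secrets.token_urlsafe(32)   # unguessable session identifier
    SESSIONS[token] = username
    return token


def login_page(request, user):
    return 200, "login form"


def reports_page(request, user):
    return 200, f"reports for {user}"


def export_page(request, user):
    return 200, f"export for {user}"


ROUTES = {
    "/login": login_page,
    "/reports": reports_page,
    "/reports/export": export_page,   # reachable by address without visiting /reports first
}
PUBLIC_PATHS = {"/login"}             # every path not listed here requires a session


def dispatch_flawed(path: str, request: dict):
    """The pattern the FTC warns about: only the entry page checks authentication."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    user = SESSIONS.get(request.get("session_token"))
    if path == "/reports" and user is None:   # /reports/export is never checked
        return 302, "/login"
    return handler(request, user)


def dispatch(path: str, request: dict):
    """Authentication is enforced in one place for every request (deny by default)."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    user = SESSIONS.get(request.get("session_token"))
    if path not in PUBLIC_PATHS and user is None:
        return 302, "/login"
    return handler(request, user)


if __name__ == "__main__":
    print("flawed, no session:", dispatch_flawed("/reports/export", {}))
    print("fixed, no session: ", dispatch("/reports/export", {}))
    token = create_session("alice")
    print("fixed, logged in:  ", dispatch("/reports/export", {"session_token": token}))
```

Putting the check in the dispatcher rather than in each handler means a newly added page is protected unless someone deliberately adds it to `PUBLIC_PATHS`, which is the safer failure mode; unauthenticated requests that reach protected paths are also worth logging, since they are the signature of someone probing for exactly this weakness.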
Please be sure to check back next week for more Cyber Insurance Compliance Insights from FTC Investigations.