Yet another hack – passwords (and storing them) fail again

Last updated: 21 March 2014

After the LinkedIn debacle, it’s depressing, though not entirely surprising, to see yet more reports of large-scale hacks, this time Yahoo! losing 400,000 usernames and passwords to anonymous hackers.

It seems amazing to us, working as we do in the security industry, that the passwords were stored in plaintext with absolutely no form of encryption. This is a huge mistake and should never be the case in a modern enterprise… especially one that operates entirely online.
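The control that would have made the Yahoo! dump useless to its thieves is the way each password is stored: not the plaintext, and not a reversibly encrypted copy either, but a per-user salted hash produced by a deliberately slow key-derivation function, so that the table cannot be turned back into passwords. The following is an added example, not code from the original post or from Yahoo!; it uses only the Python standard library (PBKDF2-HMAC-SHA256), and the user table and passwords in it are constructed.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 from the standard library. The iteration count is
# written into each record so the policy can be raised later without
# invalidating existing users: they are re-hashed on their next good login.
HASH_NAME = "sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
RECORD_PREFIX = "pbkdf2_" + HASH_NAME
DUMMY_SALT = b"\x00" * SALT_BYTES  # only used to equalise timing for unknown users


def store_hashed(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: prefix$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be cracked with a single
    precomputed lookup that covers everyone at once.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{RECORD_PREFIX}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != RECORD_PREFIX:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, policy_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record is malformed or was made below the current iteration policy."""
    parsed = parse_record(record)
    return parsed is None or parsed[0] < policy_iterations


def login(users: dict, name: str, password: str,
          policy_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Check a login against the user table and transparently upgrade weak records."""
    record = users.get(name)
    if record is None:
        # Spend the same work for an unknown user so response time does not
        # reveal which account names exist.
        hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), DUMMY_SALT,
                            policy_iterations, dklen=KEY_BYTES)
        return False
    if not verify_hashed(password, record):
        return False
    if needs_rehash(record, policy_iterations):
        users[name] = store_hashed(password, policy_iterations)
    return True


if __name__ == "__main__":
    # Constructed sample table, not real accounts.
    users = {"alice": store_hashed("correct horse battery staple")}
    print(users["alice"])  # what an attacker would see in a dump
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))  # False
```

The record format carries its own parameters, so a deployment that later raises `DEFAULT_ITERATIONS` keeps working for old records and silently upgrades them through `login`; the constant-time comparison in `verify_hashed` and the equal-cost path for unknown users are the two details most often forgotten in home-grown implementations.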

We provide considerable guidance on the internal controls an organization should follow if it wants the security it needs to conduct its business. If a company wants to provide even stronger security, it should offer its customers the ability to move away from static passwords, which are notoriously insecure, especially if they remain unchanged.

It would be best for companies like Yahoo! to follow the model of businesses like Amazon Web Services, which gives users the ability to safeguard themselves and their data through strong authentication. It is impossible to hack a password when you are using a one-time password or other advanced authentication options, which are widely available in the market today.
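What makes a one-time password different from the static passwords that leaked is that each code is derived from a shared secret plus a moving counter (here, the current 30-second time step), so a code seen once is worthless a moment later. The following added example, not code from the original post or from any vendor named in it, implements the open standards behind most OTP tokens and authenticator apps (HOTP, RFC 4226, and TOTP, RFC 6238) in the Python standard library, including the two server-side details that matter in practice: tolerating a little clock drift, and refusing to accept the same code twice. The 20-byte secret in the demo is the published RFC test secret, not a real key.

```python
import base64
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, at_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check of a submitted code.

    Returns the time-step counter the code matched, or None. Accepts +/- `window`
    steps of clock drift, but never a counter at or below `last_counter`, so a
    code that has already been accepted cannot be replayed within its window.
    The caller persists the returned counter as the user's new `last_counter`.
    """
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        expected = hotp(secret, candidate, digits).encode("ascii")
        if hmac.compare_digest(expected, submitted.encode("ascii", "replace")):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 form that authenticator apps and QR codes carry (padding optional)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * ((-len(cleaned)) % 8))


def enrol() -> tuple:
    """Generate a fresh 160-bit secret and its base32 form for the user's device."""
    secret = os.urandom(20)
    return secret, base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 test secret, used here only to show the values; not a real key.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code)
    print("first use   :", verify_totp(demo_secret, code, now))                      # the step counter
    print("replay      :", verify_totp(demo_secret, code, now, last_counter=now // 30))  # None
```

Note that `verify_totp` compares every candidate with `hmac.compare_digest` and compares against the stored `last_counter` before it even computes a code, so the replay check cannot be bypassed by submitting a drifted but already-used value.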

Companies of all sizes need to align with best practices for securing the network and the data stored within it. Better data encryption and verified access rights would add another layer of protection here.

A best practice layered security approach involves three key areas:

1. Strong identity control – one of the first areas of cyber defence is ensuring you know exactly who is accessing specific resources on the network. This means implementing security controls that strengthen online identity, including additional factors of identification. Commonly referred to as strong authentication, this access control requires users to present something they have (a smart identity card or USB device), something they know (a passphrase or PIN) and, if available, something they are (a biometric detail such as a fingerprint).

2. Network-based access control – working from defined roles, these tools segment the network to ensure only authorized personnel are allowed access to the appropriate areas of the network; all others are blocked. This is also an area where step-up authentication can be used: a person enters through a low-security area of the network, but when they try to access a more secure area they are prompted for additional authentication attributes (a second identity factor, for example).

3. Data encryption for stored information – all data stored on a network server should be encrypted to ensure that even if the data is accessed, it is unusable.
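Points 1 and 2 combine into a single access decision: the network zone a request targets determines both which roles may enter and how many distinct identity factors the session must have proven, and a session that has the right role but too few factors is not denied but prompted to step up. The following added example (not code from the original post; the zone names, roles and policy table are constructed for illustration) shows that decision logic, including the detail that a second password is not a second factor because it belongs to the same "something you know" category.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """Categories of identity evidence; two proofs from one category still count as one factor."""
    KNOW = "something you know"   # passphrase or PIN
    HAVE = "something you have"   # smart card, USB token, OTP device
    ARE = "something you are"     # biometric, e.g. fingerprint


class Zone(Enum):
    PUBLIC = "public"             # low-security entry area
    INTERNAL = "internal"
    RESTRICTED = "restricted"     # e.g. where stored customer data lives


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up required"
    DENY = "deny"


# Constructed policy: (roles a zone admits, distinct factors it demands).
ZONE_POLICY = {
    Zone.PUBLIC: ({"staff", "contractor", "admin"}, 1),
    Zone.INTERNAL: ({"staff", "admin"}, 1),
    Zone.RESTRICTED: ({"admin"}, 2),
}


@dataclass
class Session:
    user: str
    role: str
    factors: set = field(default_factory=set)  # set of Factor, so duplicates collapse


def authorize(session: Session, zone: Zone) -> Decision:
    """Role segmentation first (DENY), then factor strength (STEP_UP), else ALLOW."""
    allowed_roles, min_factors = ZONE_POLICY[zone]
    if session.role not in allowed_roles:
        return Decision.DENY
    if len(session.factors) < min_factors:
        return Decision.STEP_UP
    return Decision.ALLOW


def present_factor(session: Session, factor: Factor, verified: bool) -> Session:
    """Record a factor only after its verifier (password check, OTP check, ...) succeeded."""
    if verified:
        session.factors.add(factor)
    return session


def scenario() -> list:
    """The step-up story from the post: enter through the low-security area with a
    password, hit the restricted area, get prompted, and satisfy the prompt with a
    distinct second factor. Returns the sequence of decisions as strings."""
    admin = Session("alice", "admin")
    present_factor(admin, Factor.KNOW, verified=True)
    steps = [authorize(admin, Zone.PUBLIC), authorize(admin, Zone.RESTRICTED)]
    present_factor(admin, Factor.KNOW, verified=True)   # another password: same category
    steps.append(authorize(admin, Zone.RESTRICTED))
    present_factor(admin, Factor.HAVE, verified=True)   # OTP token: a genuinely distinct factor
    steps.append(authorize(admin, Zone.RESTRICTED))
    return [s.value for s in steps]


if __name__ == "__main__":
    for decision in scenario():
        print(decision)
```

Evaluating role before factor count matters: a contractor with three factors is still denied the internal zone, and the step-up prompt is only ever shown to someone the policy would otherwise admit, so it does not leak which zones exist to sessions that have no business there.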

It is critical to have a 360-degree view of your data protection, as this case clearly shows – particularly on the last point. Only then can we start to avoid hacks and security breaches affecting the everyday user.