On August 11, 2017, the FTC released its third “Stick with Security” principle, which touched on the necessity of strong authentication practices. Secure passwords and fortified authentication practices make it that much harder for hackers to “bluff” their way into a company’s computer network. The FTC gives five tips on how businesses can safeguard their networks:
Insist on Long, Complex, and Unique Passwords
It may seem obvious, but passphrases or longer passwords are generally harder to crack. Companies should think through their standards, implement minimum requirements, and educate personnel on how to create strong passwords. When installing software, applications, or hardware on a network, computers, or devices, change the default password immediately. If companies require customers to use a password to access their products, ensure that customers are prompted to change the default password.
Store Passwords Securely
A strong password is only effective if personnel keep it private, and a compromised password is especially dangerous when it serves as the gateway to even more sensitive information. The FTC recommends that companies train staff not to disclose passwords in response to phone calls or e-mails, particularly if those calls or e-mails appear to come from “colleagues.” Additionally, companies should store user credentials and passwords in secure forms (an unencrypted Word document with all of this information stored in one place on a network would be an example of what not to do!).
Guard Against Brute Force Attacks
A brute force attack is when hackers use automated programs to systematically guess possible passwords. To guard against this, companies can set-up a system that suspends or disables user credentials after a predetermined number of unsuccessful login attempts.
Protect Sensitive Accounts with More than Just a Password
Even if companies implement the first three tips, risk may still exist. Consumers and employees alike tend to reuse usernames and passwords for different accounts; those credentials become valuable to remote attackers when sold on the dark web and used to perpetrate “credential stuffing attacks” – when hackers automatically, and on a large scale, input stolen information into various internet sites to see if any of them work. To combat credential stuffing attacks, companies should combine multiple authentication techniques before access is granted, such as: authentication apps that require a customer to input a verification code, two-factor authentication where a code is generated by text or voice call, or requiring employees to log-in to a virtual private network when working remotely.
Protect Against Authentication Bypass
Simply put, motivated hackers will stop at nothing. Companies must recognize that any (virtual) point of entry is one that can be used to gain access to a data network or confidential information. For example, a company’s website should require a customer to input a username and password to make a portal available that stores personal information. If a hacker has the customer’s URL to that particular portal, knowledge of the username and password is not necessary. Companies should implement policies that require a customer’s log in credentials to be entered again in such situations.