Will Tech Industry Ever Fix Passwords?

What LinkedIn and other recent breaches tell us about widespread security risks as we embrace social media and cloud applications in the enterprise.


5 Things Consumers Should Do to Strengthen Passwords

  1. Never share passwords with anyone, not even your spouse. Even if you trust the person completely, do you trust that they'll never be lured by a spear phishing attack that may have you as the actual target?
  2. Don't reuse passwords, and rely only on strong passwords, meaning long passwords with numbers, capital letters and special characters. You can either develop mnemonic tricks to remember these, or use password management tools like 1Password or LastPass.
  3. Turn on enhanced authentication and security when it's available. For instance, Facebook, Google and others offer enhanced security features, such as SMS notifications if an unknown device attempts to access your account.
  4. Use tools you already have, such as time-outs and screen locks on mobile phones.
  5. Pay attention to your social interactions. Be careful not to broadcast your date of birth, anniversary, name of your high school or other identifying factors that could allow hackers to pass through challenge questions.

5 Things Businesses Should Do to Strengthen Authentication

  1. Have strong protections in place for any user credentials. At a minimum, passwords should be hashed (run through a one-way function so the plain text itself is never stored) and the databases encrypted. Better still, "salt" passwords by adding a random string to each one before hashing and storing it.
  2. Require that users create strong, long passwords.
  3. Offer enhanced account protections, such as SMS warnings when a user's account is accessed from a suspect IP address or unknown device.
  4. Embrace multifactor authentication. If it is not a compulsory mechanism, at least start rolling it out in stages, starting with your most sensitive applications and highest-risk end users.
  5. Conduct regular audits and security reviews.

10 Steps to Clean up after a Breach

The steps below come from a senior executive at a Fortune 100 financial institution, who prefers to remain anonymous. CIO.com asked him what he would do if he were asked to clean up after a LinkedIn-scale breach.

Keep in mind that the financial industry has many more regulations in place than most sectors, but his advice applies broadly.

  1. Realize that it's important to understand the breach in detail. The goal is to figure out exactly why it happened and how to prevent it, not to assign blame.
  2. Interview all stakeholders (network, security, system and business) to understand the root causes better.
  3. Fix the problem, obviously, but move beyond tactical decisions to form a strategic security plan for the future.
  4. Communicate the situation clearly to end users. Then, develop a plan for ongoing training.
  5. Embrace stronger credential storage and encryption practices, including migration to SHA-512 with salting.
  6. Migrate to multi-factor authentication for B2B applications and internal users.
  7. For consumer-facing applications and guests or partners, consider offering enhanced account protections, such as notifying consumers if their account has been accessed from an unusual IP address or an unknown device.
  8. Review and build better network zoning, including upgraded firewalls, IPSs, routers, etc.
  9. Enhance the software development lifecycle. This includes practices like periodic internal and external audits and security reviews, as well as ongoing monitoring and detection of unusual patterns.
  10. Share your experiences and help standards bodies develop standards for authentication, identity enforcement, digital signatures and so on.

Jeff Vance is a Los Angeles-based freelance writer who focuses on next-generation technology trends. Follow him on Twitter @JWVance.


Copyright © 2012 IDG Communications, Inc.
