Keeping Passwords Out of the Hands of Hackers
Could your business be the next one hit by hackers hungry for passwords?
After non-stop news of hacker break-ins at LinkedIn, eHarmony and other online sites resulting in millions of leaked passwords, you may be wondering if your business is any better prepared or protected. It's a good question, given the risks. Stolen passwords that give intruders access to your systems can lead to costly scams and fraud, wreck your company's reputation, prompt customer defections and spawn significant cleanup costs.
Few companies store passwords properly, even though doing so usually isn't difficult, security experts say. Most Web developers are not schooled in current best practices and fail to implement sufficiently strong security technologies. Often, they neglect security or plan to add it later, says Aleksandr Yampolskiy, chief technology officer at New York-based Cinchcast, a webcasting startup, and former head of security at Gilt Groupe, a luxury shopping site. "The problem is later almost never comes," he says.
If a weak password system is put in place early in a company's life, it often remains untouched as the company grows into, say, a social-networking juggernaut. By then, the company's technology infrastructure has become more complex and costly to retrofit, leading to still more delays.
"Hopefully new companies starting out now will take a lesson from LinkedIn, and they'll build their password storage correctly," says Chris Wysopal, chief technology officer at Veracode, a Burlington, Mass., Web security firm.
Luckily, being an entrepreneur has advantages if you need to make password storage more secure. The task is "easier for small companies because they have less complex systems, they have fewer users to worry about," says Johannes B. Ullrich, chief research officer at the SANS Technology Institute, a network-security training provider. Startups with a clean slate can accomplish it in five minutes.
Here are some precautions you can take to fortify your company against password thieves:
Secure your website.
Most password thefts begin with an attack on the victim company's website. Have your site checked by a Web security expert for software vulnerabilities and coding errors that create pathways to your password database, or scan it for flaws yourself and fix anything amiss.
Store passwords safely.
Should a hacker get into your site, your best defense is passwords that are strongly protected so that cracking them would be painfully slow or nearly impossible, Ullrich says. Companies should "hash" passwords by running them through a one-way algorithm and store only the resulting "hashed" version, never the password itself. During that process, they should also add "salt," random data unique to each password, to further complicate efforts to crack them. It also helps to require users to set long and complex passwords, which can be significantly more difficult to guess than short or common passwords.
Unfortunately, many companies hash passwords using obsolete encryption technologies, such as SHA-1 from the 1970s. (LinkedIn used SHA-1 without salt.) SHA-1, MD5 and other still popular technologies were cracked by hackers long ago and offer little protection, experts say.
Companies ought to be using hashing methods designed for passwords, such as the free open source Bcrypt, which runs passwords through its algorithm many times so that cracking them can literally take years. While this makes each hash slow to compute, it only has to be done when a user creates or changes a password, or logs in.
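To make the contrast in the last three paragraphs concrete, here is an added example (not code from the article or from any of the companies named in it). It places the weak scheme, a single unsalted SHA-1 pass, beside a salted, iterated password hash. Because Bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 with a high iteration count stands in for it; the stored-record format, the iteration count and the salt length are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example: a high work factor plus a 16-byte random salt.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The weak scheme the article warns about: one SHA-1 pass, no salt.
    Every user with the same password gets the same digest, so one cracked
    hash (or one precomputed table) unlocks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 standing in for Bcrypt).
    The record is self-describing, 'pbkdf2_sha256$<iterations>$<salt>$<digest>',
    so the work factor can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count taken from the stored record
    and compare in constant time so response timing does not leak how many
    bytes of the digest matched. Any malformed record is rejected."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    except ValueError:
        return False


if __name__ == "__main__":
    # Two users who chose the same (constructed) password:
    print(unsalted_sha1("correct horse") == unsalted_sha1("correct horse"))   # True: identical digests
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print(a != b, verify_password("correct horse", a), verify_password("wrong", b))
```

The two calls to `hash_password` with the same input produce different records because each draws its own salt, which is exactly the property the unsalted SHA-1 scheme lacks; the iteration count is what turns a guess from microseconds into milliseconds, and it is paid only at signup and login.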
Consider two-factor authentication.
Some people argue that passwords have had their day and simply need to be replaced with something stronger. That something is "two-factor authentication," which requires something you know (a password) and something you have in your possession. The second factor is often a device that provides a difficult-to-steal, one-time code that users enter along with their password.
If your passwords unlock particularly sensitive information, you may want to consider putting two-factor authentication in place, Wysopal says.
Thanks to Google, implementing two-factor authentication has gotten a lot easier for small companies in recent years. Google lets businesses use OpenID to hand authentication off to its systems for free, which can include its "2-step verification" with a text message to a smartphone. Or companies could implement two-factor authentication themselves using the open source Google Authenticator.
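The one-time codes that Google Authenticator and similar apps produce are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the article, from Google or from the Google Authenticator project: it generates a code from a shared secret and the current time, and shows the server-side check a site would run, accepting one 30-second step either side to tolerate clock drift. The secret and timestamps used in the `__main__` block are the published RFC test values, not a real user's enrolment.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6          # code length shown by authenticator apps
STEP_SECONDS = 30   # time step defined in RFC 6238 and used by Google Authenticator


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of steps since the Unix epoch.
    This is what the app on the phone computes."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check. Rejects anything that is not exactly DIGITS decimal
    characters, then compares against the current step and `window` steps on
    either side (phone clocks drift), using a constant-time comparison."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = at_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect at enrolment."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII digits) and test time, not a real credential.
    rfc_secret = b"12345678901234567890"
    print(provisioning_secret(rfc_secret))
    print(totp(rfc_secret, 59))                    # 287082, matching the RFC vector
    print(verify_totp(rfc_secret, "287082", 59))   # True
    print(verify_totp(rfc_secret, totp(rfc_secret, int(time.time())), int(time.time())))
```

The `window` parameter is the trade-off to watch: a wider window forgives more clock drift but also lengthens how long an intercepted code stays usable, so a site should also refuse to accept the same code twice within that window.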
Put it in writing and verify.
When hiring a Web developer, include password security in your requirements so the developer will have to fix any problems. Ullrich suggests going further and requiring your developer to commit to addressing the top 10 Web application security risks identified by the non-profit group OWASP, which include insecure password storage.
Also, make sure any third-party software you use, such as Web forms and content management systems, has a secure password arrangement. Hire a security expert, even if for a day, to review your password system and other site security measures and make sure they're safe and sound.