Keeping Passwords Out of the Hands of Hackers Password thefts at LinkedIn, eHarmony are a cautionary tale for other companies.

By Riva Richmond

entrepreneur daily

Opinions expressed by Entrepreneur contributors are their own.

Keeping Passwords Out of the Hands of Hackers

Could your business be the next one hit by hackers hungry for passwords?

After non-stop news of hacker break-ins at LinkedIn, eHarmony and other online sites resulting in millions of leaked passwords, you may be wondering if your business is any better prepared or protected. It's a good question, given the risks. Stolen passwords that give intruders access to your systems can lead to costly scams and fraud, wreck your company's reputation, prompt customer defections and spawn significant cleanup costs.

Few companies store passwords properly, even though doing so usually isn't difficult, security experts say. Most Web developers are not schooled in current best practices and fail to implement sufficiently strong security technologies. Often, they neglect security or plan to add it later, says Aleksandr Yampolskiy, chief technology officer at New York-based Cinchcast, a webcasting startup, and former head of security at Gilt Groupe, a luxury shopping site. "The problem is later almost never comes," he says.

If a weak password system is put in place early in a company's life, it often remains untouched as the company grows into, say, a social-networking juggernaut. By then, the company's technology infrastructure has become more complex and costly to retrofit, leading to still more delays.

"Hopefully new companies starting out now will take a lesson from LinkedIn, and they'll build their password storage correctly," says Chris Wysopal, chief technology officer at Veracode, a Burlington, Mass., Web security firm.

Related: Free Tools for Improving Online Security

Luckily, being an entrepreneur has advantages if you need to make password storage more secure. The task is "easier for small companies because they have less complex systems, they have less users to worry about," says Johannes B. Ullrich, chief research officer at the SANS Technology Institute, a network-security training provider. Startups with a clean slate can accomplish it in five minutes.

Here are some precautions you can take to fortify your company against password thieves:

Secure your website.
Most password thefts begin with an attack on the victim company's website. Have your site checked by a Web security expert for software vulnerabilities and coding errors that create pathways to your password database, or scan it for flaws yourself and fix anything amiss.

Store passwords safely.
Should a hacker get into your site, your best defense is passwords that are strongly encrypted so that cracking them would be painfully slow or nearly impossible, Ullrich says. Companies should "hash" passwords using a strong encryption technology, or mash it with an algorithm, and store only the resulting "hashed" version. During that process, they should also add "salt," or additional random data, to each password to further complicate efforts to crack them. It also helps to require users to set long and complex passwords, which can be significantly more difficult to guess than short or common passwords.

Unfortunately, many companies hash passwords using obsolete encryption technologies, such as SHA-1 from the 1970s. (LinkedIn used SHA-1 without salt.) SHA-1, MD5 and other still popular technologies were cracked by hackers long ago and offer little protection, experts say.

Related: Three Tech Tools for Keeping Sensitive Business Data Safe

Companies ought to be using encryption methods designed for passwords, such as the free open source Bcrypt, which runs passwords through an encryption algorithm many times so that cracking them can literally take years. While this can be time consuming, it only has to be done when a user creates or changes a password.

Consider two-factor authentication.
Some people argue that passwords have had their day and simply need to be replaced with something stronger. That something is "two-factor authentication," which requires something you know (a password) and something you have in your possession. The second factor is often a device that provides a difficult-to-steal, one-time code that users enter along with their password.

If your passwords unlock particularly sensitive information, you may want to consider putting two-factor authentication in place, Wysopal says.

Thanks to Google, implementing two-factor authentication has gotten a lot easier for small companies in recent years. Google allows businesses to use OpenID to connect to its systems for free for authentication, which can include "2-step verification" with a text message to a smartphone. Or companies could implement this two-factor authentication themselves using the open source Google Authenticator.

Related: How to Repair a Damaged Reputation Online

Put it in writing and verify.
When hiring a Web developer, include password security in your requirements so the developer will have to fix any problems. Ullrich suggests going further and requiring your developer to commit to addressing the top 10 Web application security risks identified by the non-profit group OWASP, which include insecure password storage.

Also, make sure any third-party software you use, such as Web forms and content management systems, has a secure password arrangement. Hire a security expert, even if for a day, to review your password system and other site security measures and make sure they're safe and sound.

Riva Richmond is a freelance journalist who has covered technology for more than a decade. She focuses on computer security, privacy, social networking and online business and has written for The New York Times, The Wall Street Journal and other national publications. Previously, Riva was a technology reporter at Dow Jones Newswires and regular contributor to The Journal's "Enterprise" small business column.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Business News

Woman Goes Viral After Recording Her Disastrous Call With HR After Being Let Go: 'They Tried to Gaslight You'

Brittany Pietsch posted a nine-minute-long clip of her firing from Cloudflare on TikTok, and it went viral. The company's CEO responded on X — and also went viral.

Data & Recovery

Give Your Website a Security Boost with Windows Servers 2022 for $39

There are two installations from which to choose: Sever Core or Server with desktop experience.

Starting a Business

I Was a 25-Year-Old Nurse When I Started a Side Hustle to Combat Anxiety. It Made $1 Million in 7 Months — Then Sold for a Life-Changing Amount.

Sarah Michelle Boes knew there had to be a better way to prepare for her stress-inducing nurse practitioner's exam — so she created it.

Business News

Dell Reportedly Told Remote Employees to Come Back to the Office or Forgo the Chance to Be Promoted

Dell laid off 5% of its workforce, around 6,650 workers, in February 2023.

Business News

MacKenzie Scott Donates $640 Million to Non-Profits After Elon Musk's 'Ex-Wife' Comment on X

The winning applicants span 38 states, Washington, D.C., and Puerto Rico.