Password Management Month in Review: November 2013
This is the first post of our "month-in-review" series of blogs. In this series, we will be taking a look back at the previous month in the world of password security, password management, multi factor authentication, single sign on, compliance news, and more.
Before we get started, we want to say that we hope all of our U.S. readers had themselves a great Thanksgiving. Holidays like this remind us to take a step back from the day-to-day happenings of our life, and just be thankful: for family, for friends, and for the lives we lead. Here's to finishing out the year a little stronger and a little happier.
The last month or so has been a real whirlwind. In addition to some of the regular password management news, there were some key password breaches that made our stomachs turn. Let's start with those.
The biggest one was the Adobe hack. There's one number you need to remember: 150 million. That is the estimated number of passwords that were uploaded to a database online. For what it's worth, Adobe claims the real number was closer to 38 million, but that's still a pretty big deal if you ask me. As you are all probably aware, people reuse their passwords across multiple sites, so the Adobe breach puts other sites at risk as well.
Worse, the passwords used are a perfect display of bad password policy. The most commonly used password, with 2 million uses, was "123456". The second most commonly used password was "123456789", and the third most commonly used password was "password". You read that right. If you'd like to see the top 100 list, click here.
The next largest was the hack of Cupid Media, a niche dating site conglomerate. Not only did Cupid Media see 42 million passwords get stolen, but also other important identifying information such as names, birthdates, and email addresses. In this breach, another 2 million people had "123456" as their password.
Facebook, Twitter, Gmail, LinkedIn, and Yahoo
The most recent password breach affected 2 million accounts on Facebook, Twitter, Gmail, LinkedIn, and Yahoo. This was an unusual breach because the hackers utilized a botnet, and a series of keyloggers installed on users' computers, in order to catch them in the act of typing in their passwords. Don't worry: if your account was compromised, you would have received an email notifying you. (Pro-tip: if you used the one-time passcode capabilities of multi factor authentication, combined with the simplicity, convenience, and added protection of single sign on, this wouldn't have been a problem.)
The final major breach for the month was Buffer, a social media publishing tool. This was one of the milder hacks of the month, but it illustrates some key password security considerations. Because Buffer used OAuth, which relies on access tokens rather than stored passwords to gain publishing access to the connected social media sites, Buffer was simply able to revoke those tokens. The result was that users simply had to re-authorize their Facebook and Twitter accounts, rather than having to deal with the consequences of stolen passwords.
To top things off, Buffer strengthened their security measures after the breach. In addition to providing stronger encryption, they also rolled out two factor authentication for their users. That gets a big thumbs up from me.
These are simply new examples of an age-old problem. Users will use weak passwords, and use them amongst many different sites. Some of these sites may even be critical systems such as Salesforce or Dropbox. A strong password policy will only get you so far, because some people will choose simplicity over security. As MSPs, your best bet is to roll out a system that provides the best of all worlds: strong security through multi factor authentication, simplicity and convenience through single sign on, and advanced password security management capabilities through credential management, access control, password automation, and password auditing.
Other Password Security News
Security Considerations for 2014
Fred Kost, a contributor over at SC Magazine (a magazine geared towards security IT), wrote an excellent article about security considerations for 2014. He covers three different areas of password security.
- Encryption: many companies will begin using more advanced encryption. This has already happened in 2013 with many providers of email and web applications moving to SSL encryption.
- Bring Your Own Device (BYOD) policies: BYOD has been a major trend for a while, with employees increasingly wanting to be able to use their own devices, rather than corporate-owned devices. However, as many of you may know, BYOD policies create an entire series of password security concerns, as the company has less control over the security used on the devices. While some companies will simply say "no", others will deal with the security concerns given the benefits (shifting device costs to employees, providing easier access to job-critical systems regardless of the device being used, and employee morale/retention).
However, it's vital that a strong BYOD security policy is implemented in order to keep yourself protected. We wrote a long blog post about creating strong BYOD security policies. If you'd like to check it out, simply click here: "10 Steps to Creating and Utilizing a BYOD Security Policy"
- Multi factor authentication: like many other security experts out there in the world of password IT, he believes it is becoming pretty clear that there is a serious need for multi factor authentication. The ability to employ smartphone apps to generate the second form of authentication in MFA (rather than rarely used hardware tokens) will cause an increase in usage.
New PCI Standards Released
For those of you that accept transactions from payment cards, or have clients that do, the Payment Card Industry Data Security Standard (PCI-DSS) is a key piece of regulation. In November, the new standards were released. (For an excellent article on this from PCWorld, click here)
Companies have until December 31st, 2014 to implement most of the new standards. In light of these new standards, I'm preparing an 8-post blog series on PCI and developing a couple of guides and other resources, such as a checklist and glossary. Look for that content to be released starting in January. If you'd like to keep updated on that, subscribe to our blog in the top right.
New HIPAA Compliance Standards Are Expected to Dramatically Decrease Unauthorized Access to Patient Health Information (PHI)
If you've been keeping up with our healthcare IT blog series lately, you know that we have been focusing on HIPAA. We've covered everything from the basics of HIPAA, to providing a full-scale HIPAA compliance checklist.
You would also know that the new HIPAA standards dramatically strengthened the law. One of the primary ways they did this is by increasing the number of parties responsible for compliance. While Covered Entities used to be responsible, now Business Associates are also responsible for HIPAA compliance. If you are an IT service provider that works with companies that have access to Patient Health Information (PHI), this means you.
By increasing the number of parties responsible for compliance, you increase the amount of secured access to PHI, thus decreasing the number of vulnerable entry points that nefarious parties can exploit. Taylor Armerding over at CSO Online talks about this in a really great article.
Like I said, a whirlwind! Some good (stronger standards, a promise of stronger security in 2014) and some bad (huge, scary data breaches). If you're employing password management best practices for yourself (or your clients, if you are an MSP), then most of this probably just reaffirmed what you already know: strong password management systems, with multi factor authentication and single sign on, are future-proof.