There is nothing new in the European Network and Information Security Agency’s advice. For the user it includes not re-using the same password in multiple accounts; regularly changing online passwords and immediately changing a compromised password; using strong, complex passwords with the help of a password manager; and taking advantage of two-factor authentication wherever it is offered.
For the provider, advice is that passwords should never be stored in plaintext, but always hashed and salted. Strong passwords should be required and enforced. Two-factor authentication, perhaps via a mobile phone, should be offered wherever greater security is required. CAPTCHA mechanisms should be used to prevent automated attacks.
Further preventative advice is offered to providers. This includes “implementing a proper SDLC (Software Development Life Cycle), taking special care of validation methods for inputs, parameters and variables.” And a ‘breach notification’ policy should be implemented.
The problem, however, is that these basic measures are simply not being used. Users do not use strong passwords. When the RedHack group broke into the Ankara Police Department in Turkey earlier this year, it discovered that one of the passwords of the ‘secret police’ was 123456.
And the providers are no better. Tesco is currently being much criticized. It started a couple of months ago when security researcher Robin Wood signed up for an online account. But he “found that they were storing their passwords without hashing them – they either encrypted or just left them in clear text as they were able to email me my password back when I couldn't log in.” The reason he couldn’t log in was that the password he entered, a strong password generated by a password manager, was too strong for the system and had been truncated.
This problem has since been verified by other security professionals. Troy Hunt yesterday published a detailed blog starting from similar circumstances and coming to the same conclusion. Tesco responded on Twitter, "Let me assure you that all customer passwords are stored securely & in line with industry standards across online retailers."
But, “Too many large companies are using bad password policies and are then ignoring the security community when they bring these issues to their attention,” Robin Wood told Infosecurity. “The standard lines are ‘we follow industry best practice’ and ‘we can't discuss our policy as it would weaken our position’.”
The first is wrong, he continued, “as most are being called out because they are not following the best practice and the second is wrong as a good security posture can be open and discussed without weakening it – for example, if they announced they were using Bcrypt with a long random salt then they would not lose any security but would gain respect and trust from users.”
Perhaps, then, that suggestion should be added to ENISA’s advice to providers: be explicit about how you store your customer credentials.
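To make concrete what “hashed and salted” storage looks like in practice, here is an added example written for this page (not code from ENISA, Tesco or the researchers quoted). It uses PBKDF2 from Python’s standard library in place of the bcrypt Wood mentions, and the stored record format is an assumption; it also shows why a provider with such a store cannot email a password back, and that the full password, not a truncated prefix, is what gets verified.

```python
import hashlib
import hmac
import os

# Assumed record layout (not from the article): algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16        # per-account random salt, so equal passwords hash differently


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated one-way hash over the *entire* password; nothing is truncated."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> str:
    """What the provider stores: a fresh random salt plus the hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hash_password(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Constructed in-memory user store standing in for a provider's database.
_users: dict[str, str] = {}


def register(username: str, password: str) -> None:
    _users[username] = make_record(password)


def login(username: str, password: str) -> bool:
    record = _users.get(username)
    return record is not None and verify_password(record, password)
```

Because the record holds only a salt and a one-way hash, a “forgot password” flow can only issue a reset, never reveal the original, which is the property Wood found missing.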