European Union cybersecurity agency Enisa has called on service providers and end-users to work together to protect online identities.
Passwords protect sensitive information, yet in the first half of 2012 alone, data breaches have exposed millions of citizens’ personal data including password information, said the European Network and Information Security Agency.
These breaches not only provided access to personal information, but also compromised other password protected services with stolen credentials being reused to attack other web sites, as people often use the same passwords for different accounts.
For users, keeping their passwords safe is vital to avoid identity theft, but online service providers who store usernames and passwords are expected to do the same, the organisation said.
According to Enisa, problems arise when security is compromised at either end of the chain. The organisation is calling on service providers to take actions to better protect sensitive data.
The security agency has published guidelines for online service providers that highlight the importance of storing password information securely, preventing data leaks, checking the efficiency of security controls regularly, and notifying authorities and affected parties of any data breaches.
The organisation believes that notifications about data breaches will contribute in the long term to better data protection.
"End users will receive all relevant information related to incidents involving their personal data, while the competent authorities will have an overview of data leaks in their countries. This will allow them to further enhance guidelines and recommendations for storing and transmitting data," Enisa said.
GUIDELINES FOR SERVICE PROVIDERS:
- Never store a password in plaintext.
- Store only cryptographic versions of the passwords.
- In addition, every password hashing scheme should add a further layer of security by using a salt and multiple iterations over the initial hash, such as salted SHA-256.
- Service providers should defend themselves against common attacks such as SQL injection attacks by implementing a proper SDLC (Software Development Life Cycle), taking special care of validation methods for inputs, parameters and variables.
- Every password-based authentication scheme should rely on a proper password policy enforcing requirements such as minimum length, complexity and renewal frequency, based on the sensitivity of the service provided.
- A more secure online authentication system should rely on a combination of mechanisms which reduces the success rate of an online attack.
- Login attempt throttling mechanisms, such as CAPTCHA and per-source limiting, further increase the security of an online authentication system and prevent automated attacks.
- When providing access to sensitive or critical information, service providers should implement two-factor authentication schemes.
- In cases of personal data breaches, existing European legislation already requires all telecommunications service providers to notify their competent national authorities and the individuals affected.
- The forthcoming reform of the data protection framework will soon introduce a general obligation of notification.
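The first three service-provider guidelines (no plaintext storage, salted hashing, multiple iterations) and the throttling guideline can be illustrated together. The following is an added example written for this article, not code published by Enisa; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the salted, iterated hash, and the iteration count, salt size and throttle limits are values chosen for the example rather than figures from the guidelines. The user store and the login attempts are constructed inline.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Parameters chosen for this example (assumptions, not values from the Enisa guidelines).
ITERATIONS = 100_000   # multiple iterations over the hash slow down offline guessing
SALT_BYTES = 16        # a per-user random salt defeats precomputed tables


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    Only this record is stored; the plaintext password never is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class LoginThrottle:
    """Per-source limit: after max_attempts failures inside the window, reject further attempts."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures: Dict[str, List[float]] = {}

    def _recent(self, source: str, now: float) -> List[float]:
        # Drop failures that fell outside the window and keep the pruned list stored.
        recent = [t for t in self._failures.get(source, []) if now - t < self.window]
        self._failures[source] = recent
        return recent

    def allowed(self, source: str, now: float) -> bool:
        return len(self._recent(source, now)) < self.max_attempts

    def record_failure(self, source: str, now: float) -> None:
        self._recent(source, now).append(now)

    def record_success(self, source: str) -> None:
        self._failures.pop(source, None)


# Record verified when the username is unknown, so unknown and wrong-password
# attempts take the same time (constructed value for this example).
DUMMY_RECORD = hash_password("dummy", b"\x00" * SALT_BYTES)


def attempt_login(store: Dict[str, str], throttle: LoginThrottle, username: str,
                  password: str, source: str, now: Optional[float] = None) -> str:
    """Return 'throttled', 'ok' or 'bad_credentials' for one login attempt from `source`."""
    if now is None:
        now = time.monotonic()
    if not throttle.allowed(source, now):
        return "throttled"
    record = store.get(username)
    known = record is not None
    ok = verify_password(password, record if known else DUMMY_RECORD) and known
    if ok:
        throttle.record_success(source)
        return "ok"
    throttle.record_failure(source, now)
    return "bad_credentials"


if __name__ == "__main__":
    # Constructed user store: only hashed records are kept.
    users = {"alice": hash_password("correct horse battery staple")}
    throttle = LoginThrottle(max_attempts=3, window_seconds=60.0)
    print(users["alice"])
    for pw in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(pw, "->", attempt_login(users, throttle, "alice", pw, "10.0.0.1"))
```

The fourth attempt in the usage block is rejected as throttled even though the password is right, because the three preceding failures from the same source fall inside the window; a legitimate user who waits out the window logs in normally, while an automated guesser is held to a few tries per window.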
GUIDELINES FOR END-USERS:
- Do not reuse the same password for multiple accounts, as attackers often try to re-use compromised passwords to access other services.
- If a password is stolen, it must immediately be changed.
- Use complex passwords longer than 8 characters which contain alpha-numeric and special characters.
- A long password does not mean it is hard to remember: four random common words mixed with special characters make a password strong and easy to remember.
- Change passwords for online accounts regularly.
- Make use of password managers.
- Take advantage of service providers that offer two-factor authentication.