Air Canada was hacked because of a vulnerability within their application API, but what’s getting more attention is their “antiquated password policies” as described in news coverage of the breach. If your business has a mobile or web app, customer portal, active directory, or anything else requiring staff or clients to have account credentials, there is something to learn from this incident.
Here are six surprisingly simple ways to ensure you have solid (or at least non-antiquated) password policies:
1) Require Multi-factor Authentication
Sign-ins that require a password should always have multi-factor authentication enabled. By doing so, you ensure that even if the password is compromised, new devices are unable to access the account without a separate verification code sent to a known device (like the user’s mobile phone).
2) Include Complexity Requirements
Requiring passwords to meet a minimum complexity is nothing new. There are multiple ways to ensure your users’ passwords are complex:
Length: Set a minimum password length; the longer the password, the harder it is to compromise. It is also helpful to set a maximum length, so that you are not spending cycles resetting passwords that were too long for users to remember.
Character Type: Require passwords to contain characters of different types. Lowercase letters, uppercase letters, numbers, and symbols should each be required to ensure greater complexity.
Sequential Characters: Disallow passwords made of characters in a sequence, such as 12345 or qwerty. Such passwords were once typical and are easy to guess.
Non-identifiable: Prevent users from choosing the most common passwords (like password) or passwords that contain their account name or login. While these may be easier for them to remember, they are also easier to compromise.
3) Score Complexity, Show the User, Restrict Low Scores
Even if you don’t require each of the guidelines above, showing users the complexity score of their password encourages them to comply. You could also accept only passwords that reach a certain score. Setting that threshold above the minimum the rules above already guarantee means users end up creating passwords that are even more secure.
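A checker for the rules in sections 2 and 3, added here as an example (it is not code from the post or from IntelliGO). The block list, keyboard rows, length limits, point values and the 6-point scale are assumptions; the acceptance threshold of 6 is deliberately set one point above what the hard rules alone guarantee, so a fully compliant 12-character password still shows a score but is not accepted.

```python
import re
import string
# Constructed sample block list; a real deployment would load a large corpus
# of breached/common passwords instead of this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH, MAX_LENGTH = 12, 64   # assumed values for the post's length rules
ACCEPT_SCORE = 6                  # assumed threshold, above the rules' minimum of 5

def has_sequence(pw, run=4):
    """True if `run` consecutive characters form an ascending/descending run
    (e.g. 'abcd', '4321') or a keyboard-row run (e.g. 'qwer', 'rewq')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        codes = [ord(c) for c in chunk]
        if {b - a for a, b in zip(codes, codes[1:])} in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def evaluate_password(pw, username):
    """Apply the post's complexity rules; return (score 0-6, failures).
    Show the score to the user; an empty failures list means all rules passed."""
    failures, score = [], 0
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    elif len(pw) > MAX_LENGTH:
        failures.append("too long")
    else:
        score += 1 + (len(pw) >= 16)     # extra point for 16+ characters
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    score += sum(classes)                # one point per character type present
    if not all(classes):
        failures.append("missing character type")
    if has_sequence(pw):
        failures.append("sequential characters")
    base = re.sub(r"\d+$", "", pw.lower())   # 'Password1234' -> 'password'
    if base in COMMON_PASSWORDS:
        failures.append("common password")
    if username and username.lower() in pw.lower():
        failures.append("contains username")
    return score, failures

def is_acceptable(pw, username):
    score, failures = evaluate_password(pw, username)
    return not failures and score >= ACCEPT_SCORE   # hard rules first, then score
```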
4) Include Age and History Requirements
The longer a password is in use, the more likely it is to be compromised. Have your users change their passwords after a set period (for example, every 3 months). Once that is in place, you may find users “changing” their password to one they have used before. Prevent this with a history requirement so that previously used passwords are rejected.
5) Adopt a Rigorous Reset Process
No matter how sophisticated your passwords are, they remain vulnerable if they can easily be reset or changed by anybody other than the user. Consider applying some of the complexity requirements above to the answers to your password reset questions. Ensure that the answers to security questions are stored encrypted and that nothing is revealed before the user has been authenticated (remember the BMO/Simplii hack?).
6) Include a Lock-Out Mechanism
With ‘unlimited guesses’ any password can be determined through brute force attacks (bots entering random characters until they get the correct password) or dictionary attacks (bots entering the most commonly used passwords from a list). Locking a user account for a short time after multiple incorrect password entries reduces the effectiveness of such tactics. You don’t need to look far for examples of this – your mobile phone likely has a similar feature.
To their credit, Air Canada did disclose that the breach had occurred, contacted the specific users they believed to be affected and required all their users to reset their passwords. The credit card numbers (also stored within the app) were encrypted, so they appear to be uncompromised.
Speaking of encryption, part of the reason hackers may have gained access to passport data is that it was not encrypted. As the keepers of our clients’ data, we need to think more carefully about encryption and think beyond compliance requirements (like PCI). The passport data that was exfiltrated can have consequences for the people to whom it belonged – shouldn’t their protection have been a paramount consideration for app developers? Can we fault them when they followed the rules? Without a social/cultural change to be more conscious of this, or new compliance requirements specifying new types of data requiring encryption, this risk will persist.
By following the steps above you can reduce the likelihood of your users being compromised. You will also know that you adhered to the best practices (so you’re not called a dinosaur in the news). Of course, IntelliGO could help you reduce the risk of being in the news to begin with. Reach out to us to find out how.