In light of the massive Twitter security breach (yes, we’re still skeptical of the claim that it was just a password reset) earlier this month, some users might be worried about protecting their accounts on social media networks.
Andrew Jaquith, CTO of Perimeter E-Security and former Forrester analyst on password security, posted some great suggestions regarding account security on the Perimeter E-Security blog (where he is a frequent contributor). Consider this one a freebie, social network aficionados! It’s not every day you get expert advice at no charge.
Protip no. 1: Password expiration:
“Prevailing security dogma holds that security passwords should be complex and frequently changed. But requiring your employees to change their passwords every 90 days just annoys them, and they will do highly insecure things to cope as a result. They will scribble passwords on sticky notes, re-use the same password everywhere, or make the absolute smallest changes to their passwords that they can while still complying with policy.
“For example, an employee might pick a ‘complex’ 8-character password ‘rosebud1!’ and then increment the ‘1’ every 90 days. Even worse, because passwords must be changed so often, IT managers use the shortest passwords their regulators will let them squeak buy with: 8 characters.
“For these reasons, researchers from Microsoft, Cambridge University among other institutions have concluded that password aging is a massive waste of time.
“It’s far better to require comparatively longer passwords that never change, such as passphrases or mnemonic passwords. Although employees will face a slightly longer learning curve initially, once they commit them to memory, they becomes reflexes. The best part: long passphrases can’t be broken as easily, so you’ve increased security and productivity at the same time.“
Protip no. 2: Using LDAP, AD, and single sign-onto reduce passwords you need to remember:
“As with password length and aging considerations, the employee’s ability to remember their passwords is a strong predictor of how likely (or unlikely) they will be to behave in ways that are less secure. The fewer passwords they have to remember, the less likely they are to make mistakes or game the system.
“Tying your applications into your LDAP or Active Directory servers is a good way to reduce the burden — think of it as the poor-man’s SSO. Full-blown single-sign-on (SSO) systems, of course, are even better. Consolidating password stores has benefits beyond just convenience, though.
“You also get better security because you can centrally enforce your password policies, and suspend access to applications and infrastructure much more quickly.”
Protip no. 3: Password management tools:
“I did not change my LinkedIn password until more than two weeks after LinkedIn disclosed that its password database had been hacked. I have previously used a third-party password management tool called 1Password, which creates an encrypted vault of passwords, all protected by a master password.
“I use it to generate unique, long and complex passwords for every website I join or log into. As a result, none of my website passwords are shared. They are all unique. And they can’t be easily brute-forced.
“Some of my passwords are 36 characters long. If you follow a strategy like this as well, when the next big website gets knocked over, you won’t have to care either.”
You can follow the Perimeter E-Security blog, which contains tons of useful security-related tips and information, here. This isn’t a dig on Twitter. They’re going to do everything they can to protect the security of their service, and they are looking out for their users. It just doesn’t hurt to be a little proactive yourself, and take some of that responsibility into your own hands.
0 Comments