Zeichick’s Take: Secure those passwords!
By Alan Zeichick
October 1, 2012
Stories about hacked or stolen password files keep coming. One of the most recent is a breach at IEEE.org, where roughly 100,000 user IDs and plaintext passwords were exposed in unencrypted log files a few weeks ago.
The IEEE confirmed it a couple of days ago:
25 September 2012 — IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation, and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected.
IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.
There are two underlying problems: One we can address; one we can’t.
The problem we need to address is that programmers are sloppy. The application calls for some sort of login with usernames and passwords. So what do programmers do? They store the usernames and passwords as plain text in some sort of lookup table, or let them be written straight into a log file, and they put that file on a volume that can be reached over the Internet.
The fixes are simple:
1. No plaintext storage, ever. Hash passwords with a salted, deliberately slow algorithm (bcrypt, scrypt or PBKDF2). Encryption is not a substitute: whoever gets the key gets every password back, while a proper hash cannot be reversed.
2. Don’t store the credential table anywhere it can be reached over the network, let alone from the Internet.
3. Don’t record passwords in log files. That includes web-server access logs that capture query strings and debug logs that dump request bodies, which is how plaintext credentials end up on disk without anyone ever deciding to store them.
4. Better still, forget rules 1, 2 and 3 and don’t let your programmers roll their own identity-management system at all. If one must be built, make it a separate project and subject it to serious design work, security auditing and penetration testing.
No matter how trivial the “at risk” data seems, don’t build a lame login system. Ever. If a login/password system is required, treat it as a security component from the design stage onward. It’s an attack surface, and the credentials it holds are usually worth more to an attacker than the data behind them.
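Rules 1 and 3 above, as working code. This is an added example written for this page, not code from IEEE or SD Times: it stores a salted PBKDF2-HMAC-SHA256 hash in a self-describing record instead of the password, verifies it with a constant-time comparison, and attaches a logging filter that scrubs credential-looking fields before any line reaches disk. The record format, the helper names, the list of field names treated as secrets and the sample request line are this example's own assumptions, and the iteration count is a placeholder to be tuned on real hardware.

```python
"""Salted slow hashing and log redaction for a login system (added example).

Not IEEE's or SD Times' code. The record format, the helper names and the
list of credential-like field names are this example's own assumptions.
"""
import hashlib
import hmac
import logging
import os
import re
from typing import Dict, Optional

# Rule 1: never store a password; store a salted, deliberately slow, one-way
# hash of it. PBKDF2-HMAC-SHA256 ships in the standard library; bcrypt, scrypt
# or Argon2 are fine where available. The iteration count is a placeholder:
# raise it until one verification costs tens of milliseconds on your servers.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000
RECORD_SEPARATOR = "$"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return RECORD_SEPARATOR.join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split(RECORD_SEPARATOR)
        if algorithm != ALGORITHM:
            return False  # unknown or legacy (e.g. plaintext) record: refuse
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False  # a malformed record is a failed login, not an exception
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Rule 3: scrub credentials before a line reaches disk. The filter rewrites
# every record passing through the handler, so a framework that logs the full
# request line or a developer's stray debug statement cannot leak a password.
SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|token|secret)(=|:\s*|%3D)([^&\s,;]+)")


def redact_secrets(text: str) -> str:
    """Replace the value of any credential-looking field with a marker."""
    return SECRET_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_secrets(record.getMessage())
        record.args = ()  # message is already formatted; drop the raw arguments
        return True


def demo() -> Dict[str, object]:
    """Exercise both controls on constructed sample data (not real users)."""
    stored = hash_password("DontGuessMe123")
    request_line = "POST /login user=chuck@bobobomail.com&password=DontGuessMe123 HTTP/1.1"
    return {
        "stored_has_no_plaintext": "DontGuessMe123" not in stored,
        "correct_password_verifies": verify_password("DontGuessMe123", stored),
        "wrong_password_rejected": not verify_password("DontGuessMe124", stored),
        "plaintext_record_rejected": not verify_password("DontGuessMe123", "DontGuessMe123"),
        "redacted_log": redact_secrets(request_line),
    }


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("auth")
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.info("login attempt %s", "user=chuck@bobobomail.com&password=DontGuessMe123")
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The filter sits on the handler rather than the logger so that it also catches records propagated from third-party libraries, and `verify_password` treats anything that is not a well-formed hash record (including a leftover plaintext row) as a failed login rather than falling back to a string comparison.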
That brings us to the second problem, the one we can’t address. Humans tend to reuse their passwords. They might use the same username and password on every e-commerce site. Crack one, and you’ve cracked them all. And that same login/password pair may also be their e-mail password, their remote network admin login, and their corporate portal login.
If your system uses an e-mail address as the login, you’ve probably made life easier for your end users. You’ve also made it much easier for attackers to target your system, and to replay a login/password list stolen from another site against it. If chuck@bobobomail.com uses a password of DontGuessMe123 on one site, he’s probably using it on your site too.
Practically speaking, there’s nothing we can do about password reuse. But we can—we must—make sure that our own identity-management systems are secure. If the IEEE can fail, we can too.
Alan Zeichick is editorial director of SD Times. Read his blog at ztrek.blogspot.com.
Link: http://sdt.bz/37007