Privacy & Information Security Law Blog

On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks.

The practical guidance aims to make it more difficult for hackers to gain unauthorized access to networks. These security measures include:

• Insisting on long, complex and unique passwords. Companies should establish secure corporate password standards, implement minimum password requirements, and ensure employees are informed about how to create strong passwords. Obvious choices such as “ABCABC” or “qwerty” should be avoided and users should opt for longer passwords or passphrases when creating their login credentials. Passwords should be unique for each user and different passwords should be required for different applications. Additionally, default passwords should be changed immediately and when designing products that require consumers to use a password, they should be prompted to change the default upon set up.
• Storing passwords securely. Even the strongest passwords are ineffective if not securely protected. Disclosing a password through phone calls or emails, sharing a password with others or writing a password down without properly storing or disposing of the record may lead to the password being compromised. Compromised passwords that lead to more sensitive data are particularly risky (e.g., a password which provides access to a database of other user credentials). To mitigate these risks, companies should implement policies and procedures to store credentials securely.
• Guarding against brute force attacks. A brute force attack occurs where hackers use automated programs to systematically guess password combinations. For example, the program may attempt to log in with aaaa1, then aaaa2 and so on until it guesses the right combination. To avoid such attacks, companies should set up their systems to suspend or disable a user account after a certain number of unsuccessful login attempts.
• Protecting sensitive accounts with more than just a password. For certain kinds of sensitive data, companies may need to take additional steps to protect against hacking. Consumers and employees often reuse usernames and passwords across accounts, and if placed into the wrong hands, this can result in credential stuffing attacks. Such attacks occur where stolen usernames and passwords are input on a large scale into popular internet sites to verify if they work. To protect against this kind of attack, companies should combine multiple authentication techniques for accounts with access to sensitive data. For example, companies should require verifications codes that are generated by voice call, text or security keys that need to be inserted into the USB port to grant access. Requiring employees to log into a virtual private network to gain access to systems provides an additional layer of protection.
• Protecting against authentication bypass. Hackers who cannot gain access to a site through the main login page may try other methods, such as going directly to a network or application that is supposed to be accessible only after the user has signed on. To combat against this, companies should ensure that entry is allowed only through a secure authentication point and that there are no backdoors which hackers can target.

The FTC’s next blog post, to be published on Friday, August 18, will focus on securely storing sensitive personal information and protecting it during transmission.

To read our previous posts documenting the series, see FTC Posts Third Blog in its “Stick with Security” Series and FTC Posts Second Blog in its “Stick with Security” Series.