Passwords, after all, are our core security to our identities, personal information, email, bank accounts, etc. After all the countless breaches in the past few years, on databases and leaks, we need better standards on passwords or to use a different type of authentication.
One of the biggest vulnerabilities in computer security is the password. Let’s face it. Something’s got to give! What exactly will it take to authenticate somebody with their own personal information or data without being discovered or hacked?
We reported about companies like Google doing new implementations of password security. It’s time for new methods. Especially when problems such as Twitter being hacked a couple weeks ago, compromising some 250,000 accounts.
We reported on password security changes first back in July, where we talked with recent password studies, it shows that people that are much older in age tend to pick stronger passwords.
Now, hashing algorithms are used to secure passwords in to databases. The current standards are usually SHA-1 and MD5. But, with newer studies on SHA-3, replacing the current SHA algorithms, this should make for better database security for passwords, and prevent hacks in the future.
Now, this isn’t 100% foolproof, but at least it’ll help some and fix password security for a couple more years at least.
“Password hashing is important because it’s where we have a problem. NIST has given us some great standard hashing algorithms. The problem is that these hashes aren’t necessarily designed for the specific problem of password hashing — where you need something that’s fast enough to hash on a server at login time, but slow enough that a GPU can’t crack ten million of them,” Password Hashing Competition‘s Matthew Green said. “We have a few functions for this purpose, but we don’t have a consistent recommendation to give implementers. NIST says to use PBKDF2, which is probably the most vulnerable to GPU cracking. We just learned that Twitter uses bcrypt — a nice algorithm, but designed 11 years ago when FPGAs and GPUs weren’t as common as they are today. Others recommend scrypt because it was explicitly designed to deal with these threats. Unfortunately that claim hasn’t really been reviewed by cryptographers.”
The National Institute of Standards and Technology (NIST) establishes the standards for cryptographic hash functions and other encryption standards. An update will be available soon on the new standards.
Hackers are always searching for ways to target and dismantle security. But, the questions do indeed continue about how hackers find a way in, how they exploit vulnerabilities, and ways to do this dismantling. What is the main answer? Research!
There are many different things that hackers do that gives them the wide open door into vulnerabilities:
- Hackers study their target well in advance of actual hacking. They do their homework, and figure out how strong the target is, how to exploit the vulnerability, method of attack, backup plan, and anonymity.
- Hackers commonly use search queries through search engines to create a map of the target’s vulnerabilities. Many different items can be for display when creating a map, such as server statistics (downtime/uptime), platform usage, coding languages, and other miscellaneous unspecific information.
- The map is configured carefully to build a complete intelligence database (which can be shared for high fees across the hacker community). It compiles a lot of information not only through research as explained above, but also uses government databases, financial filings, court records, etc. Who would’ve thought to check for stuff like that?
- The hacker’s main purpose after doing the research is to identify any security and technology officers on staff at the company. The hackers needs to know the security architect, how powerful they are, some of the recent meetings, new plans, etc. The hacker reads how the roadmap is for the officer, and whether the time to attack is good soon, or whether the hacking should be held off. (Not really a lot of time to decide, to be honest)
- The last stage of research before the planning of the attack, the hacker looks for business partners, trusted or strategic customers, suppliers, etc. that are used by the target. It may be easier, sometimes, to attack a smaller business partner than the actual target, some have argued. But, this information is dependent on the information gathered in the search engines and other info.
- Once this is all compiled, all of the information offers a list of likely points within the target to attack.
- The attack is usually staged, literally, in efforts to find the target point, nailing it at the right time, and exiting without being caught. This is in hopes of securing the vulnerability exploit well, and knowing the best route to escape.
- The hacker attacks when ready, and the operation is complete soon after. The idea or methodology for a hacker is to “push in, pull out” or like Facebook would say “Move fast, break things”. What a philosophy!
There is little that can be done, when you have a public company, and all the information on the company is widely available. People will do their research. You can reduce the significance of the threats of hackers by conducting the same research yourself, setting up your own map, and conducting competitive counter-intelligence. This can be a difficult things to learn.
It’s best to take necessary operations to ensure that if a hacker comes nearby, to always be ready using the following methods (some may not apply to your business):
- Secure all servers with adequate security protection. Through good amounts of searching on search engines, you can find a wealth of free tips and more whitepapers on good server security. Simply searching for “server security” will result in a lot of good results. Also, it’s good to look for SQL Security, which is a very good, invaluable resource.
- Encrypt passwords incoming to your server! When people enter passwords in to your website (for accounts and logins), make sure they get encrypted. If the passwords are being sent in plaintext form, this can make the passwords easy to read while in transmission to the server from the user’s browser.
- Always have good passwords at your end. Everyone should have a very good password. It’s best to have a password consisting of at least 8 total characters in the form of at least one capital letter, one small letter, one number, and one symbol. This is the best way, and the only other way to prevent it from being hacked easily. There is no longer 100% protection from your password being stolen. Some of the best passwords can be stolen easily. But, at least having a very good password will protect you while other security methods can be implemented (fingerprint scanners, voice activation, unique ID codes, etc.).
- Encourage your users to have good passwords, by forcing them to use the characteristics described above for their password.
- Have weekly meetings with your staff about how best to implement security policy, some of the latest threats, the analytics behind your network (server uptime/downtime, security breaches, etc.), and future plans to implement policies.
By following all these simple steps, your company can become widely aware of hackers and be able to implement good security policy that will save a lot of time and money!