Tens of thousands of British Airways customers had an unpleasant surprise when they discovered their frequent flier accounts had been commandeered by hackers looking to book flights or siphon off accrued flier miles. While it’s still not clear where the cyber attack originated, one thing is clear: the hackers took full advantage of poor security practices on the part of the account holders. The airline reported that the intrusion was the result of “a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to some accounts.”
It appears, in this case, that the attackers breached some other organisation or web site and stole credentials from that site’s backend database. They likely cracked whatever hashed passwords they found, traded the resulting credential sets (an email address and the password cracked for it) on the criminal underground, and then used an automated tool to try the lifted pairs against British Airways’ site until some of them worked. Security teams call this credential stuffing: the attacker never touches the target’s password store, but simply replays logins that were valid somewhere else.
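An automated replay of lifted credentials leaves a distinctive shape in a site’s login logs: one source trying many different accounts, mostly failing, with the occasional success. The script below is an added example, not code from the article, British Airways or WatchGuard. It assumes a simple constructed log format (timestamp, client IP, username, result) and thresholds that you would tune for your own traffic; the sample lines are made up for the demonstration.

```python
"""Credential-stuffing detector over web login logs.

Added example, not from the original article. The log format is an
assumption: one line per login attempt, space-separated as
    <ISO timestamp> <client IP> <username> <OK|FAIL>
Adapt parse_line() to your own server's format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    ts, ip, user, result = line.split()
    return Attempt(ts, ip, user, result == "OK")


# Constructed sample: 203.0.113.7 sprays eight different accounts in a few
# seconds (the stuffing pattern); 198.51.100.23 is one user mistyping their
# own password (benign); 192.0.2.55 is a normal login.
SAMPLE_LOG = """\
2015-03-30T09:00:01Z 203.0.113.7 alice@example.com FAIL
2015-03-30T09:00:01Z 203.0.113.7 bob@example.com FAIL
2015-03-30T09:00:02Z 203.0.113.7 carol@example.com OK
2015-03-30T09:00:02Z 203.0.113.7 dave@example.com FAIL
2015-03-30T09:00:03Z 203.0.113.7 erin@example.com FAIL
2015-03-30T09:00:03Z 203.0.113.7 frank@example.com FAIL
2015-03-30T09:00:04Z 203.0.113.7 grace@example.com OK
2015-03-30T09:00:04Z 203.0.113.7 heidi@example.com FAIL
2015-03-30T09:01:10Z 198.51.100.23 ivan@example.com FAIL
2015-03-30T09:01:15Z 198.51.100.23 ivan@example.com FAIL
2015-03-30T09:01:22Z 198.51.100.23 ivan@example.com OK
2015-03-30T09:02:00Z 192.0.2.55 judy@example.com OK
"""


def suspicious_sources(log_text: str, min_users: int = 5,
                       min_fail_ratio: float = 0.5) -> dict:
    """Return {ip: stats} for sources that tried many *different* accounts
    with a high failure rate.

    A forgotten password looks like one user and many tries; credential
    stuffing looks like many users and roughly one try each. Successful
    logins from a flagged source are the accounts that need a forced reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "compromised": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_line(line)
        s = per_ip[a.ip]
        s["users"].add(a.user)
        s["attempts"] += 1
        if a.ok:
            s["compromised"].add(a.user)
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        ratio = s["failures"] / s["attempts"]
        if distinct >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": distinct,
                "attempts": s["attempts"],
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in suspicious_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The ratio test is what separates stuffing from a single user fumbling a login: a real attacker’s list is mostly stale, so most attempts fail, and the few that succeed are exactly the accounts to lock and notify. In production you would also key on the source’s autonomous system or a device fingerprint, since a botnet spreads the attempts across many IPs.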
While many security professionals have been calling for the death of the password, the reality is, the password is the foundation of a majority of security protocols. Until a more reliable, user-friendly option is rolled out, passwords are here to stay. So what can an IT security professional do to ensure your network – or your customers’ data – isn’t at risk of password theft?
1. Don’t make assumptions
Assuming that everyone in your company is already using passwords that meet security requirements is a big mistake. As TechCrunch reported in its list of the worst passwords of 2014, users are still relying on “123456” and “password.” As an IT security professional, it’s up to you to set and enforce the use of secure passwords across your organisation. Start with the basics and work from there.
2. Be unique
Above all, make sure users haven’t created the same password for use at multiple web sites. A recent survey by mobile identity firm TeleSign of more than 2,000 UK consumers found that 62 per cent put their credentials at risk by reusing their passwords across multiple online accounts. Hackers are counting on this bad user behaviour, so they can crack one password and help themselves to multiple accounts.
3. Go long
Passwords should be in excess of 14 characters so that they can withstand offline cracking tools run against a stolen hash database. They should also be a mix of words, numbers, symbols, and both upper- and lower-case letters. Encourage users to avoid passwords based on personal details such as birth dates, addresses or phone numbers, or the names of family members. If employees have trouble remembering long passwords, passphrases may be a better option. A passphrase uses a full sentence, including spaces, punctuation characters, and some capitalisation. Since it is a natural sentence it is easy to remember, but its length makes it far tougher to crack than a short jumble of characters.
4. Get an assist
The challenge with issuing and enforcing a corporate password security policy is that your team must now manage all of these different and complex credentials, and supply passwords to staff when they forget them. Using a password manager simplifies the process and helps ensure compliance by generating random passwords of 14 characters or more and managing them automatically, so that nobody has to remember, reuse or write down a strong secret.
5. Activate two-factor authentication (2FA)
Enable 2FA on your own systems, and ask any third-party vendors you work with, such as cloud providers, to activate it on the accounts they hold for you: a stolen password on its own then no longer opens the account, which is exactly what defeats an automated credential-replay attack like the one against British Airways. One of the most popular methods of 2FA, and one that is easy to roll out, is the SMS authentication code, an easy second token that almost anyone with a mobile phone number can use. Bear in mind that SMS is the weakest form of second factor, since codes can be intercepted or redirected to an attacker’s handset, so prefer an authenticator app or hardware token where the service supports one; even SMS, though, is a large improvement over a password alone.
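Whatever channel delivers the code, the server side is where SMS-style 2FA is usually got wrong: codes that never expire, codes that can be guessed by brute force, codes that verify more than once, or codes stored in plaintext beside the phone number. The class below is an added example, not code from the article or any provider, showing the issue-and-verify half with those failure modes handled. The SMS gateway is replaced by an in-memory outbox so it runs offline, and the five-minute lifetime, five-attempt limit and pepper value are assumptions.

```python
"""Server side of an SMS-style one-time login code: issue and verify.

Added example, not from the article or any vendor. Delivery is stubbed
(the outbox stands in for the SMS gateway) so it runs offline; the TTL,
attempt limit and pepper are assumptions for the demonstration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code dies after five minutes (assumption)
MAX_ATTEMPTS = 5         # then a fresh code must be requested (assumption)
# Pepper for hashing stored codes; constructed here, keep the real one out
# of the database so a dumped table does not yield usable codes.
SERVER_PEPPER = b"constructed-pepper-replace-in-production"


@dataclass
class PendingCode:
    digest: bytes      # HMAC of the code, never the code itself
    issued_at: float
    attempts: int = 0


@dataclass
class OtpService:
    clock: Callable[[], float] = time.time   # injectable for testing expiry
    pending: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # stands in for the SMS gateway

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(SERVER_PEPPER, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, phone: str) -> None:
        """Generate a fresh code, store only its digest, hand the code to SMS."""
        # secrets.randbelow, never random.randint, for a security token
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(self._digest(user, code), self.clock())
        self.outbox.append((phone, f"Your login code is {code}"))

    def verify(self, user: str, submitted: str) -> bool:
        """True exactly once per issued code, and only while it is fresh."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]
            return False
        entry.attempts += 1
        # constant-time compare: no timing leak on how many digits matched
        ok = hmac.compare_digest(entry.digest, self._digest(user, submitted))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]   # single use; lockout after too many guesses
        return ok


if __name__ == "__main__":
    svc = OtpService()
    svc.issue("alice", "+447700900123")
    phone, message = svc.outbox[-1]
    code = message.split()[-1]
    print("would send to", phone, "->", message)
    print("wrong code:", svc.verify("alice", "000000"))
    print("right code:", svc.verify("alice", code))
    print("replayed:  ", svc.verify("alice", code))
```

The attempt limit is what makes a six-digit code safe at all: a million possibilities is nothing to an automated client, but five guesses per issued code is a 0.0005 per cent chance. Tie the limit to the issued code rather than to a time window so an attacker cannot reset it by requesting a new code, and rate-limit the issue path too, or you have built an SMS-flooding service.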
It’s hard to predict what the future of user credentials will be. The FIDO Alliance has published a new set of standards for software and hardware makers to help tighten password and identity security, including provisions for biometrics such as fingerprint and facial recognition and for hardware-backed 2FA. But getting consumers to buy into these methods is going to take time, and it’s doubtful that biometrics will eliminate cyber attacks entirely, as they present their own risks. For now, the best we can do as IT security pros is to reduce bad user behaviour, stay vigilant, and swap out those passwords regularly.
Corey Nachreiner is Global Head of Security Strategy & Research at WatchGuard Technologies. Corey has operated at the frontline of cybersecurity for 16 years. Primary author for WatchGuard’s Security Centre blog, he has written thousands of security alerts, is a prolific speaker, frequently conducts educational webinars and his video feeds have accumulated hundreds of thousands of views.