For the most recent installment in the Federal Trade Commission’s “Stick with Security” series, the agency’s blog post focused on passwords.
Insist on long, complex and unique passwords, wrote Thomas B. Pahl, acting director of the FTC’s Bureau of Consumer Protection, as passphrases or longer passwords are generally harder to crack. You should also avoid the use of “obvious choices” like qwerty or ABCABC.
The smart strategy for businesses: “to think through their standards, implement minimum requirements, and educate users about how to create stronger passwords. Also, when you install software, applications, or hardware on your network, computers, or devices, change the default password immediately. And if you design products that require consumers to use a password, configure the initial set-up so they have to change the default password,” the FTC explained.
For example, set up a system to reject an obvious choice of password (such as “payroll” to enter a database that includes employee payroll information), educate employees about secure password choices and don’t allow employees to share passwords, the agency suggested.
Passwords should also be stored securely, and efforts should be made to guard against brute force attacks by suspending or disabling user credentials after a certain number of unsuccessful login attempts. The FTC advised that sensitive accounts should be protected with more than just a password, such as through multifactor authentication techniques.
In one example, a mortgage company that permits customers to access their accounts requires them to enter a secret verification code generated by an authentication app on their smartphone in addition to their password. “By implementing this additional protection, the mortgage company has bolstered security on its site,” the agency explained.
Companies should also protect against authentication bypass by allowing entry to a credentialed site only through an authentication point that prohibits individuals from skipping the login page and simply typing in a URL of a supposedly restricted page, the FTC said.
To read the FTC’s blog post, click here.
Why it matters: “The message for businesses: Think through your authentication procedures to help safeguard sensitive information on your network,” the FTC concluded. The third post in the “Stick with Security” series followed discussions of the importance of collecting sensitive information only when necessary and the ways access to data can be sensibly controlled. The next post will cover storing sensitive personal information securely and protecting it during transmission.