Establishing a robust password policy

While passwords are intended to address the issue of authentication, they are a source of considerable concern. We start with the problem of human nature. Insistence on complexity and uniqueness, along with regular changes, has long been considered best practice in establishing password policy (regular changes less so today, as discussed below). But our natural inclination is to make things easy for ourselves: users typically set weak passwords because they are easy to remember. Worse, people tend to reuse the same easy-to-guess password, or variations on it, across multiple logins, so a single leak exposes every account that shares it.
 
Complexity is the foundation of password security
 
It is difficult to overstate the importance of password strength. A policy should set a minimum length; length does more to resist guessing than mixing character classes does, and NIST SP 800-63B no longer recommends mandatory composition rules, although many organizations still require upper and lowercase letters, numbers, and special characters. Each password should be unique to one account and checked against lists of known weak or compromised passwords. Passwords deemed unacceptable include those exposed in previous breaches, recognizable "dictionary" words (including common letter-for-symbol substitutions such as P@ssw0rd), repetitive or sequential characters, and context-specific choices derived from the username or the service name.
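The screening described above can be enforced at password-set time. The following is an added example, not code from the original post: a Python validator that applies a length minimum, a composition check, a breached-password lookup in the k-anonymity style used by the Pwned Passwords API (only the first five hex characters of the SHA-1 would leave the machine), a dictionary check that undoes letter-for-symbol substitutions, a repeated/sequential-run check, and a check for the username or service name embedded in the password. The breach set, the word list and the range-query response are constructed inline so it runs offline; a real deployment would call the live range endpoint and a full wordlist.

```python
import hashlib
import re

# --- Constructed sample data (not a real breach corpus or wordlist) -------------
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1!", "qwerty123", "letmein", "Summer2019!")
}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "football", "summer"}

LEET = str.maketrans("@431!0$5", "aaeiioss")


def normalize(pw: str) -> str:
    """Lowercase and undo common letter-for-symbol substitutions (P@ssw0rd -> password)."""
    return pw.lower().translate(LEET)


def pwned_range_response(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>, which returns one
    'SUFFIX:COUNT' line per breached hash sharing the 5-hex-char prefix. Built here from
    the local BREACHED_SHA1 set so the example runs offline; the parsing is unchanged."""
    hits = [h for h in sorted(BREACHED_SHA1) if h.startswith(prefix)]
    return "\r\n".join(f"{h[5:]}:{count}" for count, h in enumerate(hits, start=1))


def is_breached(pw: str) -> bool:
    """k-anonymity check: hash locally, send only the 5-char prefix, match the suffix."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in pwned_range_response(prefix).splitlines():
        if not line:
            continue
        sfx, count = line.split(":", 1)
        if sfx == suffix and int(count) > 0:
            return True
    return False


def has_run(pw: str, length: int = 4) -> bool:
    """Repeated ('aaaa') or sequential ('abcd', '4321') run of `length` characters."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def derived_from_context(pw: str, *context: str) -> bool:
    """Username or service name (forwards or reversed) embedded in the password."""
    n = normalize(pw)
    for ctx in context:
        c = normalize(ctx)
        if len(c) >= 3 and (c in n or c[::-1] in n):
            return True
    return False


def check_password(pw: str, username: str, service: str, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if any(re.search(cls, pw) is None for cls in classes):
        reasons.append("missing character class")
    if is_breached(pw):
        reasons.append("found in breach corpus")
    if any(word in normalize(pw) for word in DICTIONARY if len(word) >= 5):
        reasons.append("dictionary word")
    if has_run(pw):
        reasons.append("repetitive or sequential characters")
    if derived_from_context(pw, username, service):
        reasons.append("derived from username or service name")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "Acme2024!!Alice", "Tr0ub4dor&3xViolet"):
        print(candidate, "->", check_password(candidate, "alice", "acme") or "accepted")
```

Note that the breach check runs against the exact password, while the dictionary and context checks run against the normalized form, so "Summer2019!" is rejected both because it appears in the constructed breach set and because "summer" survives normalization.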
 
Password expiry policies are detrimental to security
 
Many companies still mandate frequent password changes, commonly every 90 days. That policy rests on a threat model that no longer holds. The 90-day figure dates from an era when cracking a stolen password hash could plausibly take that long; today, rented cloud GPUs recover an average-to-bad password in seconds, so rotating every few months neither outruns the attacker nor limits the damage. Studies have found that users who are forced to change passwords frequently choose weaker and more predictable ones (appending a digit, incrementing a number, or cycling through a short list). Employees also resort to regrettable memory aids, like the post-it note stuck to the bottom of the monitor. Password change requirements end up as little more than a placebo that actually increases risk. Current guidance (NIST SP 800-63B) is to force a change only when there is evidence that a password has been compromised.
 
Moreover, the nature of the threat has changed: password harvesting is a greater risk than cracking. Cybercriminals have many ways to harvest passwords: infecting computers with keystroke loggers, running phishing websites, intercepting text messages and more. A harvested password is used within seconds or minutes; by the time a scheduled expiry comes around, the damage has long been done. In May 2019, Microsoft endorsed this research by dropping the minimum and maximum password-age settings from its Security Baseline for Windows 10 and Windows Server, version 1903.
 
Social engineering hacks are a significant threat
 
A large share of cyberattacks, by frequently cited estimates north of 95%, begin with social engineering. In these attacks the criminal depends on ordinary human behavior, trust or simple error, to obtain information, including passwords. They arrive as fake websites, phishing emails, fake transactions or bogus IT support calls. The first line of defense is an educated workforce. Learning to recognize phishing emails, report them and delete them unopened is a critical skill, and employees should be skeptical of any request for sensitive information. No legitimate IT department needs a user's password, so it should never be revealed to anyone over the phone or typed into a page reached from a link in a questionable email. Remember, too, that social media is a boon to attackers: a look at your Facebook posts can reveal your spouse's name, your pets' names and your birthday, all of which people routinely use to build passwords.
 
Conclusion
 
Creating a strong password and keeping it secret are two of the most significant steps in maintaining information security. Every company should implement a password policy that requires long, unique, random passwords screened against known-weak lists; in practice that means equipping employees with a password manager, since no one can remember dozens of random strings. While multifactor and biometric authentication play an increasingly important role, the password will remain a foundational element of security in the near to medium term.
 
___

About the Author

Dan is the man behind the scenes but if you’re a client of ours, you likely have spoken with him. Dan Tomaszewski is our V.P. of Application Support and has the enviable job of supporting our clients around the clock. With over 20 years of experience in the financial services industry, he has built a career on supporting traders and operational clients in optimizing post-trading infrastructures. Dan can help solve your most complex operational challenges through the implementation of a variety of post-trade solutions including trade reconciling, allocating, flow, clearing, and risk.

 

Two-Factor Authentication is a Vital First Step in Enhancing Online Security

Two-factor authentication can enhance security, but it isn’t a magic bullet
 
Two-factor authentication is an important security measure; there is no question about that, since it adds a layer beyond the password. The factors are knowledge (a password or PIN), possession (a mobile device or security key) and inherence (face, fingerprint or iris recognition). With two-factor authentication enabled, a login requires a password plus either a device or a physical characteristic. But not all two-factor methods are equally reliable, and as a rule the more convenient the method, the less secure it is likely to be.
 
The chimera of possession
 
One-time codes sent by text message, one of the most common methods, come with a significant weakness: the factor is really the phone number, and the phone number is controlled by your employee's carrier, not by the employee. If a phone is lost, the owner simply goes to her provider, gets a new device and has the same number assigned to it, and SMS codes arrive on the new phone exactly as they did on the old one. That is convenient, but it means anyone who can persuade the carrier to move the number (a SIM swap or port-out) receives the codes too. And there is the issue.
 
Moreover, employees may receive text messages by means other than a phone: messages are often mirrored to an iPad or forwarded to email, or read in a browser by users of VoIP services. The conclusion is clear: a one-time code delivered by text message does not prove that a particular device is in the hands of its rightful owner. And attackers who have already gathered personal information can impersonate the owner to the carrier and have the number moved to a device they control.
 
The more devices on which a user receives second-factor codes, the more opportunities there are for compromise. Malware on the phone and weaknesses in the carrier network itself (SS7 interception is the classic example) can also expose text messages and the authentication codes they carry.
 
Enhance your two-factor identification method for increased security
 
SMS-based authentication is better than no second factor at all, but there are better methods. Five to ten years ago, large financial services companies typically issued code-generating hardware tokens, small devices that display a new one-time password every 30 or 60 seconds. Today these have largely been replaced by authenticator apps on employee phones that implement the same time-based one-time password scheme (TOTP, RFC 6238): the app and the server share a secret enrolled at setup, and each derives the current code from that secret and the current time, so no code is ever transmitted to the phone. The codes still have to be typed by the user, which means a user tricked by a convincing phishing page will type a valid code into it, and the attacker has the length of the time window to relay it.
 
Another option is push approval. Apps such as Duo Mobile and Microsoft Authenticator are notified when someone attempts to log in with the employee's credentials, and the employee taps to approve or deny. Two caveats apply. The prompt proves only that someone tapped Approve, so an attacker who already has the password can send prompts until a tired or distracted user accepts one; that is why newer deployments show a number on the login screen that must be entered in the app. And the app is only as secure as the phone it runs on: malware on the device, documented in particular on Android, can spoof or hijack notifications.
 
The most secure form of two-factor authentication is a hardware security key (FIDO U2F or FIDO2/WebAuthn). The key plugs into a USB port (newer models also use NFC or Bluetooth) and is registered with each online service from a computer the service already trusts. Its advantage over one-time codes is that the key signs a challenge that includes the site's origin, so a response obtained on a look-alike phishing site is useless on the real one, and there is no code for the user to type into the wrong place. Support is still not universal and the keys cost money, but growing pains aside, they offer the most phishing-resistant two-factor authentication available.
 
Reviewing access and login processes is a vital first step in strengthening system security and safeguarding your company's data against attackers. Throughout April, we'll look at several measures companies can take to protect themselves and their clients.
 