Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Password Policy. Show all posts

American Express Faces Criticism Over Weak Password Policies

 



American Express found itself under scrutiny as users raised eyebrows over their seemingly weak password policies. The requirements, limiting passwords to 6 to 8 characters with a narrow scope of allowed characters, have sparked concerns about the vulnerability of user accounts. This has ignited a broader conversation about the importance of robust password practices and the need for companies to adapt to advancing cybersecurity standards.

Upon investigation, it was discovered that a user who raised the issue received a response from American Express, defending their policy. The email claimed that the website employs 128-bit encryption, making passwords composed solely of letters and numbers more secure. The rationale behind avoiding special characters was explained as a measure to thwart hacking software, which supposedly recognizes them easily.

However, security experts argue that this explanation is flawed. The concept of password "entropy," representing the variety of possible values, is critical in assessing the strength of a password. American Express's limitations on character types result in low password entropy, potentially compromising user accounts. The assertion that hackers can easily identify non-alphabetic characters is debunked by cybersecurity experts who emphasise that allowing special characters and longer passwords enhances security.

Moreover, the email defended the 8-character limit by claiming it reduces keyboard contact, purportedly preventing hacking software from deciphering passwords based on common key presses. However, critics argue that the opposite is true – encouraging longer and more complex passwords would provide greater protection against hacking attempts.

In an effort to address the apprehensions voiced by users, American Express sought to reassure its clientele by emphasising the implementation of robust security measures. The company highlighted the presence of advanced monitoring systems meticulously designed to promptly identify any instances of irregular or potentially fraudulent activity related to card usage. Despite this assurance, a palpable sense of scepticism lingers among users, casting doubt upon the efficacy of the prevailing password policy. This incredulity suggests that, for users, the confidence in the overall security posture of their accounts may be influenced by factors beyond the mere detection of suspicious activities, placing a spotlight on the ongoing debate regarding the adequacy of the current password protocols in place.

The controversy has surfaced a review of American Express's password policies. It remains to be seen whether the company will adapt its approach to align with modern cybersecurity standards. As users await potential changes, the debate serves as a reminder of the importance of robust password practices and the need for companies to stay vigilant in the confounding world of online security.


What B2C Service Providers can Learn From Netflix's Accidental Model

 

Netflix made a policy error last month that might provide consumers with long-term security benefits. For other business-to-consumer (B2C) firms wishing to enhance client account security, this unintentional pro-customer safety action may serve as a lesson. 

On May 23, the streaming giant made its new "household" policy available to US consumers. Accounts will now be limited (with few exceptions) to a single Wi-Fi network and associated mobile devices. After months of stagnation and investor apprehension, it's a shot in the arm to treat the aftereffects of COVID and promote user growth. By banning the widespread practise of password sharing, the restriction may unintentionally enhance streamers' account security. 

"Sharing a password undermines control over who has access to an account, potentially leading to unauthorized use and account compromise," stated Craig Jones, vice president of security operations at Ontinue. "Once shared, a password can be further distributed or changed, locking out the original user. Worse yet, if the shared password is used across multiple accounts, a malicious actor could gain access to all of them. The practice of sharing passwords can also make users more susceptible to phishing and social engineering attacks."

With this new policy, Netflix is demonstrating how businesses may encourage or simply force its users to adopt better login practices, whether on purpose or not. However, changing client behaviour for the better isn't always as easy as it looks. 

Use of the gold biometric standard restricted for cloud services 

The mobile phone business is one area of tech that has long since found out how to assist users in logging in safely without sacrificing their experience.

Smartphone users have been selecting simple passcodes for years simply out of laziness or forgetfulness. When Apple debuted TouchID for the iPhone 5S in 2013, drawing inspiration from the Pantech GI100, things started to change. FaceID will soon make it even simpler for consumers to check in securely without slowing down anything, even if facial recognition technology wasn't nearly available at that point.

Even if biometric login is ideal, most businesses lack access to a ready-made solution, according to John Gilmore, head of research at DeleteMe.

"'Face unlock' on iPhones is an example of how this can be done in practice, but it is contingent on a specific device. For services which rely on users being able to access a service on multiple platforms, it is not yet feasible," he explained.

The main issue is that secure authentication frequently reduces usability when it comes to services. 

"Online services tend to resist implementing stronger security protocols because they see that it complicates the user experience. If you create a multistep barrier to entry, such as two-factor authentication (2FA), it is less likely people will actually engage with your platform," Gilmore added. 

Does this arrangement compel service providers to be clunky or unreliable? Experts argue against this. 

How to promote better account security behaviours

Both a carrot and a stick can be used for motivation. Epic Games, the maker of the online game Fortnite, is one business that has achieved success in the former. Epic developed new in-game awards for players who enabled two-factor authentication (2FA) on their accounts after a succession of security problems that affected thousands of the game's (sometimes very young) users. 

Never before have so many children "boogied down" over good internet behaviour! 

Consider Twitter as a case study in practise. Twitter said on February 15 that SMS-based 2FA would only be available to paid members. The decision was received with mixed feelings in the cybersecurity world because it seemed to discourage the usage of a crucial second layer of security, as explained by Darren Guccione, CEO and co-founder of Keeper Security. Although SMS 2FA is still an option, Twitter has switched to using the authenticator app or security key as the default for ordinary accounts. 

All of these instances show that businesses have a significant amount of control over how their customers interact with their security. All of these instances show that businesses have a significant amount of control over how their customers interact with their security.

In the end, Guccione says, "the ethical responsibility falls on the leaders of these companies to support and usher in changes that will ultimately protect their customers."

Attackers are Exploiting Weak Password Policy of Internet Users

 

A new report by vulnerability management firm Rapid7 disclosed that hackers attempt very simple usernames and passwords to breach third-party systems. 

The researchers employed a few hundred honeypots over 12 months to examine how hackers try to remotely breach foreign networks using the two most widely utilized types of remote administration systems - secure shell protocol and remote desktop protocol. 

Interestingly, threat analysts unearthed 512 thousand of cases in which the attackers could enter information from a well-known file called RockYou2021.txt that has close to 8.4 billion passwords employed by users. 

"We know now, provably and demonstrably, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet. Therefore, it's straightforward to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls,” Tod Beardsley, director of research at Rapid7 stated. 

According to an analysis by cybersecurity firm ESET, the exploitation of common passwords has risen dramatically during the COVID-19 pandemic, with password guessing becoming the most popular method of attack in 2021. To infiltrate third-party systems, the hackers employ usernames such as “user” or “admin” and passwords such as “123456”, “123456789” and “qwerty”. 

This emphasizes the poor choice of internet users while setting passwords. Last year in October, a cybersecurity researcher in Tel Aviv, Israel, discovered he could recover the passwords to 70% of the wireless networks as he pedaled past, often because they used a cellphone number as the password.

"With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed," Rapid7 added in its report. "As with so many things in security, the addition of convenience and complexity has made the task of protecting these systems far more challenging." 

Mitigation Tips 

The researchers recommended organizations lock down RDP, including limiting all remote access attempts to only hosts that have been legitimized first via the corporate VPN, as well as changing the default RDP port to automatically sidestep many automated attacks. Organizations should also encourage employees to use password managers. 

Additionally, the businesses can employ a free tool such as Defaultinator, which Rapid7 designed to audit SSH and RDP endpoints, to ensure that production systems aren't using default passwords.









































































































Shopify Risking Customers Data by Employing Weak Password Policy

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week disclosing that e-commerce giant, Shopify with more than 3.9 million live websites globally, employs weak password policies on the user-facing section of its website. 

To create a Shopify account, users only need to create a password that is at least five characters in length and that does not begin or end with a space. 

Threat analysts at Specops examined a list of a billion breached passwords and unearthed that nearly every (99.7%) of those passwords comply with Shopify's requirements. However, this does not mean that Shopify customers' passwords have been breached, in fact, it only highlights the threats linked with using weak passwords. 

Shopify headquartered in Ottawa, Ontario was founded in 2006 by Tobias Lütke, Daniel Wenand, and Scott Lake following the trio's failure to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. 

Risk of using weak passwords 

According to security analysts at Specops, password attacks work because the majority of businesses require users to set short-length passwords. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Earlier this year, Hive Systems, a cybersecurity firm, analyzed the amount of time required to brute force crack passwords of multiple lengths and with different levels of complexity. The security analysts discovered that a five-character password can be easily breached, irrespective of complexity. Given the ease with which hackers can crack shorter passwords, organizations ideally require complex passwords that are at least 12 characters in length. 

Enterprises risking users’ data safety 

According to the survey conducted by identity management vendor Hitachi ID, nearly 46% of enterprises store corporate passwords in office documents like spreadsheets making them vulnerable to a significant cyber threat. Hitachi ID surveyed 100 executives across EMEA and North America to recognize better how secure their password management is. 

It suggests that businesses aren’t practicing what they preach because almost all (94%) participants asserted they need password monitoring training, with 63% claiming they do so more than once a year.

Enhancing IT security 

This, of course, raises the question of what businesses require to strengthen their overall password security. Perhaps the most critical recommendation would be to set a password requirement that is longer and more complex than what is currently used. Businesses can employ Windows operating systems containing account policy settings to control password length and complexity requirements.

Additionally, organizations can use Specops Password Policy to restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. This might include using consecutive repeating characters (such as 99999) or replacing letters impersonating symbols (such as $ instead of s).