It is Time for Website Login Credential Compliance Programs

Date: 2011-06-17 11:30:00

By Ken Klein, Healthy Passwords
June 17, 2011 11:30AM EST

Yesterday's posting of 66,000 stolen email and passwords by a prominent hacker group illustrates a huge problem. Password reuse is as bad as leaving your credit cards laying on your car dashboard.

It's time to talk about reforming website regulation around authentication. In 2004 the Payment Card Industry Security Standards Council (PCI SCC) was formed to combat this same problem with credit card data. Because a handful of large card issuers had a big stake in the problem, getting them to join forces and create standards was easier than any state sponsored or voluntary effort.

If a website accepts credit cards as payment, they must meet the PCI requirements. These are enforced by annual questionnaire for low volume vendors and audited by third parties for large volume vendors.

The high level requirements set by the standard include a few common-sense practices such as:

Storing cardholder data on the non-public side of a firewall.
Encryption of cardholder data across open public networks.
Business policies restricting cardholder data access.
Regularly testing security systems and processes.

There are many more, but the key is first having a set of standards then auditing for compliance.

The nature of the web has been innovation. Web entrepreneurs don’t have to create business plans, find investors, lawyers, and accountants before starting their business. They just need a credit card, 5.99 a month and a developer. For the technically inclined, starting a web business is easy. They can cobble together a website that looks as good as any other. If they happen to time it right, or hit a niche that others missed, they can take off and before you know it, they have collected a few hundred thousand email addresses and passwords that are ripe for hacking.

The proper way doesn’t have to take a big budget. It does however, require knowledge. Secure sites architect a secure solution before they start building the site. They think about how “authentication” (usernames and passwords) will happen and they think about how to secure them.

PCI works for credit cards because card issuers can revoke a sites ability to accept their when sites fail to comply. There is no such luxury for the authentication problem.

The best way to solve this problem is for users to ask websites about their security before giving any information. The questions you should ask are:

Is your login screen completely hosted on an encrypted connection?
Do you store username/email and passwords on the same server the website runs on?
Do you hash or encrypt passwords?
Do you separate the authentication pairs (username / password) onto different systems, making one compromised credential useless without the other?
Do you outsource authentication. If so, do they adhere to the previous four rules?

Sending an email and waiting for a response that may never come is not practical when the site has something you need. If enough people start asking questions, sites will begin to feel threatened if they cannot answer them, and start fixing their problems.

The best option for you is this: If you visit a site that wants your username and password. Send them the email asking the five questions. Then use a junk email account that you use for nothing important or even create an email account just for that site. Use the junk email and an appropriate junk password counterpart. If they are compromised, you will not be jeopardizing anything. You also will reduce your primary inbox spam.

Category: Breach

Subcategory: Passwords