This past Thursday Inversoft CTO Daniel DeGroff was a featured guest at a gathering of a progressive group of software security and development experts in Denver. The focus of the night was to discuss the intersection of software engineering and security and share current perspectives on the challenges, strategies and solutions in the industry today. Daniel’s unique experience gained while developing the Passport CIAM and CleanSpeak profanity filter provided participants with a solution provider’s view of the user access and monitoring challenges they face.
We are a couple of days into 365 Days of Passport, and it’s time to give you a preview of our plans to grow.
The first step of our plan is a little counter-intuitive, specifically in the current market climate. Step one is to stay bootstrapped for all of 2018. We want to prove that even in a heavily VC-funded space like CIAM, you can build a better mousetrap without taking any money. We want to prove that bootstrapped companies can compete with the others who have $50M in the bank.
It’s the first day back in the office in 2018 and everyone at Inversoft is on a mission. We are using the entire year of 2018 to solidify Passport as the premier solution for customer identity and access management (CIAM). We are calling this effort “365 Days of Passport”.
During the year we will be focusing on 4 main areas:
- Being developer focused
- Building features that matter
- Acquiring awesome new customers
- Success without investment
The first of these areas is an expansion on what we have always done. Starting with the launch of CleanSpeak in 2008, we realized that developers were a core component of our success. Developers are the ones who install and integrate our software. They are responsible for keeping the software running and usable. They ensure that the rest of the business (moderators, community managers, admins, etc.) can leverage the software to be more productive.
In 2018, we are going to double down on these efforts. We will be improving our documentation, writing more examples and tutorials, writing more technical blog posts (on and about topics unrelated to our products), more speaking engagements, and a whole lot more nerdery.
The next area is focusing on building features that matter to our customers. We’ve heard from many people that CIAM solutions are often lacking specific features or have features they’ll never use. Rather than building every feature possible, we are going to get feedback from developers and build what they actually need. If you have a feature you need, let us know by emailing us at firstname.lastname@example.org.
Our next focus is on acquiring awesome new customers. We value open, honest and straightforward communication with our customers. We value feedback and collaboration. We aren’t racing to the bottom or looking to simply acquire hundreds of customers to pad quarterly reports. We want to deliver solutions to companies that truly impact their business and we want to ensure that customers want to work with us.
And finally, bootstrapping is part of our DNA at Inversoft. Ever since I quit my day-job back in 2007 after acquiring my first enterprise customer, I’ve felt that I could build something great without taking outside money. Every year I’ve built on this idea and tried to help other entrepreneurs do the same.
The CIAM space is a little chaotic right now though. Companies are raising massive rounds while others are being acquired. Providers have killed entire APIs and kicked everyone off their products post acquisition. Startups are appearing and disappearing as quickly as they arrived.
Inversoft has been in business for 10 years. We have great customers and continue to grow. We’ve proven that you can build a world-class business without taking a single dime from anyone. We now want to prove this is possible even in a crowded and heavily funded space like CIAM. We’re going to do it in 2018.
It’s going to be a crazy year, but we are looking forward to it.
Stay tuned for regular updates about how our plans are progressing.
JSON Web Tokens (JWTs) are a popular authentication mechanism for good reason. JWTs are designed to be stateless, portable identities, making them ideal for consumption by web applications and extremely mobile friendly.
While the stateless benefit of a JWT is great, it does come with a problem: Once a token has been issued to the user, that access token is valid until it expires. This time window poses a security concern.
So how do you revoke JSON web tokens if you need to?
Inversoft has figured out how to revoke JSON Web Tokens with little impact on a security token’s portability. That’s why we’re teaming up with IBM developerWorks for a live coding webinar on Thursday, July 27.
Tune into the webinar to learn:
- What is the JWT security concern?
- Why token revocation is necessary?
- Traditional JWT revocation methods.
- How Passport solves this issue.
The webinar is free to attend and there will be a Q&A after to ensure you get the JWT answers you need.
Don’t miss this live coding event, register today.
Believe it or not there are still companies emailing users with plaintext passwords. Worse yet, some systems are storing plaintext passwords in the database. Storing or emailing plaintext passwords can increase security vulnerabilities by as much as 10x.
CU Boulder, a premier university, still emails their passwords in plaintext. Regardless of how complex a password is, if it is stored or emailed in plaintext, that password is easily accessible to anyone and security is compromised at a glance.
Bottom line. Do not store or email your passwords in plaintext. It’s a horrible idea. Here’s why:
Storing plaintext passwords
- If the database is compromised, the hacker now has access to everyone’s password. That means people who use the same password across sites are in jeopardy of having their bank accounts drained or their identities stolen.
- If there are vulnerabilities that would allow SQL injection, hackers don’t even need access to the database server to get passwords.
- Database backups are also vulnerable. A hacker can now attack a backup server and get access to passwords.
Emailing plaintext passwords
- Emails can be forwarded accidentally. This could mean a password might be leaked by a user that mistakenly forwards the email to their team or the whole company.
- Some email servers aren’t secure. Emails are stored plaintext on most email servers, so if a hacker gets access to the server, they can just run a script against the email database and find plaintext passwords.
- Emails aren’t always encrypted on the wire (when they are sent from your computer to the SMTP server or between SMTP relays). A simple packet sniffer can intercept emails and be trained to look for plaintext passwords. If you are sending emails from a hosting provider that supports multiple companies (like AWS or Rackspace), a hacker can put a packet sniffer on the same network and read your emails.
- Emails aren’t a direct communication. Emails bounce between servers on their way from your outbox to someone’s inbox. Emails are rarely encrypted and therefore might be intercepted as they bounce around and are easily readable by a machine.
- Strong hashing. Passwords should always be hashed using a strong, one-way hash algorithm. In addition to using a hashing algorithm, you should also be salting the password and performing multiple hash passes. This will prevent brute force or lookup attacks on passwords. In the event that the user database is compromised, it will still be nearly impossible to reverse engineer a user password from the stored hash.
- Verification ID. Never email a plaintext password. If a user forgets or needs to change their password, send a link (with a random verification ID) that allows the user to securely change their password within a set time period. The company should never know the user’s password.
- Multi-factor authentication. If the above fail and the password has been compromised, using MFA or 2FA keeps the user account secure. Two-factor authentication enhances user login security by requiring something the user knows (password) with something the user possesses (their cellphone for example).
- Password invitations. If you are manually creating user accounts and need users to set their own passwords, avoid sending a random or temporary password via email. Instead send the user an email or push notification allowing them to set the password themselves.
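The first two recommendations above can be sketched as follows. This is an added example, not Passport's code or anything from the original post; PBKDF2-HMAC-SHA256, the iteration count, the reset lifetime and all names (`hash_password`, `ResetStore`, and so on) are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 600_000      # assumed work factor ("multiple hash passes"); tune to your hardware
RESET_TTL = 15 * 60       # assumed lifetime of a reset link, in seconds

def hash_password(password):
    """Return 'iterations$salt$hash'. The plaintext is never stored."""
    salt = secrets.token_bytes(16)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

class ResetStore:
    """In-memory stand-in for a database table of pending password resets."""
    def __init__(self):
        self._pending = {}    # sha256(verification ID) -> (user, expiry time)

    def issue(self, user, now=None):
        """Create the random verification ID that goes into the emailed link."""
        now = time.time() if now is None else now
        verification_id = secrets.token_urlsafe(32)
        key = hashlib.sha256(verification_id.encode()).hexdigest()
        self._pending[key] = (user, now + RESET_TTL)   # only the hash is kept
        return verification_id

    def redeem(self, verification_id, now=None):
        """Return the user if the ID is known, unexpired and unused, else None."""
        now = time.time() if now is None else now
        key = hashlib.sha256(verification_id.encode()).hexdigest()
        entry = self._pending.pop(key, None)           # single use: removed on lookup
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```

Storing only a hash of the verification ID means a leaked database or backup does not hand out working reset links, for the same reason the password itself is stored only as a hash.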
Inversoft is a security company, focusing on identity and user management. Our product, Passport, ships with code-based 2FA, brute force login detection, password hashing, forgot password, email templates and more. See our free Guide to User Data Security for more suggestions on Password Security.