If you follow us on Twitter (if you don’t, you can fix that now) you’ll notice that we post about data security breaches hitting the internet community. We don’t do it to be malicious or gloat about their failures, but to increase awareness beyond the core community of security professionals. Keeping computer systems secure is a complex challenge, and few people are well-versed in its many facets and subtleties. We deal with security every day with our customer identity and access management platform Passport, so we encourage as much discussion as possible to hear current trends and risks. We hear all the time “We just need to lock it down” or even worse “See? You can’t stop cyber breaches.” Fortunately, neither of these are true.
Today our team is excited to announce a few enhancements we have made to the Passport UI to improve user experience and efficiency.
First, we’ve updated the look and feel of the system. We have enhanced the aesthetic in order to reinforce function. New, modern font and style choices – guided by Material Design concepts – are not only pleasing to the eye, but allow you to perform the same functions and tasks, with less effort.
Inversoft’s new UI utilizes your OS system font to increase performance and decrease latency.
Passport’s default color palette provides a variety of contrasting hues and shadows to help establish a seamless sense of depth and separation.
Static, bordered tables are a thing of the past. Space and simplicity is emphasized, in place of harsh contrasting colors, to create separation within tables. Utilizing full width display allows for more information and functionality.
Buttons and icons are uniform across the new dashboard. You will always know what actions and tools are available to you no matter where you are within Inversoft’s new UI. Consistency highlights the workflow and allows our users to develop usage patterns through familiarity.
While giving you the same features, the new UI provides:
- Dashboard overview providing metrics and usage at a glance
- Responsive mobile and desktop screen usage
- Omnipresent user search bar for fast access to your user data
- Sidebar navigation
- Customization options (i.e. brand logo and hex code selection)
Our hope is that Passport is not only easy to use, but with our new UI you look forward to using it. Keep an eye out for new updates and enhancements.
Believe it or not there are still companies emailing users with plaintext passwords. Worse yet, some systems are storing plaintext passwords in the database. Storing or emailing plaintext passwords can increase security vulnerabilities by as much as 10x.
CU Boulder, a premier university, still emails their passwords in plaintext. Regardless of how complex a password is, if it is stored or emailed in plaintext, that password is easily accessible to anyone and security is compromised at a glance.
Bottom line. Do not store or email your passwords in plaintext. It’s a horrible idea. Here’s why:
Storing plaintext passwords
- If the database is compromised, the hacker now has access to everyone’s password. That means people who use the same password across sites are in jeopardy of having their bank accounts drained or their identities stolen.
- If there are vulnerabilities that would allow SQL injection, hackers don’t even need access to the database server to get passwords.
- Database backups are also vulnerable. A hacker can now attack a backup server and get access to passwords.
Emailing plaintext passwords
- Emails can be forwarded accidentally. This could mean a password might be leaked by a user that mistakenly forwards the email to their team or the whole company.
- Some email servers aren’t secure. Emails are stored plaintext on most email servers, so if a hacker gets access to the server, they can just run a script against the email database and find plaintext passwords.
- Emails aren’t always encrypted on the wire (when they are sent from your computer to the SMTP server or between SMTP relays). A simple packet sniffer can intercept emails and be trained to look for plaintext passwords. If you are sending emails from a hosting provider that supports multiple companies (like AWS or Rackspace), a hacker can put a packet sniffer on the same network and read your emails.
- Emails aren’t a direct communication. Emails bounce between servers on their way from your outbox to someone’s inbox. Emails are rarely encrypted and therefore might be intercepted as they bounce around and are easily readable by a machine.
- Strong encryptions. Passwords should always be hashed using a strong, one-way hash algorithm. In addition to using a hashing algorithm, you should also be salting the password and performing multiple hash passes. This will prevent brute force or lookup attacks on passwords. In the event that the user database is compromised, it will still be nearly impossible to reverse engineer a user password from the stored hash.
- Verification ID. Never email a plaintext password. If a user forgets or needs to change their password, send a link (with a random verification ID) that allows the user to securely change their password within a set time period. The company should never know the user’s password.
- Multi-factor authentication. If the above fail and the password has been compromised, using MFA or 2FA keeps the user account secure. Two-factor authentication enhances user login security by requiring something the user knows (password) with something the user possesses (their cellphone for example).
- Password invitations. If you are manually creating user accounts and need users to set their own passwords, avoid sending a random or temporary password via email. Instead send the user an email or push notification allowing them to set the password themselves.
Inversoft is a security company, focusing on identity and user management. Our product, Passport ships with code based 2FA, brute force login detection, password hashing, forgot password, email templates and more. See our free Guide to User Data Security for more suggestions on Password Security.
Software security is a big deal (167 million LinkedIn user account details are currently for sale on the dark web). Most applications fail to secure user data sufficiently, leaving them vulnerable to attacks resulting in dire consequences.
To combat this issue, we are excited to announce the release of our complete 2016 Guide to User Data Security. The guide compiles everything our development team knows about server and application security and delivers step-by-step code to help you secure your user data. It covers key concepts such as server architecture, firewalling, intrusion detection, password security, two-factor authentication, social hacks, SQL injections and more.
A healthy and engaged online community is critical to a company’s success. This is a hot topic amongst CMGRs and top industry influentials and while most people can agree on the importance of a branded online community not all agree on the path to achieving this safe environment.
If you have an active online community, you already know that not every user is a good user. Trolls, bullies and URL spam inherently present problems and there will be consequences if you simply ignore the issue.