From time to time, companies suffer from security incidents that lead to data leaks. This means that data is ‘stolen’ from their application or environment. When the leaked data contains user credentials, we talk about a ‘password breach’.
Does it happen a lot? Apparently, yes:
“More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year” (https://www.theregister.com/2022/06/20/in_brief_security/)
What can you do as a company to protect your customer accounts?
Here are a couple of basic tips to take into account when protecting your clients' secrets.
Did you store the customer passwords in clear text? Did you log the credentials?
The customer is compromised. No matter how strong the chosen password was, it is leaked in clear text. Never store your customer credentials in clear text!
Did you store a password hash instead of the clear text password?
The customer might have a chance. If the customer uses a strong password and you calculated the hash using a unique salt and a strong hashing algorithm, the password might not be compromised.
Do you offer multi factor authentication to your customers?
Even better. When the password is compromised but MFA is in place, the leaked password on its own is not enough to access the customer data.
Is your login page protected against automated attacks?
When your authentication process is not protected against automated attacks, customer accounts can get compromised using brute force, password spraying or credential stuffing techniques. It is strongly advised to implement countermeasures such as CAPTCHAs. https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#protect-against-automated-attacks
“Strong passwords stored with modern hashing algorithms and using hashing best practices should be effectively impossible for an attacker to crack.” (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
What can you do as a customer to protect your account?
Top 3 tips:
- Use long passwords: A strong password makes a difference.
- Use unique passwords: A password manager helps to keep track of all your passwords.
- Change your password, use MFA and follow more password security tips!
Can I check if I was part of a data breach in the past?
Yes you can! Sites like https://haveibeenpwned.com/ offer a service in which you can check if your email or phone was part of a data breach and, if so, which one. It is strongly advised to immediately change the password you used on that website, and everywhere else you used the same one (if you didn’t follow our second tip above 😉 ).