You might be tired of hearing about password managers, but these solutions are truly invaluable tools. And recently there was another high-profile password hack, this time against a database full of FTP passwords at web hosting firm DreamHost. More like NightmareHost now, thanks to inadequate handling of customer passwords.
Password management is something that simply must be more important to many of you than it apparently is. At DreamHost, the hackers got the FTP credentials of all shared hosting accounts by accessing a legacy table “storing passwords in plain text,” according to industry observer Ericka Chickowski.
Noa Bar-Yosef, senior security strategist at Imperva, told Chickowski that the hackers got “customer credentials to the FTP server,” which means they can “use these credentials in order to impersonate customers when accessing the FTP server.” That leads to all sorts of mischief: reading customers’ files, downloading them, and uploading unauthorized content (a defaced page or a malware dropper, say) into a site the customer believes is theirs alone.
Here’s where password management on the provider’s side comes in. “Companies need to put in a strong password policy as well as digesting the passwords before encryption,” Bar-Yosef said. Digesting means running each password through a salted one-way hash, so the table holds only a value that cannot be turned back into the password even when, as at DreamHost, the table itself leaks. She was ticking off some of the more common practices which, friends, we’ve been over before. Ever hear of banning common passwords and keyboard sequences, such as “PASSWORD,” “123456,” “abcdef123” and other really clever, impossible to guess or break passwords?
An old joke is the guy who made his password “Mickey Minnie Goofy Pluto Donald Bugs Sylvester Tweetie Washington” since he was told it had to be eight characters and at least one capital, but we’ll tell you something: That guy’s account wasn’t hacked.
You can beef up encryption all you want, but encryption only helps while the key stays out of the attacker’s reach; there is no excuse for storing passwords in plain text, and the baseline is that a password is never kept in recoverable form at all, only as a salted, slow one-way hash. Chickowski writes that the current debate among authentication experts goes a step further, to the wisdom of storing passwords in unsecured, distributed databases at all. She cites Adam Bosnian, executive vice president of Cyber-Ark Software, a privileged identity management firm, as saying, “Our perspective is to get rid of the whole concept of passwords in databases from day one. Put a secure credential management system on the front end, and all of this goes away.”
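To make Bar-Yosef’s two recommendations concrete (a password policy that rejects common passwords and keyboard sequences, and digesting passwords before they are stored), here is an added example that is not part of the original article or of any DreamHost or Imperva code. It uses Python’s standard library only: a small constructed blocklist and keyboard-row table for the policy check, PBKDF2-HMAC-SHA256 with a random per-password salt for storage, a constant-time comparison for verification, and a helper that converts a plaintext “legacy table” of the kind DreamHost was caught with into hashed records. The usernames and passwords in it are constructed sample data.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed, deliberately tiny blocklist for illustration. A real deployment
# checks against a large list of common and previously breached passwords.
COMMON_PASSWORDS = {"password", "123456", "12345678", "abcdef123", "qwerty", "letmein"}

# Adjacent keys on a US keyboard plus the plain alphabet, used to reject runs
# such as "asdf", "1234" or "abcd" and their reverses ("fdsa", "4321", "dcba").
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz")

# OWASP's current guidance for PBKDF2-HMAC-SHA256; tune upward as hardware improves.
PBKDF2_ITERATIONS = 600_000


def contains_keyboard_sequence(password: str, run: int = 4) -> bool:
    """True if any run of `run` adjacent keys appears, forwards or backwards."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            segment = row[i:i + run]
            if segment in lowered or segment[::-1] in lowered:
                return True
    return False


def password_policy_violation(password: str, min_length: int = 12):
    """Return a reason string if the password must be rejected, else None."""
    if password.lower() in COMMON_PASSWORDS:
        return "on the common-password blocklist"
    if len(password) < min_length:
        return "shorter than %d characters" % min_length
    if contains_keyboard_sequence(password):
        return "contains a keyboard or alphabet sequence"
    return None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow one-way digest. The plaintext never reaches the table."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm and parameters travel with the hash so
    # the iteration count can be raised later without breaking old records.
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters, compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def migrate_legacy_table(legacy_rows: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Turn a {user: plaintext_password} table into {user: hashed_record}.
    The caller drops the legacy table once the new one is written; leaving it
    behind is exactly the failure described in the article."""
    return {user: hash_password(pw, iterations) for user, pw in legacy_rows.items()}


if __name__ == "__main__":
    for candidate in ("PASSWORD", "123456", "abcdef123", "Qwerty!2024xyz",
                      "Mickey Minnie Goofy Pluto Donald Bugs Sylvester Tweetie Washington"):
        print("%-70s -> %s" % (candidate, password_policy_violation(candidate) or "accepted"))

    legacy = {"alice": "hunter2", "bob": "correct horse battery staple"}  # constructed sample rows
    hashed = migrate_legacy_table(legacy, iterations=20_000)
    for user, record in hashed.items():
        print(user, record)
        assert verify_password(legacy[user], record)
        assert not verify_password(legacy[user] + "x", record)
```

Two details are worth noticing. The blocklist is checked before the length rule, so “PASSWORD” is rejected for the right reason rather than for being short, and the nine-word cartoon passphrase from the joke below sails through because it contains no dictionary entry and no key run. On the storage side, each record carries its own salt and iteration count, so two users with the same password get different records and an operator can raise the work factor over time by rehashing on the next successful login.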
A couple of months ago TMCnet profiled one such credential management system, Intercede’s MyID, which writer Dawson described as a credential and identity management product that HP will offer as a component of its Assured Identity Plus.
“Large-scale federal, state and local government agencies and major enterprise customers will be targeted by Intercede and HP under the agreement,” Dawson noted, writing that “a new standard for ease of use and integration is set by the secure and powerful COTS product, MyID Identity and Credential Management System. 14 U.S. federal agencies are already using MyID, and over two million smart cards issued under the Transportation Worker Identity program are also supported by deploying MyID.”
MyID’s corporate customers include major banks, aerospace and defense contractors and other organizations with high-value assets, as well as national ID programs and major health care initiatives around the world.
David Sims is a contributing editor for TMCnet. To read more of David’s articles, please visit his columnist page. He also blogs for TMCnet.

Edited by Jamie Epstein