Welcome to Bucaro TecHelp!


How to Strengthen Website Authentication

When nearly 1.5 million user login credentials were stolen from Gawker Media group and published online, the breach harmed security not only for Gawker but also for a number of other, unrelated websites. Knowing that most people use the same username and password on multiple websites, spammers immediately started using the Gawker login credentials to try accessing accounts on other websites. The result was a massive domino effect across the Web: hundreds of thousands of accounts on Twitter were hijacked and used to spread spam, and many large sites including Amazon.com and LinkedIn prompted users to change their login credentials to avoid fraud.

The domino effect is caused not only by poor password practices on the part of users but also by the weak authentication requirements on websites, which can actually encourage users' bad behavior. The only way to stop the domino effect on website security is for businesses to stop relying solely on passwords for online authentication.

Finding a balance between competing forces.

To achieve strong authentication on the Web, IT professionals must find a balance among three separate forces whose goals are often at odds: the cost and security needs of the company, the impact on user behavior, and the motivations of the would-be attacker.

The goal of the business is to make website security as rigorous as possible while minimizing the cost and effort spent implementing security controls. To do this, it must take into account the behavior and motivations of both its users and the attackers.

In most cases, the attacker also conducts a cost vs. benefit analysis when it comes to stealing login credentials. The attacker's goal is to maximize profits while minimizing the cost and effort spent achieving the payoff. The more the attacker can do to automate the attack, the better the cost vs. payoff becomes. That is why keylogging malware and botnets are still the most pervasive threats, while more sophisticated man-in-the-middle attacks remain rare.

The user also instinctively performs their own evaluation of costs vs. benefits and behaves in a rational way as a result. Although it's easy to blame the users for choosing weak passwords or using the same password on multiple websites, the reality is that creating a unique, strong password for every website is not a rational choice. The cognitive burden of remembering so many complex passwords is too high a cost - especially if the user believes the odds of their credentials being stolen are small or that the business that owns the website will absorb any losses resulting from fraud. Thus, the security advice about choosing strong passwords and never re-using them is rejected as a poor cost/benefit tradeoff. No wonder users continue to have bad password practices.

The motives of the business, the user and the attacker often compete, but they are all intertwined, and IT security professionals should not think of them as separate islands of behavior. We must consider them all when developing an effective security strategy. The goal is an optimal balance: the cost/benefit tradeoff is optimized for the business, the security requirements are easy enough for users to adhere to, and an attack is just difficult enough that it is not worth the would-be attacker's effort.

Recommendations

The fallout from the Gawker Media breach demonstrates that the security of a company's website is affected by the security of every other website. You can't control the security practices at other companies, so you must implement measures to identify risk, add layers of authentication, and incorporate one-time passwords to stop the domino effect from spreading to your company's website.
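The sketch below is an added example, not code from this article: it layers a time-based one-time password (the RFC 4226/6238 construction) on top of the password check, so a password reused from another breached site is not enough to log in. The `Account` class, the `login` and `demo` helpers, the PBKDF2 parameters and the sample password are assumptions made for illustration; the OTP secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the current 30-second time step."""
    return hotp(secret, now // step)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:  # hypothetical account record
    def __init__(self, password: str, salt: bytes, otp_secret: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.otp_secret = otp_secret
        self.last_counter = -1  # highest time step already accepted

def login(acct, password: str, otp: str, now: int, step=30, window=1) -> bool:
    """Succeed only if the password AND a not-yet-used one-time code verify."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    current = now // step
    matched = None
    # Accept +/- `window` steps of clock drift, never a step already used.
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(acct.otp_secret, counter).encode()
        if counter > acct.last_counter and hmac.compare_digest(expected, otp.encode()):
            matched = counter
    if pw_ok and matched is not None:
        acct.last_counter = matched  # burn the code so it cannot be replayed
        return True
    return False

def demo() -> dict:
    # Constructed sample data: made-up password and salt, RFC 6238 test secret.
    acct = Account("correct horse", b"constructed-salt", b"12345678901234567890")
    code = totp(acct.otp_secret, 59)
    return {
        "stolen_password_only": login(acct, "correct horse", "", 59),
        "password_and_otp": login(acct, "correct horse", code, 59),
        "replayed_otp": login(acct, "correct horse", code, 59),
    }
```

Calling `demo()` shows the stolen password alone being rejected, the password plus current code being accepted, and the same code being refused on replay.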

Evaluate your business needs and consider the most common security threats.

First, consider the industry in which the business operates. What type of data needs to be protected and why? What form would an attack most likely take? For example, is an attacker likely to steal user credentials and sell them for profit, or more likely to use stolen credentials to access user accounts and commit fraud? Are you most concerned about stopping brute force attacks, or could your site be a target for a more sophisticated threat such as a man-in-the-middle attack? Are there data security regulations with which the company must comply? Who is the user population: are they employees, business partners or the general public? How security savvy is the user population?

Conducting an evaluation of the business needs, the most prevalent threats and the user behavior will help determine the level of risk and how stringent the authentication requirements should be.

Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268