Recent Blog Posts
Where is your company headed, and what kind of IT system does it need to reach its goals quarter by quarter, year after year? Many businesses don’t know how to address this question with the appropriate depth and strategic thinking. CEOs, executives, managers, and small business owners may know where they want to take their company, but may not have a clear idea of the IT decisions they’ll need to make along the way. Companies are also facing a plethora of technological changes that affect everything from marketing to cyber security, and they need to decide which tech solutions to adopt and how to prioritize them within their budget.

Without strategic IT planning, companies face various disadvantages:
- Wasted money on unneeded hardware and software.
- IT decisions that don’t align with business needs and objectives.
- A lack of focus and organization, and an emphasis on short-term thinking.
- A failure to anticipate technological developments and their effects on the company.
- An inability to prioritize the projects and expenditures that are most necessary at any given point.
- Poor communication between IT personnel and the rest of the company.

How can an IT road-map help?

Your company’s IT road-map is a master plan for how you’ll use technology to support your business operations and goals over the coming three to five years. The document clearly spells out your strategic IT planning, providing a detailed overview of the projects you wish to undertake and the decisions you’re prioritizing. Employees holding leadership positions in your company can use this document as a basis for discussing, planning, and guiding decisions. It’s an excellent collaborative tool, ensuring that everyone is on the same page. It helps your IT personnel work closely with employees in other departments to make the decisions best suited for your company.

How can you create an IT road-map?
Creating the road-map will involve input from company leadership and from your IT team (which includes your managed services provider and any in-house personnel). As for the content of the road-map, start by answering the following questions:

What are your company’s top priorities? Make a list of the important goals and milestones you want to reach, and the ways in which you envision your company developing. Even though this list isn’t specific to IT, but applies to your company more generally, it will give your IT road-map coherence and remind you of the purposes underlying various IT decisions.

What IT projects or major tasks do you wish to undertake in the coming months and years? Organize these into a timeline that includes estimated start and end points and other information about the resources required (e.g. budget and personnel, including the employees overseeing each project). You can also categorize the projects by different IT areas. For instance, one category can be anything pertaining to your network architecture and the modifications you want to make to it; another area can involve your e-commerce platform and how you want to develop it and keep it secure.

What are your justifications for each project? Spelling out the specific reasons for each project will help you prioritize them, position them appropriately in the timeline, and identify projects that you may want to delay, modify, or scrap. Especially for projects scheduled in the coming year, the justifications should be well-developed and detailed. For example, if you’re planning to adopt a new kind […]
The National Institute of Standards and Technology has issued a draft document on “Digital Identity Guidelines,” and it contains some surprises if you follow traditional password practices. Section 5.1 is the relevant section on “memorized secret authenticators,” more commonly known as passwords or PINs. The advice is based on the latest research, so it’s worth paying attention to even if it’s a change from current practice.

- The minimum length for user-selected passwords should be 8 characters, and ones with 64 characters or more should be allowed. The number of possible passwords goes up exponentially with their length, so a long one is a strong one.
- Letting the user store a hint about the password is a really bad idea. It makes it easy to remember, but also easy for someone who sees the hint to guess.
- A service should check the user’s chosen password against a list of easily guessed ones. If there’s a match, the user should be required to pick another one. Too many people will pick obvious ones like “123456” (which is also too short) or “password.”
- Passwords should never be stored directly on the server. Instead, it should store a hash of the password that meets certain minimum requirements. A hash is a value which is algorithmically derived from the password but doesn’t allow the password to be regenerated from it. This way, even if someone gets the password data from the server, the actual passwords aren’t compromised.
- The number of login attempts in a session should be limited.
- Password entry should use a secure connection.
Those requirements shouldn’t surprise many people, but now it gets interesting:

- The service shouldn’t “impose other composition rules.” That means it shouldn’t require, for instance, digits and special characters. NIST says that “users respond in very predictable ways to the requirements imposed by composition rules.” Adding a digit to the end of a password or replacing “o” with “0” doesn’t do much good.
- The service shouldn’t require periodic password changes for their own sake. It just makes people choose easier passwords or write them down next to the computer.
- Users should have the option of seeing their password as they’re entering it. Hiding it is good if others might see the screen, but it makes it hard to enter complex passwords, especially on a mobile phone keyboard where typing errors are easy.

Information theory says that a strong password is one with high entropy. Entropy, roughly speaking, is a measure of randomness. When applied to passwords, it’s measured in bits. The idea is that the number of possible passwords someone would have to guess from is the number of alternatives you can express in that many bits. Each additional bit doubles the amount of work needed to guess the password. The NIST document, though, finds this concept too vague to be useful and says that methods of calculating entropy aren’t very accurate. A known password has just one […]
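As an added illustration (not code from the original post or from NIST), the Python below implements the draft-guidance rules summarized above on the server side: an 8-character minimum with long passwords allowed, a check against a list of easily guessed passwords, no composition rules, a salted hash so the plaintext is never stored, and a cap on consecutive failed login attempts. The blocklist, the PBKDF2 iteration count and the lockout threshold are constructed values chosen for this example, not figures taken from the NIST document.

```python
"""Password acceptance, storage and login throttling following the draft NIST
guidance described above. Added example; the blocklist, iteration count and
lockout threshold are constructed values, not NIST figures."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8          # draft guidance: at least 8 characters
MAX_LENGTH = 128        # draft guidance: 64 or more must be allowed (128 is our choice)
PBKDF2_ITERATIONS = 600_000   # constructed work factor for the example
LOCKOUT_THRESHOLD = 5         # constructed limit on consecutive failures

# Constructed sample of commonly chosen passwords; a real service would load a
# large breach-derived list rather than this handful.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "password1"}


def _normalize(candidate: str) -> str:
    # Unicode normalization so the same visible text always compares/hashes equally.
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate: str) -> list[str]:
    """Return the reasons a chosen password is rejected; an empty list means accepted.
    Deliberately no composition rules: no 'must contain a digit or symbol' checks."""
    normalized = _normalize(candidate)
    problems: list[str] = []
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if normalized.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def hash_password(password: str) -> str:
    """Store only a salted PBKDF2-SHA256 hash, encoded as
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'. The plaintext is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginLimiter:
    """In-memory counter of consecutive failed attempts per account (illustrative;
    a real service would persist this and add a cooldown)."""

    def __init__(self, max_attempts: int = LOCKOUT_THRESHOLD) -> None:
        self.max_attempts = max_attempts
        self._failures: dict[str, int] = {}

    def record_failure(self, account: str) -> None:
        self._failures[account] = self._failures.get(account, 0) + 1

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.max_attempts


def attempt_login(limiter: LoginLimiter, account: str, password: str, stored: str) -> bool:
    """Refuse locked accounts outright; otherwise verify and update the counter."""
    if limiter.is_locked(account):
        return False
    if verify_password(password, stored):
        limiter.record_success(account)
        return True
    limiter.record_failure(account)
    return False


if __name__ == "__main__":
    for pw in ["password", "short", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify:", verify_password("correct horse battery staple", record))
```

Note that `check_password` accepts a 70-character passphrase and rejects “123456” for two reasons at once (too short and on the list), while a password with no digits or symbols passes as long as it is long enough and not on the list, which is exactly the “no composition rules” point.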
On July 29th, it was discovered that cybercriminals had “exploited a U.S. website application vulnerability to gain access to certain files,” according to the company. In the statement released on August 7th announcing the breach, Equifax reported that those responsible had managed to access information including names, birth dates, addresses, Social Security and driver’s license numbers. 209,000 people also lost their credit card information, and dispute documents with personally identifiable information were accessed affecting another 182,000 people.

The scope of this attack is staggering, especially considering that the total population of the United States is estimated by the Census Bureau to be 324 million adults. A quick calculation tells us that the 143 million potentially affected makes up a full 44 percent of the country’s total adult population.

As if this situation isn’t bad enough for Equifax, the activities of some of the company leadership are also being called into question. Chief Financial Officer John Gamble Jr., U.S. Information Solutions President Joseph Loughran, and Workforce Solutions President Rodolfo Ploder sold almost $2 million in company shares mere days after the breach was uncovered. While it is not yet clear if the breach and these sales are connected, Equifax has released a statement stating that the men had no knowledge of the intrusion when the sales were made. The company’s stock fell by more than 12 percent shortly afterward.

Equifax is currently working with state and federal authorities, including the FBI, and is actively alerting those whose information was accessed through the mail. We suggest that you keep an eye on your mailbox in case you have been breached. There are plenty of websites and services, including one from Equifax, dedicated to determining whether or not your personal information was accessed – all you have to do is give these sites and services access to your personal information.
In light of what has happened, we do not recommend taking this route. Instead, you should be careful to monitor your own financial information and to report any oddities to the proper authorities.

You may also be tempted to enroll in an identity protection service. Equifax themselves are offering a free year of monitoring from their service, called TrustedID. However, there have been reports that enrolling in this service will leave you ineligible to participate in a class action lawsuit against Equifax. If you decide to enroll, make sure you understand all of the fine print. Otherwise, you should make sure to go through and change your passwords and watch your credit statements for suspicious activity. This is especially true if you utilized any of Equifax’s business services, as your business could be affected as well.

If you suspect that your information was stolen, the Federal Trade Commission offers a helpful guide to determining if that is the case. If so, you need to report it to the Federal Trade Commission as well as place a fraud alert on your credit report.
Business-critical data can be corrupted in a multitude of ways. Malware, hackers, hardware failure, and even user error could put your business in a very precarious position if you fail to set up contingencies. In fact, a majority of small and medium-sized businesses will fail within 18 months if they are faced with a major data-loss incident. Our network-attached backup and disaster recovery system will ensure that data that is lost isn’t lost for long.

The BDR works wonders because organizations understand that in order to have any continuity in the face of disaster, critical information must be maintained. The device is attached to your network and set up to your needs. Once you decide what business-critical data you want to protect, a full backup is performed. Subsequently the system will, at intervals that you choose, back up only files that have changed. This creates a much more lightweight solution than using traditional tape backups or manual HDD-to-HDD backups, as many organizations still do.

The best part of the solution is that while the protected data is backed up on the NAS BDR, it is also automatically uploaded to the cloud. Hosted in an off-site data center, your data will be redundant in multiple places, both onsite and off, and ready for recovery when you need it. This provides the organization the secure data protection they are looking for in a backup system, without the manual work and downtime that many of yesterday’s top backup systems required.

If you are looking for a way to protect your business from the threat of data loss, call White Mountain IT Services’s IT professionals at (603) 889-0800 to set up a consultation.