by Nabil Hannan, Managing Principal – Financial Services, Software Integrity, Synopsys
What password security trends/themes have you seen emerging over the past year?
With many password leaks on the internet, organizations are starting to realize how important it is to store passwords securely in their applications. Storing passwords securely is not as simple as it might seem at first. Details of how to store passwords securely can be found here: https://www.synopsys.com/blogs/software-security/securing-password-digests-or-how-to-protect-lonely-unemployed-radio-listeners/. The themes I’m seeing in the industry are:
- People are moving away from a username-and-password-only model (one factor) to a two-factor authentication model to protect their users in case their passwords get breached
- Social logins are gaining popularity and becoming easier to integrate, and organizations are leveraging social logins to make signing up/authentication easier for the end user
What are some of the top password best practices that can be implemented on the org side? By end users?
On the organizational side, practices around the usage of strong passwords, regularly having users change their passwords, and making sure passwords are stored securely are important things to keep in mind. On the end users’ side, smartphones, tablets, and personal computers have software available that will manage/synchronize your passwords across devices (Apple’s iCloud Keychain, Google Chrome’s password manager, etc.). There are also other paid password managers that end users can use. This allows them to let the password manager generate strong and unique passwords, and manage them across the end users’ different user accounts and machines.
Are passwords becoming passé? If so, what’s the future?
Although using passwords may not be the most secure way of authenticating, it’s simple, and people have gotten into the habit of understanding how to use the combination of username/password to authenticate. Eventually, passwords will become obsolete, and new authentication techniques leveraging social logins, single sign-on, and biometrics will start gaining more traction. Ultimately, which solution is adopted in the future will depend on which solution the end users end up using the most.
What problems exist in terms of password storage? How can firms protect sensitive data such as passwords?
Storing passwords securely is challenging because it’s not quite as straightforward as just hashing or encrypting the password and storing it. See: https://www.synopsys.com/blogs/software-security/securing-password-digests-or-how-to-protect-lonely-unemployed-radio-listeners/
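The following is an added example, not code from the interview or from Synopsys, illustrating why a plain hash is not enough and what a defensible password digest looks like. It assumes PBKDF2-HMAC-SHA256 from Python's standard library with a per-user random salt, a high iteration count, a self-describing storage format, constant-time comparison, and a check for whether an older digest needs upgrading; the function names, the `pbkdf2_sha256$iterations$salt$digest` layout, and the iteration count are choices made here, not the blog post's.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the interview): PBKDF2-HMAC-SHA256,
# 16-byte random salt per user, 600k iterations, 32-byte derived key.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def naive_digest(password: str) -> str:
    """The 'just hash it' approach: unsalted, fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing digest string: algorithm$iterations$salt$digest.

    The salt is random per call, so two users with the same password get different
    digests, and the iteration count is stored so it can be raised later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations_str, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=DKLEN)
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses an old algorithm or fewer iterations than current policy.

    Call this after a successful login, when the plaintext is available, and re-store
    the result of hash_password() to migrate users to the stronger parameters.
    """
    try:
        algorithm, iterations_str, _salt, _digest = stored.split("$")
        return algorithm != ALGORITHM or int(iterations_str) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    # Constructed legacy record with a weak iteration count to show the upgrade check.
    legacy = hash_password("correct horse battery staple", iterations=1_000)
    print("legacy needs rehash:", needs_rehash(legacy))
```

Two things the example makes visible that the sentence above only states: `naive_digest` returns the same value for every user who picked the same password, which is what lets leaked tables be cracked in bulk, while two calls to `hash_password` on the same input never collide because the salt differs; and because the iteration count travels with the record, `needs_rehash` lets an application tighten its parameters over time instead of being stuck with whatever was chosen at launch.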
Other password aspects you’d like to discuss? Anything we can tie back to SIG offerings?
Passwords are just like any other sensitive data/asset of the software ecosystem. In order to design a system securely, organizations have to do the necessary business analysis to understand the importance of the data, do threat modeling to understand what controls need to exist to protect the data from threat actors, and then ensure those controls get included in the software requirements so that they actually get implemented and tested as part of the Secure SDLC.