The following was written by Equity Trust Company Chief Information Security Officer Jason Nester.
Since modifying our password policies to encourage the usage of “passphrases” and adding MultiFactor Authentication to our logon process, we have received a lot of great feedback and questions from our customers. Four specific questions have popped up more than others, and I wanted to take a moment to address them.
Why are your password policies different from everyone else?
This is the question we receive most often, and it is also the most important aspect of our new policies. Being different from other online services was exactly our goal.
Prior to our policy change, nearly every successful unauthorized logon to a myEQUITY.com account could be traced back to a compromise of a different website that the customer utilized. Due to customers reusing the same password across multiple websites, a single breach elsewhere allowed the attacker to access other website accounts, including myEQUITY.
We specifically designed our new policy to be unique from other websites to help prevent customers from reusing a common password, thereby providing better security for their myEQUITY accounts. So far, this policy change has proven to be very effective.
Video: myEQUITY Security Enhancements
Doesn’t MultiFactor Authentication remove the risk of unauthorized logons?
MultiFactor certainly helps reduce this risk, which is why we have deployed it. However, our records show that an overwhelming majority of our customers chose the least secure option of SMS/Voice when enrolling into our MultiFactor program rather than following our recommendation to use a MultiFactor application installed on their smartphone.
SMS is the weakest form of multifactor authentication and has several attack vectors. The most prevalent method of attacking SMS authentication is by tricking, or even bribing, employees at mobile phone stores to transfer control of a cellular number to a device under the control of the attacker. Your cellphone carrier likely employs tens of thousands of people who have the ability to transfer your phone number to another device. Each of these employees is a potential attack target for someone trying to gain access to your account.
Password reuse is also an issue here, as it is reasonable to expect customers who regularly reuse passwords do so on their cellular provider’s website as well. This provides an avenue for an attacker to make changes to a customer’s cell phone plan without their knowledge.
Recently, security reporter Brian Krebs wrote an excellent article detailing a far simpler and faster way for attackers to gain access to SMS text messages which I would encourage everyone to read.
In short, while we believe that adding MultiFactor Authentication to our logon process has greatly improved the security of our customers, we do not believe this to be a foolproof solution, and additional precautions must be taken to keep our customer’s accounts safe from attack.
How do you expect customers to remember unique passwords for every website?
We encourage customers to consider using a password manager application. This is an application you can install on your computer and/or smartphone that allows you to securely store your passphrases and passwords. The password manager is itself secured by a master password or by biometric controls such as fingerprint and face scanning. The result is that you only need to remember your master password, and that will give you access to all of your other passwords.
Furthermore, many of these applications are excellent at auto-populating the username and password fields of websites, meaning that the logon process becomes considerably faster and easier for the user. An up-to-date list of available password managers can be found on Wikipedia.
Additionally, we heavily encourage you to utilize a “passphrase” rather than a password. A passphrase is simply a sentence or collection of words. Passphrases are great because they are very easy to remember, but much more difficult to guess or crack.
What about account lockout policies?
This deals with the other common tactic for compromising accounts: Brute force logon attempts. During a brute force attack, an attacker tries to gain access to accounts by trying numerous common passwords.
A common misconception is that these attacks focus on a single username and attempt thousands of different passwords. If this were the case, account lockout policies after multiple incorrect attempts would indeed prevent the attacker from being successful. However, the way these attacks actually work is by trying the same common password across numerous usernames. This attack technique assumes that out of thousands of user accounts at least a few are likely to be using a simple, common password, and it is just a matter of time to find one. These attacks are often run slowly over many days, weeks, or even months in an attempt to stay under the radar.
At Equity Trust, we heavily monitor these brute force logon attempts and gather data about what the attackers are trying. Unsurprisingly, what we see is that over 75 percent of the passwords attempted in these attacks are below our minimum password policy requirements.
For the remaining 25 percent of logon attempts, the passwords are drawn almost entirely from publicly shared “password dumps” resulting from compromised websites, which we also prevent our customers from inadvertently using. These statistics show that our policies are effective in keeping our customers safe.
I hope these responses help explain the logic behind our passphrase and MultiFactor policies. These decisions were made specifically to help keep our customers’ assets safe from attackers, and we hope that our customers can appreciate our commitment to their account security. Attack techniques are ever-changing, and at Equity Trust we are constantly monitoring these changes to ensure that we have the appropriate defenses in place.
