While my company has rules for how frequently passwords are changed on such endpoints as corporate-issued laptops, there is a complete lack of rules regarding how often passwords are changed on third-party applications that users access for business purposes (e.g., Facebook, Twitter, etc.). Should enterprises issue guidance to users regarding password change frequency for such applications, and if so, what should that guidance be? In what instances should two-factor authentication be employed on third-party applications that support it?
Ask the Expert
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
The most important rule regarding passwords for third-party applications is that different passwords are used for employees' personal and business personas. For example, the password Bob uses for his personal Twitter account should differ from the password he uses for the company's Twitter account. This requirement should be part of your acceptable usage policy covering the use of social media sites and other third-party applications. Avoiding password reuse minimizes the impact of phishing attacks and also stops a hacker from immediately accessing business-related accounts after obtaining an employee's personal-use password.
User accounts on social media sites are a prime target for hackers and cybercriminals. Require users to change their passwords for third-party apps as frequently as they do for corporate network accounts, and to follow password strength rules. Employees should not use the same password for all sites, and passwords used for network access should never be used for online accounts. These requirements are unlikely to be well received by users due to the inconvenience they pose. Awareness training highlighting the many instances of successful attacks against online account information can help illustrate the importance of strong and regularly changed passwords.
The privacy settings of social networking sites are by no means foolproof, but they can restrict access to profile data and limit what other members can see. Users should regularly verify that their settings are correct and check their account to see what information is publicly available. If the last login date is incorrect, erroneous changes appear on their profile pages, or unrecognized people appear in their contact list, then the account has probably been hacked. In such a case, users should be advised to immediately change the password and notify the provider.
Many applications, including Facebook and Gmail, now offer two-factor authentication. Apart from a little user training, there are no additional costs involved to implement it. Any organization whose risk assessment concludes that its employees may be the targets of spear-phishing campaigns should use two-factor authentication wherever possible.
Google Authenticator is free, open source and standards-based, and can be easily integrated with WordPress, Dropbox, Amazon Web Services and other applications to add two-factor authentication. The Google Authenticator app allows you to sign in even if your cell phone doesn't have a signal. Many apps such as Facebook allow the use of the open-standard authorization protocol OAuth, which provides access control for multiple independent services without sharing credentials.
Be aware that two-factor authentication does not provide positive identification, only authentication. Positive identification can only be achieved using biometrics. With nonbiometric authentication, as long as someone enters the correct combination of username and password, they are granted access, regardless of who they actually are. However, two-factor authentication that uses out-of-band authentication does require a hacker to go to extensive lengths to beat it, so systems that utilize out-of-band methods, such as a PIN sent to a smartphone, add an additional layer of protection.
This was first published in April 2013