Bayt.com

Start networking and exchanging professional insights

Register now or log in to join your professional community.

Follow

What are best practices for secure password distribution after a data breach?

Databases Ethical Hacking Information Security Management
user-image
Question added by Absharul Haque , IT Manager , Royal Orchid Hotels
Date Posted: 2013/09/24
Upvote (0) Views (6) Followers (1) Answers (3) Report Question
Write an Answer
Register now or log in to answer.
Ayoub Tartir , PMP, GWCPgM, CISA, CISSP, CAP, CSSLP, FITSP-D, CEH, CHFI, CCNA, CCNA Security, Security+, Network+

You need, from the beginning, to choose a best hash method to encrypt the passwords which is SHA-386. Hashing is different than encryption, hashing is only a one way function, so if you hashed the passwords, you will not retrieve them back into a text format, while encyption is a two way function and you can retrieve the passwords back into the text format if the hacker knows the encryption key.

Ahmad Yassein
by Ahmad Yassein , Infrastructure Network Manager , Ministry of International Cooperation (MIC)

I highly encourage one-time passwords (OTP) systems. Two-Factor authentication mechanisms should be put in place for added security. However, security practices dictates that educating users is of a mandatory requirement when it comes to compromised credentials. Before even implementing any security tool, your users (employees) must be kept trained. Users are the main source of all security issues even if you have the golden globe in information security. 

 

There are actually many methods to secure passwords in your place. Here are few of what i remember:

1) Use OTP systems.

2) Create a password policy so that passwords expire every30 days.

3) Of course, you guessed it, create a complex combination in your passwords. In my place, i use at least passwords of10 characters long, mixed with whatever you like.

 

 

Daanish Rumani
by Daanish Rumani , Product Manager , Publicis Sapient

Passwords should never be stored or transmitted. After an attack or a suspicion you should reset the passwords of affected or all users. They would have to choose a new password upon the first login after the reset.

 

You need to email the users with a password reset link. If all users do not have emails you can SMS them the new randomly generated password. Regardless of the medium used to communicate a new random password you need to ensure that the new password has validitiy for a small duration (1-3 days) or the first login whichever is earlier. Again the users must choose a new password upon their first login.

 

If email and SMS are also not possible then you need to search for alternatives such as Interactive Voice Response (IVR) or the like.

Write Your Answer
More Questions Like This

Do you need help in adding the right keywords to your CV? Let our CV writing experts help you.

Get Help