Passwords Remain Important for Data Security, FTC Reminds Businesses

Manatt, Phelps & Phillips, LLP

The most recent installment in the Federal Trade Commission’s “Stick with Security” blog series focuses on passwords.

Insist on long, complex and unique passwords, wrote Thomas B. Pahl, acting director of the FTC’s Bureau of Consumer Protection, as passphrases or longer passwords are generally harder to crack. You should also avoid the use of “obvious choices” like qwerty or ABCABC.

The smart strategy for businesses: “to think through their standards, implement minimum requirements, and educate users about how to create stronger passwords. Also, when you install software, applications, or hardware on your network, computers, or devices, change the default password immediately. And if you design products that require consumers to use a password, configure the initial set-up so they have to change the default password,” the FTC explained.

For example, set up a system to reject an obvious choice of password (such as “payroll” to enter a database that includes employee payroll information), educate employees about secure password choices and don’t allow employees to share passwords, the agency suggested.

Passwords should also be stored securely, and efforts should be made to guard against brute force attacks by suspending or disabling user credentials after a certain number of unsuccessful login attempts. The FTC advised that sensitive accounts should be protected with more than just a password, such as through multifactor authentication techniques.

In one example, a mortgage company that permits customers to access their accounts requires them to enter a secret verification code generated by an authentication app on their smartphone in addition to their password. “By implementing this additional protection, the mortgage company has bolstered security on its site,” the agency explained.

Companies should also protect against authentication bypass by allowing entry to a credentialed site only through an authentication point that prohibits individuals from skipping the login page and simply typing in a URL of a supposedly restricted page, the FTC said.
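
One way to build the single authentication point described above, as an added example that is not from the FTC post or this update: a default-deny WSGI middleware through which every request passes, so a restricted URL typed in without a valid session is sent back to the login page. The names `AuthGate` and `PUBLIC_PATHS`, the `/login` and `/accounts/statement` paths and the HMAC-signed cookie format are assumptions, and session expiry is left out.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

SECRET = secrets.token_bytes(32)  # assumption: per-process session-signing key
PUBLIC_PATHS = {"/login"}         # hypothetical allowlist; every other path needs a session

def _mac(user: str) -> str:
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def sign_session(user: str) -> str:  # issued by the login handler after credentials check out
    return f"{user}.{_mac(user)}"

def verify_session(token: str):  # user name for a correctly signed token, otherwise None
    user, _, mac = token.rpartition(".")
    ok = bool(user) and hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None

class AuthGate:
    """WSGI middleware: the wrapped app is reachable only through this check."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "/") not in PUBLIC_PATHS:
            try:
                token = SimpleCookie(environ.get("HTTP_COOKIE", ""))["session"].value
            except (CookieError, KeyError):  # malformed or missing cookie
                token = ""
            user = verify_session(token)
            if user is None:  # e.g. a restricted URL typed in without logging in
                start_response("302 Found", [("Location", "/login")])
                return [b""]
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)

def restricted_app(environ, start_response):  # stand-in for the restricted pages
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ.get('REMOTE_USER', 'anonymous')}".encode()]

def fetch(app, path, cookie=""):
    # Drive the app once with a constructed request; return (status, body).
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body

gated = AuthGate(restricted_app)
```

Because the check wraps the whole application and matches the allowlist exactly, a page added later is protected without its author having to remember to call the login check.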

To read the FTC’s blog post, click here.

Why it matters: “The message for businesses: Think through your authentication procedures to help safeguard sensitive information on your network,” the FTC concluded. The third post in the “Stick with Security” series followed discussions of the importance of collecting sensitive information only when necessary and the ways access to data can be sensibly controlled. The next post will cover storing sensitive personal information securely and protecting it during transmission.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising
