2016 was an interesting year for the tombola Information Security team. Due to the growth of tombola we recently became a PCI DSS Level 1 merchant, meaning we are required to perform in-depth PCI auditing with an external auditor. As part of this process we brought in a Penetration Test company to help find issues that we needed to respond to.
The penetration test shone some light on some weaknesses that we hadn’t been aware of and really encouraged us to fix some issues. One of the areas that was highlighted from this was the strength and management of network user passwords. This prompted us to implement a system to improve the strength of our passwords.
In order to keep our whole infrastructure in line with our password policies we have been migrating our in-house applications to use Active Directory integration. As tombola is running 24/7 it is important that these accounts are available to our staff at any time of the day, without requiring the assistance of the support team. This was our motivation to implement a password reset portal.
It is no secret that weak passwords are a major security concern; password leaks now garner significant publicity in newspapers and online.
Public password leaks in the last few years have come from industry leaders such as Yahoo, Friend Finder, Hilton Hotels, Walmart, Adobe, eBay, LinkedIn, and NASDAQ. These huge leaks often involve millions of accounts – MySpace is believed to be the biggest leak ever, at over 427 million customer passwords. Whilst we aren’t on the same scale as a lot of these companies, this goes to show that any company can be the victim of a password leak.
A research study released in January 2017 by Keeper Security showed the top 25 most common passwords of 2016 (https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/ ). ‘123456’ was the most common password, protecting nearly 17% of user accounts.
The study found that previously common dictionary words such as ‘baseball’ and ‘monkey’ have fallen out of the top 25, replaced by a frightening frequency of simple number sequences or keyboard patterns (qwerty, zxcvbnm, 1q2w3e4r).
Due to the rapid increases in computing power, password cracking is getting progressively easier and faster. A recent study used a 25-GPU cluster to crack every possible combination of an 8-character password in under 6 hours (offline cracking using NTLM hashes – http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ ).
To attempt to combat poor password practices and the increasing likelihood of them being cracked, we implemented a solution called Specops Password Policy – http://www.specopssoft.com/product/specops-password-policy/
Specops Password Policy provides an extension to Group Policy that allows us to set very granular controls on password policies, using an installed ‘Sentinel’ to check passwords against the complexity requirements. This gives us all the standard options for password length and character types, plus a number of additional requirements.
Creating a dictionary list of common words allows us to prevent easily predictable passwords such as ‘tombola’ or ‘bingo’ from being used. We can restrict users from using part of their name, and prevent them from simply iterating the previous password – e.g. password1 to password2.
We can also enable the usage of passphrases, which are often recommended. This allows the user to bypass some of these rules as long as their phrase is >=20 characters. At this length password-cracking tools become nearly useless, and the passphrase is easier to remember for the user.
The great thing about Specops is that it gives us options to set different policies for different groups of users. Whilst all users are required to meet a compliance-required minimum complexity, we have created policies to enforce more complex requirements for privileged user accounts.
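To make the rules above concrete, here is an illustrative checker written for this post (it is not Specops code and does not reproduce the product’s logic). It assumes a constructed banned-word list, a 12-character minimum for ordinary passwords, and that a passphrase of 20 or more characters bypasses the length, character-class and dictionary rules but not the name and previous-password rules:

```python
import re

# Constructed sample dictionary; the post cites 'tombola' and 'bingo' as examples.
BANNED_WORDS = ("tombola", "bingo", "password", "qwerty", "123456")
PASSPHRASE_MIN_LEN = 20  # assumption: >=20 chars is treated as a passphrase

def _iterates_previous(new: str, previous: str) -> bool:
    """True when `new` is `previous` with a trailing number bumped by one
    (password1 -> password2) or a number simply appended (password -> password1)."""
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    if not m_new:
        return False
    stem_new, digits_new = m_new.groups()
    m_prev = re.fullmatch(r"(.*?)(\d+)", previous)
    stem_prev, digits_prev = m_prev.groups() if m_prev else (previous, None)
    if stem_new.lower() != stem_prev.lower():
        return False
    return digits_prev is None or int(digits_new) == int(digits_prev) + 1

def check_password(candidate, previous, first_name, last_name, min_len=12):
    """Return the list of policy violations; an empty list means the password passes."""
    lowered = candidate.lower()
    violations = []
    # Rules that apply to passwords and passphrases alike.
    if _iterates_previous(candidate, previous):
        violations.append("iterates previous password")
    for part in (first_name, last_name):
        if len(part) >= 3 and part.lower() in lowered:
            violations.append(f"contains part of name: {part}")
    if len(candidate) >= PASSPHRASE_MIN_LEN:
        return violations  # passphrase: length alone satisfies the complexity rules
    # Rules for ordinary passwords only.
    if len(candidate) < min_len:
        violations.append(f"shorter than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for p in classes if re.search(p, candidate)) < 3:
        violations.append("needs at least 3 of: lower, upper, digit, symbol")
    for word in BANNED_WORDS:
        if word in lowered:
            violations.append(f"contains dictionary word: {word}")
    return violations
```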
In addition to our regular security communication to the business, we have also distributed guidance on how to create secure passwords – the user is the most important part of the security of our accounts!
As our sites are live and active 24/7, it is critical that network accounts remain available for our Chat Moderators and Customer Service staff. The business requires accounts to be unlocked and passwords reset at any time of the day, without requiring an on-call engineer to deal with them.
For this reason we implemented Specops uReset – https://specopssoft.com/product/specops-ureset/
uReset is a cloud solution that allows users to manage their account without any assistance from the support team. Users can access the web portal at any time of the day to reset/unlock their account.
uReset uses over 20 supported ‘Identity Services’ to authenticate the user when they have forgotten their password. These services cover multiple access controls and include:
- Time-based One-Time Passwords (TOTP – e.g. Google Authenticator)
- Biometrics (Specops’ own fingerprint recognition mobile app)
- SMS tokens
- OAuth tokens (e.g. sign-in with Facebook, Google, Twitter, etc.)
- Security questions
We also weigh and layer these services to require extra identification based on job role. Each identity service is allocated a ‘star-rating’ which shows how secure it is. The higher the star-rating, the fewer services need to be used to authenticate. For example, we have valued a fingerprint authentication at 3 stars, as a biometric service is significantly more secure than a one-star service such as security questions.
We also vary the requirements for authentication based on the user’s access to confidential data; privileged accounts require a higher level of authentication than standard accounts. This could mean that they need to provide 5 ‘stars’ of identity services rather than 3.
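The star-rating scheme as a small model, added for this post rather than taken from uReset. The only ratings the post gives are fingerprint = 3 and security questions = 1, and the thresholds 3 (standard) and 5 (privileged); the other ratings are assumptions:

```python
# Assumed star ratings; fingerprint and security questions come from the post.
SERVICE_STARS = {"fingerprint": 3, "totp": 2, "sms": 2, "oauth": 2, "security_questions": 1}
# Stars required before a reset/unlock is granted, by account tier (from the post).
REQUIRED_STARS = {"standard": 3, "privileged": 5}

def plan_challenges(tier, enrolled):
    """Choose which enrolled services to challenge, strongest first, until the tier's
    threshold is met. Returns (challenges, reachable); reachable is False when the
    user's enrolled services can never add up to the threshold, in which case the
    portal should not offer self-service and the request goes to the helpdesk."""
    required = REQUIRED_STARS[tier]
    usable = set(enrolled) & set(SERVICE_STARS)
    ranked = sorted(usable, key=lambda s: (-SERVICE_STARS[s], s))
    chosen, earned = [], 0
    for service in ranked:
        if earned >= required:
            break
        chosen.append(service)
        earned += SERVICE_STARS[service]
    return chosen, earned >= required

def reset_allowed(tier, verified):
    """Sum stars over the distinct services actually verified, so repeating one
    weak factor cannot inflate the total, and compare with the tier's threshold."""
    earned = sum(SERVICE_STARS.get(s, 0) for s in set(verified))
    return earned >= REQUIRED_STARS[tier]
```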
Through the implementation of Specops we aim to reduce helpdesk requests and improve account availability by letting users manage their own accounts, whilst still maintaining the security of the accounts and the password reset process.
Specops will serve as a valuable tool in protecting our users but we are still aware that the users are the most critical part of our security. We hope that empowering our staff to manage their own accounts will encourage better password management and security standards.