Rethinking Password Protection: Best Practices for Handling User Passwords

Apr 12, 2013
By:
Chris Conley

ACLU of Northern CA

We often think of passwords as the "house keys" of the digital world, but there's more to that metaphor than you might realize. Home security is about designing good keys and good locks — and using them properly. It's about putting spare keys somewhere safe rather than under your doormat. It's about knowing that the lock and key guard the only way in. And it's about systems that sound the alarm when the lock isn't enough. In the online world, providing users with strong "keys" (which may be more than just passwords), following best practices for storing those keys, and ensuring that customers are notified about breaches or unusual activity fill the same role. Does your company take these steps to keep your users' online homes secure, or just hand users a rusty key and wish them luck?

One simple way to help users secure their accounts is to guide them toward better passwords – ideally ones that are easy to remember but hard to crack, rather than the opposite. Make sure your password policies are clear and sensible, too; don't make the mistake AT&T did by coming up with arbitrary password restrictions. Rules that cap length or forbid particular characters only make passwords weaker.

One idea: help users generate a passphrase of several randomly chosen common words, like "correcthorsebatterystaple", as a password. The strength comes from the random choice of words (with a list of 2,048 words, four words give 44 bits), not from gibberish or substituted characters.
Just don't actually suggest "correcthorsebatterystaple": the comic made it famous, and it now sits in every cracking wordlist.

(Original comic: http://xkcd.com/936/)
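The following is an added example, not code from the original post: a passphrase generator of the kind the comic describes, with the entropy arithmetic that tells you how many words a list of a given size needs, plus a deliberately simple policy check (a length floor and a denylist of famous passwords, no arbitrary character-class rules). The 32-entry word list, the denylist contents and the 12-character minimum are assumptions made for the example; a real deployment would load a curated list of a few thousand short common words.

```python
import math
import secrets

# Constructed word list for this example (32 words = 5 bits per word, far too
# small for real use; the functions below take the list size as a parameter).
WORDS = [
    "correct", "horse", "battery", "staple", "river", "pencil", "window",
    "orbit", "garden", "marble", "velvet", "copper", "lantern", "meadow",
    "pillow", "rocket", "saddle", "tunnel", "walnut", "yellow", "anchor",
    "basket", "candle", "dragon", "falcon", "glacier", "hammer", "island",
    "jacket", "kettle", "ladder", "mirror",
]

# Assumed denylist: phrases famous enough to be in every cracking wordlist.
DENYLIST = {"correcthorsebatterystaple", "password", "123456"}


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, words=WORDS, separator: str = "") -> str:
    """Draw words with a CSPRNG (secrets, not random); re-draw if the result
    happens to be a denylisted phrase."""
    while True:
        phrase = separator.join(secrets.choice(words) for _ in range(n_words))
        if phrase not in DENYLIST:
            return phrase


def check_policy(password: str, min_length: int = 12) -> tuple:
    """A sensible policy: a length floor and a denylist, nothing arbitrary.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"must be at least {min_length} characters"
    # Normalise spacing/case so "Correct Horse Battery Staple" is caught too.
    if password.lower().replace(" ", "").replace("-", "") in DENYLIST:
        return False, "too common"
    return True, "ok"


if __name__ == "__main__":
    print(f"xkcd figure: {entropy_bits(4, 2048):.0f} bits from 4 of 2048 words")
    print(f"words needed for 60 bits from a 7776-word list: {words_needed(60, 7776)}")
    print("sample passphrase:", generate_passphrase(4, separator="-"))
```

Note that the generator never looks at the passphrase it produced to judge strength; strength is a property of the list size and the word count, which is why the policy check only enforces a length floor and a denylist rather than trying to score individual passwords.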

In addition, offering security options beyond passwords may give your users additional peace of mind. One possibility is "two-factor authentication," which requires users to present a second, independent factor before accessing the service – typically something they have, such as a one-time code sent by text message or generated by a dedicated device, or something they are, such as a fingerprint scan. Codes sent by text message are the weakest of these, since a phone number can be hijacked; a dedicated token or app is preferable. Blizzard Entertainment came up with a stylish authenticator token for online gamers who want this extra layer of security. And just this week, news leaked that Microsoft may be developing a mobile phone app to enable two-factor authentication when users log in from a new device or unusual location.
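The following is an added example, not code from the original post or from any of the products it mentions: the time-based one-time code scheme (HOTP per RFC 4226, TOTP per RFC 6238) that authenticator tokens and apps of this kind implement, together with the server-side verification a practitioner has to get right. The drift window of one step, the 30-second step and the replay rule are assumptions for the example; the RFC test vectors in the usage note are the published ones.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, submitted: str, at: float = None, step: int = 30,
                window: int = 1, last_counter: int = -1, digits: int = 6):
    """Server-side check. Returns the matching counter, or None.
    - tolerates `window` steps of clock drift in either direction,
    - compares in constant time,
    - refuses any counter at or below last_counter (the counter the server
      stored after the previous success), so a captured code cannot be replayed
      within the drift window."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        expected = hotp(secret, candidate, digits).encode("ascii")
        if hmac.compare_digest(expected, submitted.encode("utf-8")):
            return candidate
    return None


def new_secret(nbytes: int = 20) -> str:
    """Fresh per-user shared secret, base32-encoded for manual entry or a QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(text: str) -> bytes:
    """Decode what the user's app stored (tolerating spaces and lower case)."""
    return base64.b32decode(text.strip().replace(" ", "").upper())


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the 6-digit SHA-1 code is 287082.
    demo = b"12345678901234567890"
    print("code at T=59:", totp(demo, at=59))
    print("matched counter:", verify_totp(demo, "287082", at=59))
    print("replay of same counter:", verify_totp(demo, "287082", at=59, last_counter=1))
```

The verification function returns the counter it matched so the caller can persist it as `last_counter`; without that bookkeeping a code captured by a phishing page stays valid for the whole drift window (90 seconds with the parameters above), which defeats much of the point of the second factor.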

Developing strong internal policies for managing and storing user passwords and related data can also help secure your users' data and build trust in your service. Following best practices like those described in the ACLU's Privacy & Free Speech: It's Good for Business can help you make sure your technical systems for storing passwords are up to date (passwords should never be stored in plaintext or as unsalted fast hashes; each should be run through a salted, deliberately slow hash such as bcrypt, scrypt or PBKDF2), manage internal access to user information, and ensure that employees handle user passwords and other sensitive data properly. Keeping your practices up to date makes it more likely that you will keep your users' passwords safe, which helps you avoid bad press, data breach fines, and civil lawsuits. Companies like Sony have learned first-hand that fines and lawsuits are a reality when you don't follow best practices to protect your users' passwords.
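The following is an added example, not code from the original post: the weak storage pattern (unsalted MD5) beside a salted, slow PBKDF2 scheme whose records carry their own parameters, so that "keeping your practices up to date" becomes a concrete operation: when a user logs in with a hash made under older parameters, the password is re-hashed under the current ones. The algorithm, the 600,000-iteration count, the record format and the `login` helper are assumptions for the example; tune the cost to roughly 100 ms per hash on your own hardware.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Assumed current parameters; raise CURRENT_ITERATIONS as hardware gets faster.
ALGO = "sha256"
CURRENT_ITERATIONS = 600_000


def legacy_md5(password: str) -> str:
    """The weak pattern, shown only for contrast: no salt (identical passwords
    give identical hashes, so one lookup table cracks every user) and a fast
    hash that a GPU can test billions of times per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Per-user random salt plus a slow PBKDF2-HMAC derivation. The stored
    record carries its own parameters so they can be raised row by row."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Returns (matches, needs_rehash). needs_rehash is set when the record was
    made with weaker parameters than the current policy."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    algo = scheme.split("_", 1)[1]
    iterations = int(iters)
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), iterations)
    matches = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    needs_rehash = matches and (algo != ALGO or iterations < CURRENT_ITERATIONS)
    return matches, needs_rehash


# Verified against when the username does not exist, so an attacker cannot
# tell valid usernames from invalid ones by timing the response.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check the password and transparently upgrade stale hashes on success.
    `users` stands in for the credential table (username -> stored record)."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        users[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    table = {"alice": hash_password("hunter2", iterations=1_000)}  # old record
    print("before:", table["alice"].split("$")[1], "iterations")
    print("login ok:", login(table, "alice", "hunter2"))
    print("after: ", table["alice"].split("$")[1], "iterations")
```

The rehash-on-login pattern is what lets a password policy actually be "kept up to date": you cannot recompute a hash without the password, so the only moment to migrate a user to stronger parameters is when they present it.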

Finally, since even the best security is never foolproof, make sure you have a clear and concise plan in place to get your users back to a safe place if something does go wrong. In particular, communicate with your users as clearly as possible, both to help them protect themselves and to restore your own reputation. Informing users when their account has been accessed from a new device or location helps them prevent or remedy incidents outside your control, and promptly informing users about any internal security breach helps them minimize the harm in that case as well. As in any difficult situation, communicate clearly and give users useful self-help advice or mechanisms: making it easy for users to change their password immediately is helpful, but emailing them a link to that page while telling them never to click links in email is not – tell them to go to your site directly instead. A well thought-out response plan both shows your users that you care about their privacy and minimizes, or even eliminates, further harm to their data.
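The following is an added example, not code from the original post: the detection rule behind "tell the user when their account is accessed from a new device or location", run over a handful of constructed login events, together with a notification that follows the advice above by containing no link. The event fields, the per-user baseline, the rule that failed attempts never extend the baseline, and the message wording are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class LoginEvent:
    ts: str          # ISO 8601 timestamp
    user: str
    device_id: str   # stable per-device identifier (e.g. a long-lived cookie)
    country: str     # from IP geolocation at login time
    success: bool


# Constructed sample events for the example.
EVENTS = [
    LoginEvent("2013-04-10T08:00:00Z", "alice", "laptop-1", "US", True),
    LoginEvent("2013-04-10T18:30:00Z", "alice", "laptop-1", "US", True),
    LoginEvent("2013-04-11T09:15:00Z", "alice", "phone-7", "US", True),
    LoginEvent("2013-04-11T09:16:00Z", "alice", "tablet-3", "BR", False),
    LoginEvent("2013-04-12T02:40:00Z", "alice", "laptop-1", "RO", True),
    LoginEvent("2013-04-12T10:00:00Z", "bob", "desk-2", "US", True),
]

Alert = Tuple[str, str, str, str]  # (user, kind, detail, timestamp)


def detect_new_access(events: List[LoginEvent],
                      known_devices: Dict[str, Set[str]] = None,
                      known_countries: Dict[str, Set[str]] = None) -> List[Alert]:
    """One alert per successful login from a device or country not seen before
    for that user. A user's very first login seeds the baseline silently, and
    failed attempts never extend it (otherwise an attacker could 'teach' the
    system their device by failing first)."""
    known_devices = defaultdict(set) if known_devices is None else known_devices
    known_countries = defaultdict(set) if known_countries is None else known_countries
    alerts: List[Alert] = []
    for e in events:
        if not e.success:
            continue
        first_login = e.user not in known_devices
        new_device = e.device_id not in known_devices[e.user]
        new_country = e.country not in known_countries[e.user]
        known_devices[e.user].add(e.device_id)
        known_countries[e.user].add(e.country)
        if first_login:
            continue
        if new_device:
            alerts.append((e.user, "new_device", e.device_id, e.ts))
        if new_country:
            alerts.append((e.user, "new_location", e.country, e.ts))
    return alerts


def notification_text(alert: Alert) -> str:
    """User-facing message. Deliberately contains no URL: a notice that says
    'never click links in email' must not itself carry a link."""
    user, kind, detail, ts = alert
    what = {"new_device": "a device we have not seen before",
            "new_location": f"a new location ({detail})"}[kind]
    return (f"Hi {user}, your account was signed in to from {what} at {ts}. "
            "If this was not you, open our website directly in your browser, "
            "sign in, and change your password from your account settings.")


if __name__ == "__main__":
    for a in detect_new_access(EVENTS):
        print(notification_text(a))
```

In production the two `known_*` maps would be persisted per user, and the same hook is the natural place to require the second factor rather than merely notify; the example keeps to the notification the post describes.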

Helping users keep their accounts secure isn't just good for them – it can help build trust in your company as well. For more tips on how to protect your users' privacy and free speech rights, check out our guide for companies, Privacy & Free Speech: It's Good for Business.

Chris Conley is the Technology and Civil Liberties Fellow with the ACLU of Northern California.