Drake Software blog for tax pros, covering tax, IRS news, and more

Require Secure Passwords and Authentication

It’s a scenario that ought to scare the heck out of us all: You come into the office early one Monday morning only to find that someone from outside the organization has managed to get into your computer system. And no one knows what the intruder was able to access.

Incidents like this tend to play out mainly because the office computer system was protected by passwords that were easy for an intruder to crack. The days of using a one-word password—like “password”—are long gone. Office passwords should be long, complex, and unique.

The Federal Trade Commission has some guidelines for businesses on passwords and authentication practices. We’ve got a few highlights that can make a difference in your office.

The First Defense

Whether you’re a “one-man band” or part of a multi-professional office, your computer passwords serve as the initial barrier to hackers. So, obvious choices for passwords are like hanging out a “Hack Me” sign. When designing passwords, longer is better because longer passwords are generally harder to crack. In fact, passphrases can be even better than passwords, especially if they don’t make literal sense. “BananasFlyAtPurpleCigars” might be a good choice, for example.

Whenever you install hardware, operating software, applications or printers, make sure that you replace any default password on the product with a unique password immediately.

Which brings us to another point. Never use the same single password to protect all the systems in the office. This introduces what’s called a “single point of failure.” If a hacker cracks that one password, he’s got a free ticket to the entire computer network.

The Federal Trade Commission (FTC) gives this example:

To access the corporate network, a business allows employees to type in their username and a shared password common to everyone who works there. Employees are also allowed to use that shared password to access other services on the system, some of which contain sensitive personal information. The more prudent policy would be to require strong, unique passwords for each employee and to insist that they use different passwords to access different applications.

Passwords should be complex as well as long. Use capitals and lower-case letters, numbers and special characters (!, @, #, $, %,& *, etc.).

Store Passwords Securely

A well-trained workforce is frequently the first line of defense against data thieves. Even strong passwords are ineffective if they are shared among users – or to outsiders. Employees should be trained not to disclose passwords in response to phone calls or emails, including ones that appear to come from a coworker.

The FTC also stresses that passwords should be stored so that a lucky guess by a hacker doesn’t result in a payday:

A compromised password poses a particular risk if it can be used to open the door to even more sensitive information—for example, a database of other user credentials maintained on the network in plain, readable text. Make it difficult for data thieves to turn a lucky password guess into a catastrophic breach of your company’s most sensitive data by implementing policies and procedures to store credentials securely.

Also, ensuring that your software systems lock out a user after a certain number of unsuccessful login tries will help guard against “brute force” attacks. This sort of attack uses an automated program to run through possible password possibilities in a matter of seconds.

Stronger Than Passwords Alone

Today, two-factor authentication has become the standard for logins. Usernames and passwords are entered as before, but the user is also sent an authentication code (usually texted to the cell phone number on record in the online account) that must be entered by the user to prove their identity.

The FTC offers this variation on that theme:

A tax preparation company requires that customers use strong passwords to access their accounts online. But given the highly sensitive nature of the information in its possession, it decides to implement an additional layer of security. The company uses a secret verification code generated by an authentication app on the customer’s smartphone and requires the customer to enter that code and use their strong password for access. By implementing this additional protection, the tax prep company has bolstered security on its site.

The message for businesses from the Federal Trade Commission is to think through your password and authentication practices. Today’s threats demand that we use passwords that are stronger and more complex in order to adequately protect the sensitive data that drives the income tax industry.

Bob Williams

Forget genes; I’ve got words in my DNA. Communication has been part of who I am nearly all my life. From a long career in radio news to another one in newspapers – and a University of Georgia journalism degree sandwiched between the two – language has been my life. I’ve also been fortunate to have learned the tax business from the ground up here at Drake, starting with 1040.com online forms some years ago before moving on to work on the Web. In all things tax-ish, we aim to give you tools you can use.

comments powered by Disqus