We need a standard for database password security disclosure

We need a standard that adds a requirement to inform the user of how their data, especially their password, is stored in a database.

Most data is commonly stored in plain text. The only data that is usually not in plain text is the password, which is often stored using a cryptographic hash. However, plenty of systems store the password in plain text as well.

Imagine filling out a registration form with a username and password and some peronal data and clicking submit. What if the submit process had a confirmation screen that told how your information is stored in the database. For example, a site might say that the password is stored in plain text with a little “what does this mean” link and you are asked “Are these security needs sufficient?”.

If such a pop-up were required a number of things might happen:

  1. The individual registering may choose not to use a site with such blatant disregard for security.
  2. The individual registering may choose to use the site anyway but…
    1. Use a password that they isn’t used for more secure sites.
    2. Not enter all the information (for example, if a site is not trusted I often put just my initials for first and last name.
    3. Use all false information

Almost no site provides the security information of how data is stored. Because of this, we need a personal data storage standard. Think of your personal data as related to healthcare where standards such as HIPAA already exists and already have security requirements. However, we need a standard that is more general. This is not and RFC or IEEE standard. It is more of an ISOC standard. I would say a government standard would work, however, the internet is fairly global and so it would a multi-government standard.

Digital Information Security Act (DISA)

We need a Digital Information Security Act (DISA). DISA would have rules and regulations and companies over time would start to comply. Just as we have well-known cryptographic algorithms, we would soon have well-known secure data storage methods.

(For a laugh: I first thought to call it the Personal Information Security Standard, but that acronym wasn’t very good.)

I was not surprised that British Columbia has a Personal Information Protection Act already but it hardly addresses the security of digital storage of personal data. However, it is more about how personal information is used, not about how it is securely stored in a database. I saw many privacy acts that have been implemented by various governments. However, most are in desperate need of an update adding rules from the digital perspective.

I want to focus on a rule about passwords that DISA should have.

Problems

Your personal data is your own. There are number of security issues if you lose your personal data. Your personal data includes any data that is connected to you. We are going to talk about two types of data here.

1. Your real identity

Your personal information is not really changeable. Your name is your name. Sure you could have a name legally changed, but aside from that, your name is static.  Your address and phone number are usually static but changeable over time.

2. Your online identity

This usually means your user name(s) and password(s), which are completely different from your real identity. Your online identity is dynamic and you can have many of them and use different ones on different sites. You can usually change them at any time.

Security Issues

Example Issue 1 – Identity theft

With enough of your personal information a person can pretend to be you. Steeling your identity to use it fo fraud, slander, theft, and much more.  Sensitive personal data, such as driver’s license, SSN, and identifiers should remain protected and secure.

There are many security issues, let me give a couple of examples, but there are many more.

Example Issue 2 – Security of your passwords

Since your username is not exactly secure and is easy to get, your password must be secure. Most people use passwords for multiple sites. Many sites now support authentication using a connection to another site such as OpenId, Yahoo, Google, Facebook, twitter, etc. If you password to one site is found, it is very likely that your password can be used on multiple sites.

Could you imagine someone obtained a password and you also use that password for you bank account. Yes, they could empty your account and the money could be gone and untraceable before you know it.

How your password is stored in a database is extremely important. If the password is in clear text or stored using an easily cracked hash, then your security risk is high.

First, the technology administrators such as the database administrators and others would already know and have access to your password. We usually trust “admins” and usually our data is not used in an incorrect manner, but that is not always the case, and you are vulnerable.

Second, if the database was stolen then your password is now in the hands of someone who does intend to use it maliciously.

Example Issue 3 – The real identity to online identity map

Your real data is easy to get. Knowing your first and last name is almost a non-existent security concern. Such information is in the phone books (or online phone books such as DexOnline) and in your year books and spread around records all over the world. Very few people care to secure their first and last names.

Your username is not really secure either. Usually sites provide any member the rights to see the user names of other members.

However, the connection between a real identity and online identity is a security concern.  Should “just anybody” know that bob123 is Bob Robertson? No they shouldn’t. Why? Because if someone wants to target Bob Robertson, they should not easily know that they bob123 is their target.

Lets look at a real identity to online identity map.

Real Identity Sites Online Identity Encrypted
Bob Robertson twitter.com user: bob123 pw: passwd123 yes
facebook.com user: bob123 pw: passwd123 yes
google.com user: bob123 pw: passwd123 yes
yahoo.com user: bob123 pw: passwd123 yes
Forum123.tld user: bob123 pw: passwd123 no
ABCBank.tld user: bob123 pw: passwd123 yes

For now, let’s ignore the fact that Bob made a crucial mistake of using the same username and password for his bank because a large number of the population does this.  Instead, lets focus on the result of losing your password for any accounts above.

Scenario

This is an example of scenario that describes issue 1 and issue 2. Lets say cyber thief plans to steal money from Bob’s bank account. How secure is Bob’s account with ABCBank. ABCBank surely has some great security. Unfortunately, Bob’s account is only as secure as the least secure site for which Bob has use the same account. Because the cyber thief knows that Bob Robertson is bob123, the thief now has half the information needed to get into Bob’s bank account. Next the thief can first finds all the sites where the username bob123 exists and assume that they are Bob Robertson. Then the thief can try to compromise the password at the easiest site. In the above case, the easy site to compromise is forum123.tld. The thief successfully determine’s Bob’s password at Forum123 and tries the password on a number of banks that have a brick and mortar building near Bob’s house. ABCBank is one of them and the credentials work.

At this point there are any number of ways that money can be stolen from Bob’s bank account.  Of course, no one should ever have the same username and password for their bank accounts as they do for everything else. There are actually three clear security levels and a user should have a different password at each level.

twitter.com medium
facebook.com medium
google.com medium
yahoo.com medium
Forum123.tld low
ABCBank.com High

However, let’s say Bob is not very computer literate and doesn’t even know that he should have different user names and passwords at each security level. Shouldn’t each site at least tell the user their security level and suggest to the user that they don’t use the same username and password for site with different levels of security?

Now how can we help solve some of these issue with our new DISA standard?

DISA Rule #1 – Disclose your security level

Now, imagine when Bob registered for Forum123.tld, he got a popup as follows:

This site stores the password in clear text and implements little to no security. It is not recommended that you use the same password on this site as you do for more secure sites (such as bank accounts). Would you like to continue or would like you like to use a different password?
[ Continue ] [ Use a different password ]

Were this popup to become a standard and were it implemented on almost every site, this popup would help a large portion of the population improve their username and password security issues because they would know whether their password is encrypted or not.

However, it would likely also improve the sites security because a web site administrator would work to use an well-known authentication library to become DISA compliant and because they now use a well-known authentication library, they will have access to its additional security features such as cartographic hashing of passwords and the site would likely become more secure as well.

Implementation and Enforcement

So lets say we created DISA and we created this password security disclosure rule. How could we enforce it?

Enforcement by Business Entities

Security conscious entities are already enforcing security standards such as Payment Card Industry (PCI) compliance rules for taking credit cards. Banks and credit card vendors have security requirements you must meet before they allow you to use your merchant account to take credit cards online.

However, this is not the focus of where it should be enforced. It should be enforced most on the small sites that are not very secure.

Enforcement by the Government

This is probably not a good solution. So many small one person blogs and other sites pop up each day it would be impossible for a government entity to monitor and enforce this.

Enforcement by Browsers

This is actually the perfect place to enforce this. Almost all browsers can detect when you are filling out a registration form that includes a password. The browser could intercept the submit and perform the popup using a combination of information, some hard-coded in the browser (so websites can’t fool the user) and some gather from the web site itself. I

Conclusion

How a digital information, especially a password, is a huge security concern and standards and well-known practices should exist to help both the security minded as well as the uneducated to maintain a higher state of security.

Leave a Reply

How to post code in comments?