Beefing Up Security in Database Logins
We are increasingly reliant on data and databases to run our lives and our businesses. The recent security breaches at Optus and Medibank, and the increasing number of ransom attacks, have understandably raised concerns for a lot of people about the security of their data.
At Optus, the data breach was through an unprotected API that was open to the public. The API did not require a username and password, which meant that anyone who knew the address of the API could connect to it without authenticating.
At Medibank, it was the theft of a single user’s credentials which were then sold on the dark web and used to download millions of very personal records.
, one of our long-standing clients, contacted us recently to see how they could increase their security as part of a security audit they were undertaking.
We have a number of security measures in place, which we will go into in more detail in a subsequent post, but their main concern was the threat of a password attack. This occurs when hackers infer or use social engineering to get a valid login name and then use either a dictionary attack or brute force to crack the password.
We ensure all passwords are encrypted on the database to prevent them being seen via a SQL Injection attack or similar. We also ensure users choose strong passwords with a password strength indicator.
To ensure a strong password, you should:
● Use alphanumeric passwords with special characters
● Use at least 10 characters
● Not use it across multiple websites and applications
● Change it regularly
● Not use easily guessable information like birthdays and names
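As an added illustration (not code from the original post or its software), the following Python function turns the checklist above into a server-side check that can back a password strength indicator. The rules it can enforce mechanically are length, character mix, and the "easily guessable" rule, which is approximated here by rejecting passwords that contain the account's username or a supplied birth year; the `username` and `birth_year` parameters and the threshold names are assumptions for this example. Reuse across sites and regular rotation are not something a single application can verify, so they are not checked.

```python
import re
import string
from typing import List


def password_issues(password: str, *, username: str = "", birth_year: str = "",
                    min_length: int = 10) -> List[str]:
    """Return a list of human-readable problems with the password.

    An empty list means the password satisfies every rule this check can
    enforce. The username/birth_year hints are assumptions for this example:
    they stand in for the "easily guessable information" rule.
    """
    issues = []

    if len(password) < min_length:
        issues.append(f"must be at least {min_length} characters")

    # "Alphanumeric with special characters": require letters, digits and
    # at least one punctuation character.
    if not re.search(r"[A-Za-z]", password):
        issues.append("must contain letters")
    if not re.search(r"[0-9]", password):
        issues.append("must contain digits")
    if not any(c in string.punctuation for c in password):
        issues.append("must contain a special character")

    # Easily guessable information: the account name or a birth year inside
    # the password. Comparison is case-insensitive.
    lowered = password.lower()
    if username and username.lower() in lowered:
        issues.append("must not contain your username")
    if birth_year and birth_year in password:
        issues.append("must not contain your birth year")

    return issues


def is_strong(password: str, **hints) -> bool:
    """Convenience wrapper: True when password_issues() finds nothing."""
    return not password_issues(password, **hints)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for candidate in ["abc", "alice1990!Ab", "Tr0ub4dor&3xyz"]:
        print(candidate, "->", password_issues(candidate, username="alice", birth_year="1990") or "ok")
```

The function returns every failing rule rather than stopping at the first one, so the indicator can show the user exactly what to fix.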
For sensitive information this is not always enough. To take it to the next level many software providers, including us, offer Two Factor Authentication (2FA).
How 2FA works
– When the user logs in for the first time they are given a unique QR code
– The user opens Google Authenticator on their mobile phone or device (if they do not have it, they need to install it from the App Store or Play Store)
– They scan the QR code from Google Authenticator
– Google Authenticator generates a code that changes every minute
– As an additional level of security, every time the user logs in they need to enter that code after entering their username and password
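The steps above describe the standard time-based one-time password scheme (TOTP, RFC 6238) that Google Authenticator implements. As an added example, not code from the original post or its software, the following Python shows the server side of that exchange: generating the shared secret, building the `otpauth://` URI that the QR code encodes, computing the six-digit code from the current time, and verifying a submitted code with a small tolerance for clock drift. The `window` and `last_counter` parameters are assumptions for this example; the latter lets the server refuse a code that was already accepted in the same time step, so an intercepted code cannot be replayed. The shared secret in the test is the RFC 6238 reference vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // step)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The key URI that the enrolment QR code encodes (Google Authenticator format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is invalid.

    window: how many steps of clock drift to tolerate on each side.
    last_counter: counter of the most recently accepted code for this user;
    any code at or below it is rejected so a captured code cannot be replayed.
    The caller should persist the returned counter as the new last_counter.
    """
    t = int(time.time() if at_time is None else at_time)
    current = t // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_counter:
            continue
        # Constant-time comparison so a timing side channel does not leak digits.
        if hmac.compare_digest(hotp(secret_b32, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Enrolment: store the secret against the user, show the URI as a QR code.
    secret = generate_secret()
    print(provisioning_uri(secret, "user@example.com", "ExampleDB"))  # constructed names
    # Login: user types the code their app currently shows.
    print("current code:", totp(secret))
    print("verified at counter:", verify_totp(secret, totp(secret)))
```

Note that the server must store the shared secret (it is needed to recompute the code), so it deserves the same protection as the password store, and the returned counter should be persisted per user so the replay check survives across requests.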
Two Factor Authentication is increasingly being used on client databases and has recently been turned on for . If you would like to know more about how we can help you store your data securely please get in touch.