Twitter just agreed to settle Federal Trade Commission charges that it deceived customers and put their privacy at risk by failing to safeguard their personal information. Full article here. This is the first case of this kind against a social networking service and it should be a wake-up call to any provider of cloud-based services.
We cloud vendors all face the same challenges as Twitter. Our business consists of managing our customers’ private or personal data. We use dozens of cloud applications to run our business and most of us have no business applications behind the firewall. The average cloud vendor juggles thousands of passwords every day and the average user is not able to remember a dozen strong passwords.
Here is what the FTC said Twitter failed to do in order to protect their users’ data.
- require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks
- prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts
- suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts
- provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
- enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days
- restrict access to administrative controls to employees whose jobs required it
- impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses
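As an added illustration (not code from the original post or from OneLogin's product), the following Python sketch gates an administrative login on three of the controls listed above: an address allow-list, lockout after repeated failed attempts, and 90-day password expiry. The lockout threshold, the allowed network range and the fixed clock are assumed values chosen for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values: the FTC list names "a reasonable number" of failures
# and a 90-day rotation but no specific lockout threshold or network range.
MAX_FAILED_ATTEMPTS = 5
PASSWORD_MAX_AGE = timedelta(days=90)
ADMIN_ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]   # constructed office/VPN range
NOW = datetime(2010, 6, 25)                            # fixed clock for the demo

@dataclass
class AdminAccount:
    username: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False

def make_account(username, password_age_days):
    """Constructed account whose password was set password_age_days before NOW."""
    return AdminAccount(username, NOW - timedelta(days=password_age_days))

def check_admin_login(account, password_ok, source_ip, now=NOW):
    """Decide an administrative login. Returns (allowed, reason).

    Order matters: the address restriction and lockout state are checked before
    the credential result is honoured, and a correct but expired password still
    fails, so a leaked or reused admin password alone never grants access.
    """
    if not any(ip_address(source_ip) in net for net in ADMIN_ALLOWED_NETWORKS):
        return False, "source address not permitted for administrative access"
    if account.locked:
        return False, "account locked"
    if not password_ok:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True   # stays locked until an administrator resets it
            return False, "account locked after repeated failures"
        return False, "bad password"
    account.failed_attempts = 0     # a successful credential check resets the counter
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return False, "password expired, rotation required"
    return True, "ok"

if __name__ == "__main__":
    acct = make_account("ops-admin", 10)
    print(check_admin_login(acct, True, "192.0.2.5"))      # outside the allow-list
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(check_admin_login(acct, False, "10.1.2.3"))  # fifth failure locks
    print(check_admin_login(make_account("ops-admin2", 120), True, "10.1.2.3"))
```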
None of these precautions seems unreasonable from a security perspective. Yet people are creatures of habit, busy, forgetful, or simply don’t have the tools they need to behave securely. Once you have typed the same password a hundred times, it becomes a reflex: something you do uncritically whenever you see a password prompt.
One of our customers recently performed a phishing test internally to see how many users would enter their password on a fake Google Apps login page. To everyone’s surprise, 27 percent of the tested individuals did just that.
Completely eliminating passwords or using strong passwords are the best ways to avoid a Twitter-style security blunder, but leaving it up to each individual user is too much to ask. OneLogin lets you generate completely random, strong passwords and automates the login process, which has two big advantages. Users don’t need to write down passwords, and since the passwords are impossible to remember, users cannot type them into a fake login page, so phishing attacks are effectively eliminated.