Ask the Expert

What are best practices for secure password distribution after a data breach?

Our enterprise recently had a breach and had to create new user IDs and passwords for many users. What's the most secure way to inform the users of these new IDs when email is so inherently insecure?

    Requires Free Membership to View

Creating new usernames after a breach provides little assurance that the breach won't happen again and takes a significant amount of time and energy; it also creates a variety of gaps, such as tying data from the old account activity to the new. There should be a standard for usernames across all systems and applications. I would recommend using employee identification information, such as first name and last name or an ID number you associate with each employee for HR purposes. This will have the added benefit of simplifying the termination process as well.

The proper response and secure distribution strategy following a username and password hack would first be to disable all of the accounts that may be compromised and reset the passwords to meet stringent complexity requirements. Next put your team's forensic skills to work to determine -- with certainty -- how the enterprise's security controls were breached. Then present those findings to management and present a plan to modify those controls or implement new ones to mitigate the risk going forward.

Changing and increasing the complexity of a password significantly reduces the likelihood of the account being hacked, but only if you've already determined how the original compromise was achieved and appropriately responded to it.

For more information:

This was first published in November 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: