
	Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > What are best practices for secure password distribution after a data breach?

Ask The Security Expert: Questions & Answers

EMAIL THIS

What are best practices for secure password distribution after a data breach?

EXPERT RESPONSE FROM: David Griffeth, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 07 November 2008
Our enterprise recently had a breach and had to create new user IDs and passwords for many users. What's the most secure way to inform the users of these new IDs when email is so inherently insecure?

Creating new usernames after a breach provides little assurance that the breach won't happen again and takes a significant amount of time and energy; it also creates a variety of gaps, such as tying data from the old account activity to the new. There should be a standard for usernames across all systems and applications. I would recommend using employee identification information, such as first name and last name or an ID number you associate with each employee for HR purposes. This will have the added benefit of simplifying the termination process as well.

The proper response and secure distribution strategy following a username and password hack would first be to disable all of the accounts that may be compromised and reset the passwords to meet stringent complexity requirements. Next put your team's forensic skills to work to determine -- with certainty -- how the enterprise's security controls were breached. Then present those findings to management and present a plan to modify those controls or implement new ones to mitigate the risk going forward.

Changing and increasing the complexity of a password significantly reduces the likelihood of the account being hacked, but only if you've already determined how the original compromise was achieved and appropriately responded to it.

For more information:

Learn how to prevent SSH brute force attacks that can compromise passwords.
Be prepared for security breaches with security breach management planning and preparation.

BROWSE BY TAG

Identity Management and Access Control, Password Management and Policy, Enterprise Identity and Access Management, Identity Management Technology and Strategy, Enterprise Data Protection, Identity Theft and Data Security Breaches, Disaster Recovery and Business Continuity Planning, Information Security Management, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Identity Management and Access Control
	Is Identity Management as a Service (IDaaS) a good idea?
	How to log in to multiple servers with federated single sign-on (SSO)
	How to confirm the receipt of an email with security protocols
	Learn about enterprise strategy for server virtualization single sign-on
	Employee information security awareness training for new IAM systems
	Can you combine RFID tag technology with GPS to track stolen goods?
	Is there a free enterprise-caliber password-management tool?
	Cryptosystem attacks that do not involve obtaining the decryption key
	Can any firm or organization get a digital signature certificate?
	Should the CTO have domain administrator access?

Password Management and Policy

Two-factor authentication, vigilance foil password theft

Group to shed light on secure identity management threats

Brute force attacks target Yahoo email accounts

Best Identity and Access Management Products

Privileged account management critical to data security

Making the case for enterprise IAM centralized access control

How to prevent brute force webmail attacks

Best practices for a privileged access policy to secure user accounts

Mature SIMs do more than log aggregation and correlation

PCI compliance requirement 2: Defaults

Identity Theft and Data Security Breaches

Chip and PIN adoption serves lesson for U.S. payment industry

Group to shed light on secure identity management threats

Heartland CIO is critical of First Data's credit card tokenization plan

Heartland CIO on end-to-end encryption, credit card tokenization

Heartland CIO on PCI, E3 project

Visa probes tokens, encryption for PCI card data protection

University data breach exposes 163,000 women to identity theft

TJX thrives following breach, bucks sour economy

Security expert's PCI analysis misguided, says PCI Council GM

External attacks start with unintentional mistakes, survey finds

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

graphical password (SearchSecurity.com)

identity chaos (SearchSecurity.com)

logon (SearchSecurity.com)

masquerade (SearchSecurity.com)

OpenID (WhatIs.com)

salt (SearchSecurity.com)

session replay (SearchSecurity.com)

single-factor authentication (SFA) (SearchSecurity.com)

TACACS (SearchSecurity.com)

war dialer (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy