Manage

What are best practices for secure password distribution after a data breach?

After an information security data breach, it might seem like a good idea to create new user IDs and passwords for all employees in the user directory. But is there an easier way to handle the aftermath of a data breach? Find out more in this IAM expert response.

Our enterprise recently had a breach and had to create new user IDs and passwords for many users. What's the most secure way to inform the users of these new IDs when email is so inherently insecure?

Creating new usernames after a breach provides little assurance that the breach won't happen again and takes a significant amount of time and energy; it also creates a variety of gaps, such as tying data from the old account activity to the new. There should be a standard for usernames across all systems and applications. I would recommend using employee identification information, such as first name and last name or an ID number you associate with each employee for HR purposes. This will have the added benefit of simplifying the termination process as well.

The proper response and secure distribution strategy following a username and password hack would first be to disable...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

all of the accounts that may be compromised and reset the passwords to meet stringent complexity requirements. Next put your team's forensic skills to work to determine -- with certainty -- how the enterprise's security controls were breached. Then present those findings to management and present a plan to modify those controls or implement new ones to mitigate the risk going forward.

Changing and increasing the complexity of a password significantly reduces the likelihood of the account being hacked, but only if you've already determined how the original compromise was achieved and appropriately responded to it.

For more information:

Learn how to prevent SSH brute force attacks that can compromise passwords.
Be prepared for security breaches with security breach management planning and preparation.

This was last published in November 2008

Dig Deeper on Password management and policy

Google expands multiple Chrome password protection features Chrome's updated, built-in protections are intended to help users protect their passwords and data against malware, data breaches and phishing sites, according to the company.

Equifax lawsuit offers more evidence against passwords Equifax’s internal security policies were a mess and directly led to one of the largest recorded data breaches in history, according to a lawsuit, demonstrating fundamental insecurities inherent in the use of passwords

Leaked Sephora databases peddled on dark web Cyber security firm finds two databases likely to be related to the Sephora data breach that affected online customers in Southeast Asia, Australia and New Zealand

2019 data breach disclosures: 10 of the biggest -- so far Enterprises have disclosed a number of significant data breaches in the first half of 2019. Here's a look at some of the biggest and most notable breaches so far this year.

Data breaches in Australia show no sign of abating Australia’s privacy watchdog recorded over 800 cases of data breaches, nearly one year into the country’s mandatory data breach notification regime

Collection #1 breach data includes 773 million unique emails Have I Been Pwned added a new trove of 773 million unique emails and 21 million passwords -- known as the Collection #1 breach data -- but there are questions about the freshness of the data.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Please create a username to comment.

McAfee launches security tool Mvision Cloud for Containers

How to implement zero-trust cloud security

AWS Access Analyzer aims to limit S3 bucket exposures

Consider these 5 FAQs for network monitoring best practices

Cisco's Silicon One networking chip targets cloud data centers

7 factors to consider in network redundancy design

Transforming operations for successful cloud adoption

IT workforce skews younger, says analysis of US data

Top edge computing trends to watch in 2020

How to shut down and restart a remote computer

Setting up Windows 10 kiosk mode with 4 different methods

Microsoft extends Office 365 benefit to nonprofit volunteers

The future of the Kubernetes ecosystem isn't all about cloud

Evaluate general and niche cloud service use cases

Compare niche cloud services to the hyperscale offerings

Alarm bells ring, the IoT is listening

New government faces calls to urgently deliver on pre-election pledge to review IR35 reforms

Future fashion: does that dress come in digital?

Dig Deeper on Password management and policy

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.