TigerDirect.com's "Improved" Security Policy

Published 26 July 07 11:12 AM | Erik 

While checking my email this morning, I suspected that yet another message had eluded my spam filter.  Much to my surprise, the message with the subject line "Your TigerDirect Account Update" from 'TigerDirect@promo.tigeronline.com' was legitimate.  Unfortunately, reading it was more troubling than the contents of many of the spam messages I routinely receive.  In it I'm told that "in an effort to improve security, we have eliminated certain previously allowed characters for use in the creation of a password. (Example: ><@')." What's even more troubling is the next line: "Our records indicated that one or more of these characters were used in your password."  To inspect the characters in a customer's password against their "records," TigerDirect must hold the password as plain text or, at a minimum, in a form that can be reversed to recover it.  (A site could, in principle, flag accounts at login time, when the submitted plaintext is briefly in hand, but nothing in the notice suggests that, and the wording points squarely at the stored records.)  A properly salted hash cannot be queried for the characters it was computed from.

Click on the thumbnail below for the full message:

At first glance, there are several things wrong with this scenario:

  1. This email actually alerts users to the fact that the security level has been reduced, not "improved" or otherwise strengthened: shrinking the allowed character set shrinks the space an attacker has to search.
  2. Secure storage of confidential or sensitive information (in this case, the password) is absent or inadequately implemented.  If an attack succeeds in reaching the main "records" repository, every user's password is exposed outright.  If this is incorrect and all information really IS stored securely, I'd like to know how my password was deemed "non-compliant" with the "improved" security policy.
  3. After resetting my password, it's apparent that there is no password policy beyond a length of 4-12 characters: the password "pass" is accepted without complaint.
Suggested Password Policy Improvements for TigerDirect.com:
  1. First and foremost, store passwords only as a salted hash computed with a deliberately slow function; never store sensitive information as plain text or in any reversible form.  Hashing also removes any reason to ban characters such as ><@': the hash accepts any input, and only the fixed-length digest is ever stored or compared.
  2. Enforce the use of secure passwords using the following criteria:
    • A minimum length of at least 7 characters (anywhere in the 7-12 range is reasonable), and no low maximum: a hash is the same size whatever the password length, so a 12-character cap only suggests the password itself is sitting in a fixed-width field.
    • Set a minimum number of occurrences of upper- and lower-case characters.
    • Set a minimum number of occurrences of numeric and special characters.
  3. Implement an incremental delay or temporary account suspension after a series of unsuccessful login attempts, so that online guessing of the weak passwords already in use is slowed to a crawl.
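As an added example (not TigerDirect's code, nor code from the original post), here is a minimal Python password layer that follows the three suggestions above: a policy check that happily accepts the characters TigerDirect banned, salted PBKDF2 storage from Python's standard library (bcrypt or scrypt would serve as well), a doubling delay followed by a temporary suspension, and a small `accounts_using` query that shows why a notice like TigerDirect's can only be produced from a plaintext store. The thresholds (7 characters, 5 failures, a 15-minute suspension, 100,000 iterations), the class and function names, and the sample users are assumptions chosen for illustration.

```python
"""Added example, not TigerDirect's code: a minimal password layer that follows
the three recommendations above.  Thresholds, names and sample records are
assumptions chosen for illustration."""
import hashlib
import hmac
import os
import string
import time
from typing import Dict, List, Tuple

# --- 2. Policy: a minimum length, no low maximum, and per-class minimums ----
MIN_LENGTH = 7                              # assumed; nothing caps the length
MIN_UPPER = MIN_LOWER = MIN_DIGIT = MIN_SPECIAL = 1
SPECIAL_CHARS = set(string.punctuation)     # includes > < @ ' -- nothing to ban


def check_policy(password: str) -> List[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        problems.append("no upper-case letter")
    if sum(c.islower() for c in password) < MIN_LOWER:
        problems.append("no lower-case letter")
    if sum(c.isdigit() for c in password) < MIN_DIGIT:
        problems.append("no digit")
    if sum(c in SPECIAL_CHARS for c in password) < MIN_SPECIAL:
        problems.append("no special character")
    return problems


# --- 1. Storage: salted, iterated hash instead of the password itself -------
ITERATIONS = 100_000    # deliberately slow, to blunt offline guessing


def hash_password(password: str) -> str:
    """Fresh random salt per password; the stored string reveals nothing about the input."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))   # constant-time


def accounts_using(records: Dict[str, str], chars: str) -> List[str]:
    """The query behind a notice like TigerDirect's.  It only finds anything if the
    stored field is the password itself; against hashed records the characters the
    user typed are simply not there to be found."""
    return [user for user, field in records.items() if set(field) & set(chars)]


# --- 3. Throttling: doubling delay, then a temporary suspension -------------
class LoginThrottle:
    MAX_FAILURES = 5
    BASE_DELAY = 1.0        # seconds; doubles with each consecutive failure
    SUSPEND_FOR = 15 * 60   # seconds of suspension once MAX_FAILURES is reached

    def __init__(self, clock=time.time):
        self.clock = clock                                   # injectable for testing
        self.failures: Dict[str, Tuple[int, float]] = {}     # user -> (count, not_before)

    def attempt(self, username: str, password: str, stored: str) -> str:
        count, not_before = self.failures.get(username, (0, 0.0))
        now = self.clock()
        if now < not_before:                        # refuse without even checking
            return "suspended" if count >= self.MAX_FAILURES else "too_fast"
        if verify_password(password, stored):
            self.failures.pop(username, None)       # success clears the counter
            return "ok"
        count += 1
        if count >= self.MAX_FAILURES:
            not_before = now + self.SUSPEND_FOR
        else:
            not_before = now + self.BASE_DELAY * 2 ** (count - 1)
        self.failures[username] = (count, not_before)
        return "denied"


if __name__ == "__main__":
    banned = "><@'"
    # Constructed sample records, as a plaintext store would hold them.
    plaintext_records = {"erik": "P@ss<w0rd>'", "tom": "Correct-Horse9"}
    hashed_records = {u: hash_password(p) for u, p in plaintext_records.items()}
    print("plaintext store exposes:", accounts_using(plaintext_records, banned))
    print("hashed store exposes:   ", accounts_using(hashed_records, banned))
    print("policy verdict on 'pass':", check_policy("pass"))
    print("policy verdict on erik's:", check_policy(plaintext_records["erik"]) or "accepted")
```

Running the script shows the plaintext store answering the "who used these characters" question with `['erik']` while the hashed store answers with nothing, which is exactly why a hashed site could never have sent the notice quoted above. The throttle refuses attempts that arrive before the current back-off has expired, so an attacker cannot burn through the five allowed failures faster than roughly 1 + 2 + 4 + 8 seconds before the account is suspended, and a correct password clears the counter.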
Of course, reconciling good security practice with usability has its limits, but the absence of any defined password policy is always the wrong answer.  A hybrid of the guidelines above is the best balance between human convenience and security.  Hopefully TigerDirect.com will recognize the alarming practices in their current password handling, and readers will proceed with caution on websites that treat passwords this way.

Resources:

"Preventing Brute Force Attacks"

http://www.spidynamics.com/spilabs/education/articles/brute-force.html

"Selecting Secure Passwords" (While this link mainly applies to OS password policies, the general theory is the same).

http://www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx 


Comments

# Tom Brownsword said on July 27, 2007 1:42 PM:
Hello, thanks for the heads-up on this. I've done the prudent thing and requested that TigerOnline delete my account, and suggest that others consider doing the same. If enough people do this, then Tiger will get the message. Best regards, Tom
# The Yeager Report said on August 23, 2007 6:41 AM:
This morning I logged into a major U.S. bank that holds most of my money, and I decided it was time to


About Erik

Erik is Sr. Director of Products for the Application Security Center.