TigerDirect.com's "Improved" Security Policy

While checking my email this morning, I suspected that yet another message had eluded my spam filter.  Much to my surprise, the message with the subject line "Your TigerDirect Account Update" from 'TigerDirect@promo.tigeronline.com' was legitimate.  Unfortunately, reading it was more troubling than the contents of many of the spam messages I routinely receive.  The message tells me that "in an effort to improve security, we have eliminated certain previously allowed characters for use in the creation of a password. (Example: ><@')." What's even more troubling is the next line: "Our records indicated that one or more of these characters were used in your password." If their "records" can tell which characters my password contains, then my password is stored as plain text or, at a minimum, in a form that can be reversed to reveal the actual password.  (A properly hashed password could only be checked against the new rule at the moment I next log in and submit it, not by scanning stored records.)

(The full message was attached as a screenshot in the original post.)

At first glance, there are several things wrong with this scenario:

  1. The email actually alerts users that the security level has been reduced, not "improved" or otherwise strengthened: shrinking the set of allowed characters shrinks the space an attacker has to search.
  2. Secure storage of confidential or sensitive information (in this case, the password) is absent or inadequately implemented.  If any attack succeeds in reaching the main "records" repository, every user's password is exposed.  If this is incorrect and all information really IS stored securely, I'd like to know how my password was deemed "non-compliant" with the "improved" security policy.
  3. After resetting my password, it's apparent that there is no password policy beyond a length of 4-12 characters: the password "pass" is accepted.
Suggested Password Policy Improvements for TigerDirect.com:
  1. First and foremost, never store passwords as plain text; store a salted, iterated hash (bcrypt or PBKDF2, for example) so that a compromise of the "records" repository does not hand out the passwords themselves.
  2. Enforce the use of strong passwords using the following criteria:
    • A minimum length of at least 7 or 8 characters, with a maximum well above the current 12 so that long passphrases are allowed.
    • A minimum number of upper- and lower-case characters.
    • A minimum number of numeric and special characters (rather than banning special characters outright).
  3. Implement an incremental delay or temporary account suspension after a series of unsuccessful login attempts, so that online guessing of weak passwords is slowed down.
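To make the three recommendations concrete, here is an added example written for this post (it is not TigerDirect's code): a policy check that rejects "pass", salted PBKDF2 hashing in place of plain-text storage, and a per-account throttle that doubles the delay after each failed login and then suspends the account. The threshold values, the in-memory state and the sample user records are assumptions chosen for illustration. The `users_with_banned_chars` helper also shows why the email is revealing: a scan for the newly banned characters only works against a plain-text (or reversible) store; a table of salt and digest pairs offers nothing to scan.

```python
"""Added example (not TigerDirect's code): policy check, salted hashing,
and incremental login throttling. All constants are assumed values."""
import hashlib
import hmac
import os
import re
import time

# Policy values are assumptions for this example, not TigerDirect's rules.
MIN_LENGTH = 8
MAX_LENGTH = 128            # allow long passphrases; a 12-character cap is too low
PBKDF2_ITERATIONS = 200_000
BANNED_CHARS = set("><@'")  # the characters the e-mail says were "eliminated"


def check_password_policy(password):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(password) > MAX_LENGTH:
        problems.append("too long")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest from the submitted password and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def users_with_banned_chars(plaintext_store):
    """The scan TigerDirect's e-mail implies: find accounts whose stored password
    contains a banned character. Only possible when the store holds plain text;
    a store of (salt, digest) pairs cannot answer this question."""
    return sorted(u for u, pw in plaintext_store.items() if BANNED_CHARS & set(pw))


class LoginThrottle:
    """Per-account incremental delay, then a temporary lockout (in-memory; assumed design)."""

    def __init__(self, base_delay=1.0, max_delay=60.0, lockout_after=10,
                 lockout_seconds=900, clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.clock = clock
        self._state = {}  # username -> (failure_count, earliest_next_attempt)

    def seconds_until_allowed(self, username):
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, username):
        """Double the delay on each failure; suspend once lockout_after is reached."""
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        if failures >= self.lockout_after:
            wait = self.lockout_seconds
        else:
            wait = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[username] = (failures, self.clock() + wait)
        return wait

    def record_success(self, username):
        self._state.pop(username, None)


if __name__ == "__main__":
    print("policy violations for 'pass':", check_password_policy("pass"))
    legacy = {"alice": "p<ss", "bob": "Secret1!"}  # constructed plain-text store
    print("accounts a plain-text scan would flag:", users_with_banned_chars(legacy))
    salt, digest = hash_password("Tiger-Direct-2007")
    print("stored record is only salt+digest:", salt.hex(), digest.hex()[:16] + "...")
    print("correct password verifies:", verify_password("Tiger-Direct-2007", salt, digest))
    throttle = LoginThrottle()
    for _ in range(3):
        print("next attempt delayed by", throttle.record_failure("bob"), "s")
```

The throttle takes an injectable clock so the delay schedule can be tested without sleeping; in a real deployment the per-account state would live in a shared store rather than a process-local dictionary, and the same counting should also be applied per source address so that one attacker cannot lock legitimate users out at will.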
Of course, bridging the gap between good security practice and usability has its limitations, but the absence of a defined password policy is always the wrong answer.  A hybrid approach to the above guidelines is the best balance between human convenience and security.  Hopefully TigerDirect.com will recognize the alarming practices in its current password policy, and readers will proceed with caution when using websites that handle their credentials this carelessly.

Resources:

"Preventing Brute Force Attacks"

http://www.spidynamics.com/spilabs/education/articles/brute-force.html

"Selecting Secure Passwords" (While this link mainly applies to OS password policies, the general theory is the same).

http://www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx
Comments
(anon) | 07-27-2007 02:42 PM
Hello,

Thanks for the heads-up on this. I've done the prudent thing and requested that TigerOnline delete my account and suggest that others consider doing the same. If enough people do this, then Tiger will get the message.

Best regards,
Tom
(anon) | 08-23-2007 07:41 AM

This morning I logged into a major U.S. bank that holds most of my money, and I decided it was time to

(anon) | 04-19-2008 09:16 PM

are you smarter than a 5th grader?

president george bush i drink your milkshake

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation