A Novel Approach for Protecting Legacy Authentication Databases in Consideration of GDPR

Juanita Blue, Eoghan Furey
DOI: 10.1109/ISNCC.2018.8531022 (https://doi.org/10.1109/ISNCC.2018.8531022)
Published in: 2018 International Symposium on Networks, Computers and Communications (ISNCC)
Publication date: 2018-06-01
Citation count: 2

Abstract

The upcoming implementation of the European Union General Data Protection Regulation (GDPR) will require many organisations throughout the EU to comply with new requirements that are intended to better protect personal data. Large increases in responsibility, penalties and fines will place great pressure on organisations to ensure they are compliant and adequately protect user data that is associated with online accounts. Non-compliant legacy databases are those that store authentication credentials in plaintext or using obsolete one-way encryption techniques that fail to adhere to best practice guidelines. Companies that remain reliant on these vulnerable systems will be forced to reconsider and improve their architecture, or risk the exposure of personal data and the debilitating penalties that will also be incurred. Authentication databases are frequently a target of attack as they potentially provide an avenue to commit further, more lucrative crimes. Lacking or substandard implementations have cultivated an environment where authentication databases and the data stored therein are insecure. This was demonstrated in the 2016 exposure of a breach experienced by Yahoo where approximately one billion user credentials were stolen. The global technology company was found to be using obsolete security mechanisms to protect user passwords. This paper offers a novel solution for improving the protection of currently non-compliant legacy authentication databases stored on Apache servers. The method applies best practice mechanisms in the form of salt, one-way encryption (hashing) and iterations to both pre-existing and newly created passwords held within the databases. The proposed solution can be implemented server-side, with little alteration to the existing infrastructure and unbeknownst to the user. It possesses the potential to improve system security, preserve privacy, and aid implementation of GDPR requirements.
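The abstract names three mechanisms (a per-user salt, a one-way hash, and an iteration count) and says they are applied both to passwords that already sit in a legacy store and to new ones, server-side and without involving the user. The following Python is an added illustration of that general pattern; it is not the paper's own method and does not use Apache's htpasswd storage format. It assumes a constructed legacy store with two non-compliant entry types (plaintext and unsalted MD5), assumes PBKDF2-HMAC-SHA256 as the iterated hash, and assumes a self-describing record format so that verification can tell a wrapped legacy entry from a natively hashed one. Plaintext entries can be hashed directly; an unsalted MD5 entry cannot be reversed, so its existing digest is wrapped inside the salted, iterated hash and the wrapper is dropped on the user's next successful login.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample legacy store (not real data): one plaintext entry and one
# unsalted-MD5 entry, the two non-compliant forms the abstract describes.
LEGACY_STORE = {
    "alice": {"scheme": "plain", "value": "correct horse battery"},
    "bob":   {"scheme": "md5",   "value": hashlib.md5(b"hunter2").hexdigest()},
}

ITERATIONS = 600_000   # assumed iteration count; follow current guidance for your hardware
SALT_BYTES = 16        # 128-bit random salt per record

NATIVE = "pbkdf2-sha256"            # hash computed over the password itself
WRAPPED = "pbkdf2-sha256-md5wrap"   # hash computed over the legacy MD5 hex digest


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def _derive(material: bytes, salt: bytes, iterations: int) -> bytes:
    # Salt + iterated one-way hash; identical call for native and wrapped entries.
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def _pack(kind: str, iterations: int, salt: bytes, digest: bytes) -> str:
    # Self-describing record: kind$iterations$salt$digest, so parameters can
    # be raised later without breaking existing entries.
    return f"{kind}${iterations}${_b64(salt)}${_b64(digest)}"


def _unpack(record: str):
    kind, iters, salt, digest = record.split("$")
    return kind, int(iters), _unb64(salt), _unb64(digest)


def create_password(password: str) -> str:
    """Newly created password: salted, iterated hash over the password."""
    salt = os.urandom(SALT_BYTES)
    return _pack(NATIVE, ITERATIONS, salt, _derive(password.encode(), salt, ITERATIONS))


def migrate_legacy(entry: dict) -> str:
    """Pre-existing password, converted offline with no user involvement.

    Plaintext entries get the native format directly. Unsalted-MD5 entries
    cannot be reversed, so the stored hex digest is wrapped: PBKDF2(salt, md5hex).
    """
    salt = os.urandom(SALT_BYTES)
    if entry["scheme"] == "plain":
        return _pack(NATIVE, ITERATIONS, salt,
                     _derive(entry["value"].encode(), salt, ITERATIONS))
    if entry["scheme"] == "md5":
        return _pack(WRAPPED, ITERATIONS, salt,
                     _derive(entry["value"].encode("ascii"), salt, ITERATIONS))
    raise ValueError(f"unknown legacy scheme: {entry['scheme']}")


def migrate_store(store: dict) -> dict:
    """Rewrite every legacy entry; the user never sees this step."""
    return {user: migrate_legacy(entry) for user, entry in store.items()}


def verify(record: str, password: str):
    """Return (ok, record). For a wrapped entry that verifies, the returned
    record is a fresh native one so the caller can store it (opportunistic
    upgrade on login); otherwise the original record is returned unchanged."""
    kind, iters, salt, digest = _unpack(record)
    if kind == NATIVE:
        material = password.encode()
    elif kind == WRAPPED:
        # Recompute what the legacy system stored, then feed it to the wrapper.
        material = hashlib.md5(password.encode()).hexdigest().encode("ascii")
    else:
        return False, record
    ok = hmac.compare_digest(_derive(material, salt, iters), digest)
    if ok and kind == WRAPPED:
        return True, create_password(password)
    return ok, record


if __name__ == "__main__":
    migrated = migrate_store(LEGACY_STORE)
    for user, rec in migrated.items():
        print(user, rec.split("$")[0])
    ok, upgraded = verify(migrated["bob"], "hunter2")
    print("bob login:", ok, "-> now", upgraded.split("$")[0])
```

The wrapped form keeps the weak MD5 layer underneath only as long as the user does not log in; once a correct password is presented, `verify` hands back a native record and the legacy digest is gone from the store. A defender auditing such a migration should check that no record of kind `pbkdf2-sha256-md5wrap` remains for accounts that have since authenticated, and that the plaintext source column was destroyed after `migrate_store` ran.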