New Password Policy for a B2B Platform
Ensuring Security with New Rules for Editing and Creating Passwords
Working in a large company requires awareness of aspects that most companies may not consider on a daily basis. One aspect I had to learn to manage was security: our database contained the sensitive data of thousands of clients. During one of the frequent penetration tests (Pentests) conducted by our Security Team, vulnerabilities such as weaknesses in user passwords were uncovered.
What Was The Problem?
For those unfamiliar with the term — as I once was — a Pentest is “an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system,” according to Wikipedia.
The test revealed that unauthorized parties could easily access the system's features and data. In one incident, an unhappy employee hacked into a supervisor's account and posted several accusatory messages against the company. These messages were seen by nearly all users at the time, and the Customer Success Team struggled to mitigate the resulting client discontent.
Our product team was tasked with addressing this significant issue as a matter of urgency. Naturally, it was a high-priority project.
Main Issues
Given the limited time to resolve the most critical security issues, a quick assessment led us to identify the main problem: users' weak passwords.
Bulk password creation — Our biggest clients, which were large companies, often created accounts for their collaborators using a common password to save time.
Flexible Password Requirements — The only rule for password creation was a minimum length of four characters; there were no other security measures in place.
Persistent Access — Once a user logged in for the first time, their access would not expire on any device (web and mobile), persisting even after password changes.
What Did We Build?
As the Product Owner of that product, I had to consider the whole picture:
We needed to address these vulnerabilities before the next Pentest. The most straightforward solution was to secure individual user access on multiple devices.
Many users had adopted the 4-character passwords likely issued by their company.
With the platform undergoing a rebuild and redesign, it presented an opportune moment to introduce a new feature that aligned with the refreshed company identity.
Solution
After careful analysis, we determined our main goal was to enforce stronger password practices among users.
The features we developed included:
An updated login page that allows users to sign in with an email and password or via a Google Account for convenience.
Enhanced password criteria, mandating a minimum of six characters, including at least one uppercase letter and one special character, to improve password strength.
Periodic termination of all user sessions across devices, requiring users to log in again and thus reinforcing security.
Guiding metrics
50% of users adopting a strong password within six months.
Penetration tests showing 65% fewer security vulnerabilities.
Tools used
Figma: Utilized for brainstorming, creating wireframes, and prototyping.
Jira: Served as the task board for project management.
Notion: Acted as the principal tool for ideation and the repository for product documentation, including the Product Requirement Document (PRD).
Teams: Functioned as the primary communication channel for the team.
My role as Product Owner
In summary, my role was ensuring the successful development and implementation of these new password policies, enhancing the security of the platform, and protecting sensitive client data. This required strategic thinking and effective stakeholder management.
Key Responsibilities
Strategy: understanding the security vulnerabilities identified through Pentests and helping define a strategic approach to address them effectively.
Stakeholder Engagement: I gathered requirements and ensured stakeholder expectations were managed throughout the project lifecycle.
Feature Definition and Design Oversight: I collaborated closely with UX/UI designers, utilizing tools such as Figma, to design a new login interface that incorporated the enhanced password requirements while aligning with the company's new identity. I helped ensure the design was user-friendly and met the security objectives.
The Final Product
Dual Authentication Options
A traditional email and password entry point.
Social login, offering users the convenience of logging in with existing Google or other accounts, streamlining the authentication process without compromising security.
Enhanced Password Policy
The new policy is visibly communicated to users during the account creation or password reset process.
Passwords now require a minimum of 6 characters, incorporating letters, special characters, and numbers to bolster complexity and strength.
Session Management
A feature that periodically ends user sessions across all devices, requiring re-authentication. This measure not only ensures the integrity of user sessions but also mitigates the risk of unauthorized access from forgotten active sessions.
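The two mechanisms described in the Enhanced Password Policy and Session Management sections can be sketched in a few dozen lines. The following is an added example, not code from the post or from the platform it describes. It assumes the password rules are the union of the criteria stated in the Solution and Final Product sections (at least six characters, at least one letter, one uppercase letter, one number and one special character), a 30-day session cap standing in for the "periodic termination" the post does not quantify, and a constructed in-memory session store. The store also fixes the Persistent Access problem from the Main Issues section: every session records the user's password "generation", and a successful password change bumps that generation so that sessions on every device stop validating.

```python
"""Password policy check plus cross-device session invalidation.

Added example (not the platform's own code). Assumptions: rules are the
union of those the post states; SESSION_MAX_AGE is a made-up 30-day cap;
the session store is an in-memory stand-in for a real database.
"""
import secrets
import string
import time
from dataclasses import dataclass

MIN_LENGTH = 6
SPECIAL = set(string.punctuation)
SESSION_MAX_AGE = 30 * 24 * 3600  # assumed: periodic termination after 30 days


def password_policy_violations(password: str) -> list[str]:
    """Return the rules the password fails; an empty list means it passes.

    Returning every failed rule (not just the first) lets the login or
    reset page show the user the whole policy at once, as the post describes.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("at least one letter")
    if not any(c.isupper() for c in password):
        problems.append("at least one uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("at least one number")
    if not any(c in SPECIAL for c in password):
        problems.append("at least one special character")
    return problems


@dataclass
class User:
    name: str
    session_generation: int = 0  # bumped on password change; older sessions die


@dataclass
class Session:
    user: str
    token: str
    generation: int  # user's session_generation when the session was issued
    issued_at: float


class SessionStore:
    """Issues and validates sessions for web and mobile clients alike."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be tested offline
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def login(self, username: str) -> str:
        user = self.users.setdefault(username, User(username))
        token = secrets.token_urlsafe(32)  # unguessable opaque session id
        self.sessions[token] = Session(username, token,
                                       user.session_generation, self.now())
        return token

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.user]
        if session.generation != user.session_generation:
            return False  # password changed since this session was issued
        if self.now() - session.issued_at > SESSION_MAX_AGE:
            return False  # periodic termination: force re-authentication
        return True

    def change_password(self, username: str, new_password: str) -> list[str]:
        """Apply the policy; on success invalidate the user's sessions everywhere."""
        problems = password_policy_violations(new_password)
        if problems:
            return problems
        self.users[username].session_generation += 1
        return []


if __name__ == "__main__":
    store = SessionStore()
    web, mobile = store.login("alice"), store.login("alice")
    print(store.change_password("alice", "short"))      # lists failed rules
    print(store.change_password("alice", "Str0ng!pw"))  # [] -> accepted
    print(store.is_valid(web), store.is_valid(mobile))  # both False now
```

The generation counter is deliberately compared rather than the sessions deleted: it also covers sessions that live in other stores (a mobile backend, a cache) that the password-change handler never sees. One caveat worth noting for anyone reusing the validator: composition rules like these are a floor, and current guidance (NIST SP 800-63B) weighs length and screening against known-breached passwords more heavily than character-class requirements.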
The implementation of these features significantly strengthened user account security and established a new benchmark for data protection on our platform. The revamped login interface has markedly decreased vulnerability to breaches, strengthening client confidence and securing vital data.
As this feature was developed for a private company, the real images cannot be shown. But, as an example, I will use similar interfaces that match what was built: