Tuesday, May 31, 2016

YAPF (Yet Another Password Fail)

   It's another week and password problems are in the news again!

   In the July 10, 2012 edition of this blog I wrote about the 2012 LinkedIn password breach.  A month earlier, LinkedIn confirmed that a Russian attacker exploited a website vulnerability and downloaded 6.5 million encrypted passwords.  You can read my old post to see why that's a problem.

   Well, some gifts just keep on giving!  Now, nearly 4 years later, a newly posted password dump from this same breach was advertised for sale on a dark web site.  Except that information on over 167 million accounts was for sale!  Of those, over 117 million had both the email and password.  Slightly different math!!!

   So why is this a problem?  Actually it's an old problem and a new problem.  Here are the key issues:
  • Poor password choices - once again, this latest set of stolen passwords shows weak passwords - the top five found passwords were: 123456 (used on over 1 million accounts!), linkedin, password, 123456789 and 12345678
  • Password reuse - since people have accounts on so many sites that need passwords, they tend to reuse them.  The one million people who used 123456 as their LinkedIn password likely reuse that on other sites.
  • Back to Work - are some of these same poor password choices being made on work systems?  Or are some work passwords being used on sites like LinkedIn and potentially included in this breach?
   We've talked about this issue so many times that this blog is at risk of becoming the password problems blog!  But passwords are both one of the most commonly used security tools and one of the biggest security fails!  And this issue comes up in mainstream media often, so it makes sense for us to discuss it here.

   So what should we do about it?  If you need to use passwords, and you almost certainly do, then here are the key tips to remember:
  1. Choose long passwords - when it comes to passwords, size matters!  Password length is more important than complexity!  You're better off using an English sentence as a passphrase rather than worrying about things like including numbers, punctuation or special characters.
  2. Use a vault - whenever it's available to you, and definitely for all your home/consumer passwords, use a password vault.  The vault makes it easy to use really long AND complex passwords without worrying about remembering them.  Just be sure to choose a really good vault password that you will remember (the one password to rule them all!).
  3. Use 2-factor authentication.  Many consumer websites like Amazon, Google, Twitter and your bank support 2-factor authentication.  I explained 2-factor authentication here and here - it basically uses (typically) your smartphone to add a 2nd login step so that an attacker would have to have both your password and your phone to be able to log into a site.  If you use it and there's a password breach then you're safe.
   At the office: never use your work password on a consumer site, even if your organization buys services from that site.  This includes LinkedIn, Facebook, file sharing (box, dropbox, etc.).  The only exception is if your organization is using something called "federation", but that's another topic for another day.
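Here is an added example (my own code, not anything from the post or from LinkedIn) showing how a site or an internal IT team could enforce the two points above: reject the weak passwords that breach dumps keep surfacing, and measure length rather than character mix. The breached list is constructed from the five passwords named in the post; the 16-character minimum and the crude entropy estimate are my assumptions, not figures from the post.

```python
"""Password policy check: reject known-breached passwords and favour
length over complexity.

Added example. The breached list is constructed from the five passwords
named in the post; a real deployment would load a full breach-dump list.
"""
import hashlib
import math
import string

# Constructed sample: the top five LinkedIn passwords reported in the post.
BREACHED_PASSWORDS = {"123456", "linkedin", "password", "123456789", "12345678"}

# Keep only SHA-1 digests next to the policy code so the plaintext list does
# not have to ship with it (breach-check lists are commonly published this way).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in BREACHED_PASSWORDS}

MIN_LENGTH = 16  # assumption: a passphrase-friendly minimum, not a value from the post


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest is in the breached set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy: length times log2 of the size of the character
    classes actually used. A sentence of dictionary words is less random than
    this bound suggests, but the comparison still shows why length wins over
    a short password padded with symbols."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(c.isspace() for c in password):
        pool += 1
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means accepted.
    Note there is no character-class requirement: length is the rule."""
    problems = []
    if is_breached(password):
        problems.append("appears in breached-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "correct horse battery staple"):
        print(f"{candidate!r}: {estimate_entropy_bits(candidate):.1f} bits, "
              f"problems={check_password(candidate)}")
```

Run as a script it prints the entropy estimate and policy verdict for the weakest password in the dump, a short "complex" password, and a plain lowercase passphrase; only the passphrase passes, and it also scores highest despite using no digits or symbols.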

   We've been hammering on this topic forever and, as has been predicted for 20 years, passwords need to be gone.  Perhaps Google can cover this for us.  They already know everything we do every moment of the day!  I better check with Google to see what I should do next!
