Tuesday, May 7, 2013

So Long and Thanks for All the Passwords!

   If you've been following any online news lately, you've read about the recent Living Social breach.  They reported "unauthorized access" to their systems, resulting in the download of customer data including names, email addresses and encrypted passwords.

   We have heard of many similar incidents over the past few years.  I've written about this in previous posts, and in a couple of weeks I will be giving a talk on authentication and passwords at Secure360 in St. Paul, MN.

   In their defense, Living Social did do a couple of things well.  First of all, fortunately, they did store only encrypted passwords.  Unfortunately many organizations don't.  Unfortunately they used an older, weaker encryption algorithm.  And, of course, unfortunately they got breached and had the file downloaded.
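   What "stored only encrypted passwords" should mean in practice is a salted, deliberately slow password hash rather than a fast, unsalted digest.  The following is an added Python example, not code from the original post and not a description of Living Social's actual system (the post does not name the algorithm they used).  It uses unsalted SHA-1 as a stand-in for an "older, weaker" scheme and PBKDF2-HMAC-SHA256 from the standard library as the stronger one; the sample accounts are constructed for the illustration.  The point it demonstrates: with an unsalted digest, two users with the same password have identical records, so reuse inside the stolen file is visible without cracking anything, and each guess costs the attacker one cheap hash.  With a per-user salt and a work factor, neither is true.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Callable, Optional

# Constructed sample accounts for this illustration (not data from any breach).
# Alice and Bob happen to share a password, which is the reuse problem.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com":   "correct horse battery staple",
    "carol@example.com": "a completely different long sentence",
}

# Work factor for the slow hash; kept modest so the example runs quickly.
# A production deployment tunes this upward to whatever its hardware tolerates.
ITERATIONS = 100_000


def weak_store(password: str) -> str:
    """An unsalted, fast digest: the sort of older scheme that offers little
    protection once the password file is stolen. Identical passwords yield
    identical digests, and each guess costs the attacker one cheap hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """A salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard
    library). The record is self-describing so verify() can recover the
    parameters; a fresh random salt per user means two users with the same
    password still get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Check a login attempt against a strong_store() record, comparing in
    constant time so the check itself leaks nothing about the digest."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported record scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def colliding_users(store: Callable[[str], str]) -> int:
    """Hash every sample account with `store` and count how many accounts share
    a stored record with at least one other account. With an unsalted digest,
    every password reused inside the site shows up here; with a per-user salt
    the count is zero."""
    records = {email: store(pw) for email, pw in USERS.items()}
    counts = Counter(records.values())
    return sum(1 for rec in records.values() if counts[rec] > 1)


if __name__ == "__main__":
    print("accounts sharing a record, unsalted SHA-1:", colliding_users(weak_store))
    print("accounts sharing a record, salted PBKDF2: ", colliding_users(strong_store))
    rec = strong_store(USERS["carol@example.com"])
    print("login with right password:", verify(rec, USERS["carol@example.com"]))
    print("login with wrong password:", verify(rec, "guess"))
```

   Run it and the unsalted scheme reports two accounts sharing a record while the salted scheme reports none.  The self-describing record format is what lets a site raise the work factor later and re-hash users as they log in, which is the usual way to retire an "older, weaker" scheme without a forced reset.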

   Fortunately, they did a nice job in notifying customers.  Fortunately, they expired all passwords and forced everyone to set a new password.  Unfortunately, you need to log in with your old password first.

   But perhaps most unfortunate of all is the potential for password reuse to be exploited.  The attackers know there's a very good chance that many people use the exact same username/email-address plus password pair at other sites.

   As I discussed in this post a few months ago, most users have accounts on 25 different online sites, but use only 6.5 different passwords.  So the odds are pretty good that the hackers will find another site on which some of these passwords have been reused.

   The attackers know that passwords at the Living Social site will be changed.  However, if they try these ID/email-address plus password pairs at some of the major online banking sites, Amazon, Google, iTunes and other e-commerce sites, they are bound to have some success.  And we don't want them to have success.

   So, as I've said in the past and will say in the future (because this problem isn't going away anytime soon)...
  1. choose good long passwords (long sentences are just fine)
  2. use a password vault, and
  3. use a unique password at each online site.
  4. (bonus) use 2-factor authentication for online sites when available (and complain if it isn't available yet!)
   If you need to change passwords at your sites to make this happen then do it!
