Does a reported theft of a billion or more passwords from hundreds of thousands of websites matter? Not necessarily, an IT security figure has suggested.
Gavin Millard, EMEA technical director at Tenable Network Security, said that it shouldn’t matter that hackers stole your password to a forum you frequent. But the fact that many users apply the same password to every internet service they use means the impact of this hack will be significant, he added. He said: “Don’t change your password in response to this, change your password habits by using a password manager which will enable you to have an individual password per site you use, thus limiting the impact of any attack of this nature.”
Mark James, security specialist at ESET, spoke of the need for companies to inform their users as soon as possible if they think their servers have been compromised, since a computer user’s only defence is to use different login information across sites.
“The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply: do not re-use the same password anywhere, make small simple changes that can be easily remembered by yourself, and don’t use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course.”
Geoff Webb, senior director, solution strategy at NetIQ, suggested that we are reaching the end of the usable lifespan of the username and password combination for IT security. He said: “The approach of making users create their own passwords simply forces this last, critical step in security into the hands of the people least qualified and least interested in making it secure: the end user. People don’t want to deal with complex passwords they use only once, and as we keep forcing users to be responsible for this security it’s unsurprising we keep seeing the same results – weak passwords, reuse of passwords and breaches that cascade to many sites.”
He contrasted the reported case in August of a hacker group stealing perhaps a billion passwords with the recent US case of Target, where a breach saw credit card details stolen from a retailer. “Small groups of hackers are able to perpetrate this kind of immense data theft because there is already extensive information available to assist them in navigating to vulnerable systems around the globe – hackers have mapped the internet to a high degree of accuracy and that information is readily available. Furthermore, the advent of cloud computing presents these hacker groups with massive compute power on tap for low cost. They can use botnets to identify and attack sites, cloud compute resources to crunch the resulting data, and remain under the radar the entire time.”
As for our personal or business protection of passwords, he said organisations don’t always protect passwords as well as they should – either using weak hashing algorithms, unsalted hashes, or in some cases, not even protecting the passwords at all. “Many companies don’t enforce good password policies, and users employ poor password hygiene – reusing the same passwords in multiple places – meaning that any single username and password combination could present an open door to many sites.”
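As an added illustration of the weak-versus-salted hashing point above (example code written for this page, not from any of the quoted companies): an unsalted single-round hash gives every user who reused a password the same stored value, while a per-user random salt and a slow key-derivation function do not. The user names and passwords are constructed sample data, and the record format is an assumption made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to reuse the same password here.
USERS = {"alice": "Summer2014!", "bob": "Summer2014!"}

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware gets faster


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: equal passwords give equal digests,
    so one cracked hash exposes every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record (assumed format: algo$iters$salt$hash).
    A fresh random salt per user makes identical passwords hash differently
    and defeats precomputed lookup tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(users: dict) -> dict:
    """Count distinct stored values under each scheme for the given users."""
    weak = {weak_hash(pw) for pw in users.values()}
    salted = {make_record(pw) for pw in users.values()}
    return {"unsalted_distinct": len(weak), "salted_distinct": len(salted)}


if __name__ == "__main__":
    print(compare_schemes(USERS))  # unsalted collapses to 1, salted stays 2
    rec = make_record(USERS["alice"])
    print(verify("Summer2014!", rec), verify("wrong", rec))
```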
Brian Spector of CertiVox said that the wider security industry ought to take another look at the methods that they employ to secure services and data. Consumers are prone to using the same password for multiple accounts which means that the risks posed by this particular data loss are wide ranging, he said. “Businesses are appearing increasingly desensitised to these repeated attacks, but they need to know that there are other means of authentication that can offer a way out of this cycle of hacking. Government organisations, businesses and other bodies need to identify new ways to secure data, or they will face more of the same problems in the future and an increasing consumer backlash as crucial details are stolen and used for criminal gain.”