After Dropbox accounts have reportedly been compromised by leaked user names and passwords from other websites, vendors have claimed that it’s another nail in the coffin of the password.
Comments
Intercede CEO Richard Parris said that the the inherent limitations of the username/password system, combined with lax security habits, are endangering consumers’ valuable digital assets. He said: “In Intercede’s recent study The Rise of the Identity Centric Economy, these poor habits were painfully illustrated, with 60 per cent of UK consumers confirming they only used passwords they could ‘remember’. This implies these passwords are weak and likely to be used as credentials to access a number of websites and online accounts.
“Just as concerning was the number of people who admitted to knowing other people’s log-in details, with almost 30pc of consumers admitting to knowing a friend, relative, partner or work colleague’s passwords. There is clearly a need for increased consumer education and a wide-scale use of more robust security solutions. Every high profile breach is another nail in the coffin for the humble username and password system, as public awareness grows that passwords are simply not up to the task of securing people’s digital assets in the modern world.”
Tim Erlin, director of security and risk at Tripwire said: “If you are storing important data in Dropbox, enable two-factor authentication right now. This kind of compromise is a bigger problem than most organisations realise. Businesses should be identifying users in their environments who have Dropbox installed on their systems and either forcing them to remove it or enable two-factor authentication. Services like Dropbox provide a valuable service, but they also provide a back channel file sharing mechanism for business users when IT isn’t meeting their needs. That means that uncontrolled, often forgotten, sensitive data is being stored outside of policy and corporate protections. If you don’t have visibility into who in your environment is using services like Dropbox, you are at risk.”
Jason Hart, VP Cloud Solutions at SafeNet said: “Attacks like these demonstrate that, ultimately, the only way that we can stop or prevent password-based attacks is by the use of multi-factor authentication. Unless companies can categorically say they are doing this, then they will always be open to password-based attacks – whether it actually happened or not. Users also need to ensure that they do not use the same passwords across various accounts, as this can increase the risk of multiple accounts being affected by hackers. Companies also need to change their mind-set about data breaches, to understand that it’s no longer a case of ‘if’ but ‘when’ they might be breached. Our Breach Level Index revealed that in Q2 2014, less than one per cent of all breaches were ‘secure breaches’ – where data stolen had appropriate controls and protection around it. This emphasises the importance of tools such as encryption and key management to keep data protected. So that if a breach occurs, customers can be safe in the knowledge that their data remains protected.”
Silvio Kutic, CEO at Infobip, said: “As the latest household name to experience a password breach, it’s understandable that Dropbox is touting the fact it now supports two-factor authentication. But this event is far more significant than those in recent weeks, as it demonstrates the importance for all online services to offer two-factor authentication. Now, not only is it essential to protect users from data breaches that happen on company servers, it’s also necessary to protect them from their own habits and behaviours.
“Most of us use the same password for all our accounts, from social networking to banking. If a hacker can get hold of a username and password for one website, and the affected user hasn’t protected their other accounts with two-factor authentication, then it is likely those same details will work in a number of other places, too.
“Even though most cloud storage providers like Dropbox, retailers, and social networks offer two-factor authentication for this reason, most users are unaware of it. There is no doubt that two-factor authentication ticks all the right boxes for a consumer-friendly answer to the security challenges faced by today’s online players, but incorrectly implementing 2FA or providing consumers with an overly complicated authentication process will not have the desired effect. The extra layer of security simply won’t be used.
“In this respect SMS-based 2FA is the best approach. Rather than relying on an authenticator app or additional hardware like a key fob, SMS-based 2FA can turn any mobile phone into an extra layer of security.”
And Clair Galbois, director of cloud solutions at Accellion
“With private cloud file sharing, enterprises retain control and ownership of their data and the encryption keys to access that data. This means that the enterprise organisation is in control of who can access that data including any government agency that requests information or metadata. Dropbox’s public cloud architecture is a large obstacle to winning enterprise deployments.”
