
Password Managers: The Unsung Heroes of Cyber-Security


One of the most commonly used and well-recognised security mechanisms the world over is the ‘Password’. In spite of the overwhelming use of passwords on the frontline to help secure systems and devices around the globe, passwords are still, in significant numbers, being created, stored and managed poorly.

This is evidenced by what seems to be a near-constant stream of reports of compromised and stolen passwords. The latest incident to make mainstream headlines and begin trending on social media is the release of a massive number of account details (over 68 million according to some sources, or approximately two-thirds of the customer base at the time) for the popular cloud storage site Dropbox. This incident is a perfect example and a timely reminder for all those with password-protected accounts (i.e. everyone).

Although the initial data breach occurred in 2012, it is only within the last few weeks that the account details obtained by the unknown malicious party were leaked. The compromised account details included passwords linked to email addresses, stored using a pair of encryption methods (Dropbox had updated some of the encryption it used around the time of the breach, but it appears the update was not applied to accounts created before it), one of which is woefully inadequate in today’s security environment.

The SHA-1 encryption (the weaker of the two used on passwords obtained during the breach) is on the chopping block at the end of this year, having been disparaged by vendors including Google and Microsoft due to identified “Significant Mathematical Weaknesses” that would enable it to be compromised without excessive effort. It is subsequently being replaced by SHA-2 and other superior encryption methods, although this will be of little comfort to those with passwords that were ‘protected’ and stolen while using SHA-1.

It is estimated that around 36 million of the accounts compromised had their passwords stored under SHA-1 encryption. As such Dropbox has been urging users to reset their passwords to prevent them being used for unauthorised access to Dropbox accounts. This however does not help those users who may have, despite the urgings of countless security bulletins, used the same password (or slight variations on the same password) across a variety of accounts.

When the data breach occurred in 2012, it was reported that only user names and emails were compromised, not passwords. The omission of this information in the breach report may have caused users to defer changing their password at the time. As such, various repositories of information were put at risk if the same password was being used across multiple accounts.

The key lesson here is that security breach reporting from online suppliers may be ineffective, either through deliberate concealment to avoid reputational damage or through poor practices; in the worst case it may be completely non-existent. As such, users should be proactive in protecting their personal account details, regardless of the information communicated by affected entities.

The use of varied, complex passwords across accounts will help significantly in limiting the impact of breaches like the one identified in this article, especially as it is highly likely that the average internet user will have their details compromised at some point in the future (if they haven’t been compromised already).

Password management tools have emerged as one of the best ways to help secure accounts by using complex, random, near-unguessable passwords. They also eliminate the need to remember an individual password for every user account: only the master password that unlocks the manager itself has to be committed to memory.

The use of such a tool can help provide a solid frontline of defence for your accounts, and a brief Google search will net a variety of free and pay-for-use password managers. The cost of losing several important accounts due to weak and shared passwords can far outweigh the cost (in time and effort more often than not) of implementing such a tool.
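The reuse problem described above (the same password, or slight variations on it, across accounts) and the manager-style fix of one random password per account can be shown in a few lines. This is an added example, not part of the original article or any password manager's own code; the account names, passwords and the variant-matching rules are constructed assumptions.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample vault (account -> password); all values are made up.
SAMPLE_VAULT = {
    "dropbox.example": "Sunshine2012",
    "mail.example": "sunshine2012!",
    "bank.example": "$un5h1ne#99",
    "forum.example": "correct-horse-battery",
}

# Common character substitutions, undone so "$un5h1ne" compares equal to "sunshine".
SUBSTITUTIONS = str.maketrans("@4301$5!7", "aaeoissit")


def normalise(password: str) -> str:
    """Reduce a password to its base word: lower-case, drop trailing
    digits/symbols, then undo character substitutions."""
    lowered = password.lower()
    stem = re.sub(r"[^a-z]+$", "", lowered)
    return stem.translate(SUBSTITUTIONS) or lowered


def find_reuse(vault: dict) -> dict:
    """Return {base word: [accounts]} for passwords shared by 2+ accounts."""
    groups = defaultdict(list)
    for account, password in vault.items():
        groups[normalise(password)].append(account)
    return {b: sorted(a) for b, a in groups.items() if len(a) > 1}


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG with lower, upper and digit present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(map(str.islower, pw)) and any(map(str.isupper, pw)) \
                and any(map(str.isdigit, pw)):
            return pw


def remediate(vault: dict) -> dict:
    """Give every account flagged by find_reuse() its own random password."""
    flagged = {acct for accts in find_reuse(vault).values() for acct in accts}
    return {a: generate_password() if a in flagged else p
            for a, p in vault.items()}
```

On the sample vault, `find_reuse` groups the three "sunshine" variants together, and after `remediate` a breach of any one of those accounts no longer exposes the others.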

Interested in seeing if your email address(es) have been listed as part of a major breach? Click here to check.

The Agilient Team
