Following the news about Amazon’s reported reset of customer passwords found online associated with other sites (but not with Amazon), IT security experts from Balabit, Prevoty, STEALTHbits and VASCO Data Security commented below.
Péter Gyöngyösi, Product Manager of Blindspotter at Balabit:
“What’s interesting in Amazon’s action is that it is probably one of the first cases when a large online company takes a proactive measure in resetting passwords. It wasn’t them who got hacked, but they still cross-validated the leaked credentials with their own records and when they found a match they took action. Their letter is vague about whether they in fact knew that the person’s Amazon password was also on the list, or the only thing they saw was the email address and a bunch of passwords. The former, verifying the leaked passwords against their own database and only resetting them when there’s a match, is a risky move, because in this case essentially they would be the ones who confirmed that that their users’ passwords are indeed reused between accounts, which can be valuable information for hackers by itself. The latter case, on the other hand, can be annoying for users who apply due diligence and don’t reuse their passwords.
“Either way, the grim reality is that most people today do use the same easy-to-guess password for all of their accounts, which is a huge security risk. On the end-user side, the solution is to start using one of the many great personal password managers available out there and enable multi-factor authentication wherever it’s possible. And the operators of these services must start to enable multi-factor authentication, using single-sign on services and start to perform a continuous, ongoing analysis of the users’ behavior to identify unusual actions to complement their one-off authentication at the beginning of a user session.”
Kunal Anand, Co-Founder and CTO at Prevoty:
“It’s fantastic to see companies like Amazon being progressive about password management. Until everyone moves to a password manager and has unique passwords for every account, there will always be password re-use. By scanning open paste bins, code repositories and sites for passwords, Amazon can potentially get out in front. It’s a win/win for both Amazon and customers. Amazon can potentially reduce costs associated with fraud while customers get security awareness. Given that there are open source tools to look for account dumps on the web, more security teams at companies should and can do this.”
Brad Bussie, CISSP, Director of Product Management at STEALTHbits:
“Praise Amazon! This act is exactly what organizations need to do to look out for their customers. The fact that Amazon itself wasn’t compromised but was able to compare account details in its own database to those that were available online is a shining example of proactive cyber security. All too often, we are in a constant state of reactivity. Thanks to Amazon for leading by example and having its customers’ interests top of mind. The bottom line is we need more gestures of good will in cybersecurity to help prevent the next breach.”
John Gunn, VP of Communications at VASCO Data Security:
“This is an incredibly smart move – it essentially says that even if your other online providers won’t protect you, we will. Amazon again demonstrates their innovative mindset and customer-first business philosophy.
“It also underscores the inherent vulnerabilities of 30-year password technology and the need to move to multi-factor authentication, which is far more secure and easier for consumers.”