
Expert Comments on MySpace and Tumblr Hit by ‘Mega Breach’

By ISBuzz Team, June 2, 2016 (Updated: May 8, 2025)

Following the news that hundreds of millions of hacked account details from social networks MySpace and Tumblr have been advertised for sale online, IT security experts from MIRACL, AlienVault and ESET provide commentary and advice:

Brian Spector, CEO at MIRACL:

This incident provides us with another reminder of just how vulnerable passwords are to being hacked. The tendency for people to choose a password for life means that setting up a cursory account on a site like MySpace could threaten all the private information that they store and access on the Web each day.

But the bigger problem here is that the convention never changes. Until we consign passwords to the history books, data breaches will continue to feature in our news feeds. Passwords don’t scale for users, they don’t protect individual services and they are vulnerable to a myriad of attacks. Customers are usually advised to change passwords when a breach like this occurs, but that won’t protect users from database hacks. The only way to move forwards is to distribute trust across multiple points with rigorous authentication technologies, thus eliminating the single point of compromise.

Javvad Malik, Security Advocate at AlienVault:

Is it likely that many people are still using the same password after several years?

“Yes, and this is what lies at the heart of the matter. Password re-use or the tendency for people to set a ‘life password’ is common. The challenge is selecting different passwords for each site someone uses. Users should ask themselves:

  1. When a website announces a breach, how confident am I that I haven’t used that password elsewhere?
  2. If I have used that password elsewhere, I should go and change it immediately.
  3. If a website offers two-factor or two-step authentication, I should enable it.
  4. What’s stopping me from using a password manager?”

Should major websites start forcing a 3-month password change like they do in an enterprise environment?

“Absolutely not. In fact, frequent password changes are being advised against by the likes of CESG. One of the problems with forcing regular changes, besides the inconvenience, is that users will inevitably begin to choose easier-to-remember (and hence guess) passwords.

What we are seeing though, is the likes of Microsoft introducing into Azure features that stop users from setting a password that has appeared in a leak. This kind of measure on behalf of the service provider can go a long way in nudging people towards choosing better passwords.”

Mark James, Security Specialist at ESET:

Is there a link between the LinkedIn, Tumblr and MySpace data leaks?

“It’s very interesting to see these older hacked databases coming to light; it may indeed be linked to the same collective or just data previously collected and offered for sale now. Either way it still poses the same security risk; unfortunately the average user will wait for something to happen before they take action on an account. I would advise you review all your passwords used in online activity and ensure they are all unique; if not, make it so.”

Can we trust companies to adequately protect our data?

“The problem is we have to if we want to use their services, whilst we hope and trust they will look after it we need to understand we should also take adequate measures to ensure we do as much as we can to help them do just that; it’s our data after all. Most companies will do all they can to protect our data, it’s in their interest to keep it safe but we have to accept the fact there are some simple tasks we can do to keep our credentials not only safe but difficult to reuse in case we are breached on one site.”

Are passwords still fit for purpose?

“Yes, a good well thought out unique password that utilises the correct complexities is a great start to protecting your data, there are many other options on top of that but you need the base right to build your security from. Many companies will now offer a second form of protection to back up your traditional username and password along with alerts for you, the user, whenever you log in from a different platform or device.

Using 2FA is a great way to boost the security of your account. Tumblr make this available but ultimately it’s down to the user to actually turn it on and use it, and for some the extra added steps stop people from actually doing so. These days we want ease, we want speed, we want everything to happen quicker and with fewer steps, and adding a process that makes things harder often stops people from using that feature even though it may actually increase their security.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
