Following the news that the Russian seller who goes by the name Tessa88 claimed in an encrypted chat on Tuesday to have obtained Twitter’s database, which includes email addresses, usernames and plain-text passwords, security experts have responded with the comments below.
Tod Beardsley, Security Research Manager at Rapid7:
“We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass. It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.”
Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock:
“The
“However, we should not simply rely on username and password based authentication as a barrier between our sensitive information and the rest of the Internet. It’s time for companies to embrace more advanced identity-centric solutions that improve the customer experience, while also providing stronger security.
“One option is to add multi-factor authentication, such as one time passwords, mobile push based authentication, biometrics or a combination. But as robust as these methods are becoming, they still rely on a ‘lock and key’ approach to security – once you’re through the door, you have free rein over the data within. The next big step forward will be continuous, behaviour-based authentication and authorisation.
“This will involve creating a user behaviour profile, which gathers key criteria that make up the “normal” usage pattern for any given user. Any deviation from the pattern will raise a red flag and lead to additional security questions or even removal of access. Importantly, this kind of technology will run entirely in the background, so the user will only ever be impacted if their behaviour is deemed to be suspicious.”
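The behaviour-profile approach Moffatt describes, sketched as an added example (not code from ForgeRock or the original article): a profile of a user’s usual hours, countries and devices is built from constructed login history, a new login is scored by how far it deviates, and the score maps onto the three outcomes he mentions: silent allow, additional checks, or removal of access. Thresholds and weights are illustrative assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    hour: int        # local hour of day, 0-23
    country: str
    device_id: str


# Constructed history (assumption): what "normal" looks like for one user.
HISTORY = [
    LoginEvent("alice", 9, "GB", "laptop-1"),
    LoginEvent("alice", 10, "GB", "laptop-1"),
    LoginEvent("alice", 14, "GB", "phone-7"),
    LoginEvent("alice", 18, "GB", "laptop-1"),
    LoginEvent("alice", 9, "GB", "phone-7"),
]


def build_profile(events):
    """Summarise a user's normal pattern: the hours, countries and devices seen so far."""
    return {
        "hours": Counter(e.hour for e in events),
        "countries": Counter(e.country for e in events),
        "devices": Counter(e.device_id for e in events),
    }


def risk_score(profile, event):
    """Add up deviations from the profile; each unfamiliar attribute costs points (weights are assumptions)."""
    score = 0
    if event.device_id not in profile["devices"]:
        score += 2
    if event.country not in profile["countries"]:
        score += 3
    # An hour within two hours of any usual login hour still counts as familiar.
    if not any(abs(event.hour - h) <= 2 for h in profile["hours"]):
        score += 1
    return score


def decide(profile, event):
    """Map the score onto the three outcomes the quote describes."""
    score = risk_score(profile, event)
    if score == 0:
        return "allow"      # background check passes, the user never notices
    if score < 4:
        return "step_up"    # additional security questions or a second factor
    return "deny"           # removal of access pending review
```

A production system would keep the profile per user and update it from successful, verified logins rather than from a fixed list, so that "normal" tracks the user over time.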
Ryan O’Leary, VP Threat Research Center at WhiteHat Security:
“We’re never out of danger from a data breach of our personal information and passwords. As users, we need to take precautions against this. If your password for each social media site actually is unique, good job, you’re one of the few people who use a different password for each system they log into. It is essential that we as a user community practice stricter personal security to mitigate the impact of data breaches that will, inevitably, occur.
“So, here are some simple tips for securing yourself online:
- Don’t use the same password for all sites. If one site were to be breached, all your accounts are effectively breached. At the very least, use a variety of passwords to minimise the impact of a breach
- Turn on two-factor authentication for any app that supports it. Yes, it’s a pain! But it’s also one of the best ways to protect your accounts
- Only log in to sites that use SSL; you’ll know this by checking if there is an ‘https://’ before the rest of the URL
- Don’t click on any links or attachments in instant messages or emails. As tempting as they might look, you really are rolling the dice with your personal security.”
Luke Brown, VP & GM EMEA, India and Latam at Digital Guardian:
“It is essential that organisations make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information.”
Richard Parris, CEO, Intercede:
“Whether
“There are already much more sophisticated and robust alternatives to simple password authentication available – these companies need to sit up and take notice. They are on the back foot dealing with the aftermath of data breaches, whereas they should be focusing on making sure the breaches don’t happen in the first place. The future of online security relies on a much more proactive stance; embedding measures into the very fabric of technology we use in our everyday lives, from the silicon chips used in smartphones, to the apps and services these sites offer. If not, will large-scale data breaches ever be a thing of the past?”