It was June 2012 when Dale Meredith was shopping online for a BBQ grill for Father’s Day and found one at Sears.com. The only snag: he had to create a username and password to buy it. That irked him.
He was annoyed because it was literally the hundredth-plus service—including his local newspaper, home router, and dozens of other trivial and not so trivial sites—to require a username and password in exchange for a service.
That’s when it struck Meredith, an IT security trainer located outside Salt Lake City, Utah: “This password madness is unsustainable.” Meredith was worried then about the number of passwords reused by himself and others across the internet. With one breach, one password could crack open dozens of his accounts.
Meredith had it right. According to security experts, today the industry is dealing with a password reuse crisis. In the past few weeks, account breaches have been reported by LinkedIn, Tumblr, VK.com, Fling and MySpace – bringing the total number of compromised accounts to more than 642 million.
The price of those breaches will be a virtual crime wave, say experts, as hackers take stolen credentials and unlock other accounts across the web. Security experts call it a growing epidemic, impacting high-profile victims such as Mark Zuckerberg, who had his Twitter and Pinterest accounts hijacked by hackers who claim they found his “dadada” password in the LinkedIn data dump. The LinkedIn breach data is also being blamed for a “significant” number of compromises of TeamViewer remote desktop customers.
“We know that attackers will go for the weakest link and that is any user who reuses their passwords. It’s a major problem,” said Christopher Hadnagy, chief human hacker at security firm Social-Engineer. He cites a study by ThreatMetrix that estimates that password reuse is a bad habit that 60 percent of internet users are guilty of.
“Honestly, as an industry we are in some pretty serious denial about passwords and password reuse,” said Jessy Irwin, security empress at AgileBits, the makers of the 1Password password manager. “It’s low hanging fruit for hackers. The security industry focuses on the latest zero days and malware. Meanwhile, passwords are the same as they were 30 years ago – the weakest link in even the most secure system,” she said.
Too Many Accounts, Too Many Passwords
Sadly, there is no password silver bullet. And it’s easy to see why. The average number of accounts registered to one email address for 25-34-year-olds is more than 40, according to credit-checking firm Experian. And on average, users had only five different passwords for those accounts, Experian reported.
Multiply those stats by the hundreds of millions of passwords breached in the past week and it’s easy to see why many are predicting massive numbers of new account breaches in the weeks and months ahead. Troy Hunt, creator of the cyber-breach service Have I Been Pwned?, estimates just the LinkedIn breach of 117 million accounts will unleash a password reuse tsunami of “tens of millions” of stolen passwords that can unlock accounts elsewhere on the web.
For those reasons we are seeing an unprecedented push by online companies urging their customers to change their passwords. Facebook and Netflix are asking users to tighten up account security following major breaches. Netflix, for example, cross-referenced user credentials with leaked data from LinkedIn, Tumblr and MySpace and sent emails to customers who used the same password, forcing them to change their Netflix password.
But some security experts say companies are in the bad habit of scapegoating end users and shaming them for their poor password hygiene when the finger they point should be directed – in part – at themselves. “Security is a shared responsibility. Yes, bad passwords are bad. But companies need to practice good password stewardship,” Irwin said.
Hashing, Salting and 2FA
That entails both hashing and salting stored passwords and offering users two-factor authentication when possible. Other steps include nipping the password problem in the bud and offering multi-factor authentication registration that makes sure users have an alternate email address, a phone number, or a device registered for push notifications if there is suspicious account activity.
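The two defensive practices the article describes, salting stored passwords and cross-checking customer logins against leaked credential data (the Netflix step above), are easy to show in code. The following is an added example written for this page, not code from the article or from any company it names. The user names, the breach dump (a one-entry set of SHA-1 digests) and the record format `pbkdf2_sha256$iterations$salt$digest` are all constructed for illustration; the sample password “dadada” is the one the article mentions. It shows why two reusers are indistinguishable in an unsalted store, why they are not in a salted one, and where in the login flow a service actually has the plaintext available to compare against a leak.

```python
"""Added example (not from the article): why salting matters and how a
service can check logins against a leaked-credential set."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: two users who reused the same password
# (the reuse problem the article describes) and one who did not.
SAMPLE_USERS = {
    "alice": "dadada",
    "bob": "dadada",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for a third-party breach dump that exposed "dadada"
# as an unsalted SHA-1 digest (a format seen in older dumps).
LEAKED_SHA1 = {hashlib.sha1(b"dadada").hexdigest()}


def unsalted_hash(password: str) -> str:
    """A single fast, unsalted hash. Identical passwords give identical
    digests, so cracking one exposes every account that shares it."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus a slow key derivation (PBKDF2-HMAC-SHA256).
    Stores a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_store(users: dict, hasher) -> dict:
    """Simulate a site's credential table using the given hashing scheme."""
    return {name: hasher(pw) for name, pw in users.items()}


def count_shared_records(store: dict) -> int:
    """Number of accounts whose stored record is identical to another's.
    With unsalted hashes this reveals password reuse without any cracking."""
    counts = Counter(store.values())
    return sum(1 for rec in store.values() if counts[rec] > 1)


def in_leaked_set(password: str, leaked_digests: set) -> bool:
    """Login-time check: a service only sees the plaintext at login, so that
    is when it can compare against a breach corpus and force a reset."""
    return hashlib.sha1(password.encode()).hexdigest() in leaked_digests


if __name__ == "__main__":
    unsalted = build_store(SAMPLE_USERS, unsalted_hash)
    salted = build_store(SAMPLE_USERS, hash_password)
    print("shared records, unsalted:", count_shared_records(unsalted))  # 2
    print("shared records, salted:  ", count_shared_records(salted))    # 0
    for name, pw in SAMPLE_USERS.items():
        flag = "FORCE RESET" if in_leaked_set(pw, LEAKED_SHA1) else "ok"
        print(f"{name}: verify={verify_password(pw, salted[name])} leak-check={flag}")
```

Note that the leak check runs on the plaintext the user just typed; once the site has stored only a salted, slow hash it can no longer match its own records against a dump of another site's hashes, which is exactly the property that makes salting worthwhile.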
“Most companies don’t need to upgrade their password policies and they probably won’t,” said Kim Phan, an attorney with Ballard Spahr, a legal firm specializing in privacy and data security. “You don’t need the same type of password protection to guard your selfies by the pool as you do your financial data,” she said.
Phan did say businesses are required to take responsibility when it comes to protecting login credentials in the financial, healthcare and government sectors. But no such requirements exist for most businesses on the internet. There are also state-level breach notification laws that require businesses to notify consumers if personally identifiable information is compromised. Forty-seven states have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches. But, Phan said, stolen usernames and passwords aren’t considered personally identifiable information.
In the case of Tumblr and LinkedIn, both companies only recently disclosed the full extent of breaches that happened years ago. It’s unclear whether these companies were even aware of the breaches before the data went public just recently. Social-Engineer’s Hadnagy suspects that the companies either kept quiet about the breaches to avoid embarrassment or simply were unaware of the theft.
“We don’t have any easy fix for passwords,” Phan said. In the interim, good luck memorizing those 30-plus complex passwords. For IT security instructor Meredith, password peace of mind includes his LastPass password manager, which holds his 166 usernames and passwords. But even the companies behind the password managers aren’t immune to breaches.