How to
Jonathan Crowe
Jun 2016

What the LinkedIn, Tumblr, and Myspace Data Breaches Can Teach Us About Improving Password Management


First LinkedIn, then Tumblr, and now Myspace. Over the past two weeks each of these companies was on the receiving end of a harsh reminder that, as Faulkner put it, the past is never dead; it's not even past (words worth remembering in these days of the "historical mega breach").

In total, an estimated 577 million email addresses and passwords associated with these companies have been put up for sale by one hacker named "Peace".


Screen shots of the listings offering the stolen LinkedIn, Tumblr, and Myspace data for sale on the Dark Web marketplace, The Real Deal (via Troy Hunt).

Besides being sold by the same hacker, the other thing tying all this data together is that all three breaches actually happened years ago; the data is only surfacing now.

LinkedIn data breach

Tumblr data breach

Myspace data breach

The fact that the data associated with these breaches is only surfacing now raises quite a few interesting questions, and others are already busy tackling them elsewhere.

As for this post, I'd like to focus on one specific question that, for many IT pros and their companies, might be more immediate: Is there anything we can learn from these breaches that can help us improve our security now?

Well, as it just so happens, there is one thing...

What the Latest "Mega" Data Breaches Can Teach Us About Improving Password Management


As startling as the full scope of these data breaches is, one thing that unfortunately isn't too shocking is the revelation that a sizable portion of the passwords exposed were comically bad.

Here is a list of the 20 most common LinkedIn passwords allegedly included in the breach, according to LeakedSource:

[Image: the 20 most common LinkedIn passwords, per LeakedSource]

Man, are these bad. I mean really bad. This is the kind of thing that induces a collective head smack across IT departments everywhere.

Myspace users unfortunately didn't fare any better:

[Image: the most common Myspace passwords]

To be fair, users aren't the only ones guilty of slack security practices here. In both LinkedIn's and Myspace's cases, the passwords were stored as unsalted SHA-1 hashes (not "encrypted"; a hash cannot be reversed, it can only be guessed at). SHA-1 is a fast, general-purpose hash rather than a deliberately slow password-hashing function, and with no "salt" (a random value added to each password before hashing, so that identical passwords produce different hashes and each account has to be attacked separately instead of the whole dump being compared against one precomputed table), an attacker on commodity GPU hardware can test billions of candidates per second and crack every account sharing a common password in a single pass. As a result, the majority of the hashes were cracked fairly quickly.
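To make the difference concrete, here is an added example (my own code, not anything from the post or from LinkedIn or Myspace) that builds a small constructed "dump" of unsalted SHA-1 hashes, cracks it with a six-word list, and then repeats the attack against the same accounts stored with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The account names, passwords and wordlist are all made up, and the iteration count is kept tiny so the demo runs instantly; a real deployment uses a far higher count or a memory-hard KDF such as scrypt or Argon2.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real breach records): a handful of accounts whose
# passwords stand in for the kind that topped the LeakedSource lists.
SAMPLE_USERS = [
    ("alice", "123456"),
    ("bob", "linkedin"),
    ("carol", "password"),
    ("dave", "123456"),        # same password as alice
    ("erin", "correct horse battery staple"),
]

# Constructed cracking wordlist: the top of a "most common passwords" list.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "111111", "letmein"]

# Deliberately small so the demo is instant; production uses far more (or Argon2/scrypt).
ITERATIONS = 1_000


def unsalted_sha1(password):
    """The scheme the post describes: plain SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_unsalted_dump(users=SAMPLE_USERS):
    """What the leaked LinkedIn/Myspace tables looked like: name -> SHA-1 hex."""
    return {name: unsalted_sha1(pw) for name, pw in users}


def build_salted_dump(users=SAMPLE_USERS, iterations=ITERATIONS):
    """Hardened store: name -> (salt, PBKDF2 output). Equal passwords no longer collide."""
    dump = {}
    for name, pw in users:
        salt = os.urandom(16)
        dump[name] = (salt, salted_pbkdf2(pw, salt, iterations))
    return dump


def duplicate_groups(unsalted_dump):
    """Unsalted hashes leak password reuse: equal hashes mean equal passwords."""
    by_hash = {}
    for name, h in unsalted_dump.items():
        by_hash.setdefault(h, []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


def crack_unsalted(dump, wordlist=WORDLIST):
    """Hash each candidate ONCE, then look every leaked hash up in that table.
    Returns (cracked, hash_computations)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    cracked = {name: table[h] for name, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist=WORDLIST, iterations=ITERATIONS):
    """With per-user salts no shared table exists: every (user, candidate) pair
    costs a full slow KDF run. Returns (cracked, kdf_computations)."""
    cracked, work = {}, 0
    for name, (salt, stored) in dump.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(salted_pbkdf2(w, salt, iterations), stored):
                cracked[name] = w
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = build_unsalted_dump()
    print("reuse visible in unsalted dump:", duplicate_groups(unsalted))
    print("unsalted:", crack_unsalted(unsalted))
    print("salted  :", crack_salted(build_salted_dump()))
```

Both attacks recover the same four weak passwords (the passphrase survives either way), but the unsalted run needs six hash computations for the whole dump and exposes that alice and dave share a password, while the salted run needs thirteen separate slow KDF runs and would need five more for every additional wordlist entry per user. Multiply that by real wordlist sizes and a real iteration count and the cost difference is what buys users time to change passwords after a breach.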

That said, the poor quality of the passwords in the lists above is further indication that, despite all the increased emphasis on adopting better security habits, the majority of us are still stupendously bad at creating and using strong passwords.

That's a big problem, because no matter how strong your security is, if your users have passwords like these they're essentially giving away a key to the kingdom.

In the midst of all the media coverage surrounding these breaches, security researcher Troy Hunt picked up on this, too, and shared some advice in three parts: use a password manager, make random passwords, and enable two-factor authentication where it's available.

These all seem simple enough, so why is it still so hard for us (and companies) to get password management right?

Looking for an answer, I reached out to Hunt and asked if he would mind sharing some insight into a) what makes these three things so difficult, and b) what the easiest thing we can actually do is if we want to start making measurable progress now.

Hunt is a good guy. Despite the fact that he’s incredibly busy analyzing and breaking news around all these breaches, not to mention managing his victim-informing website Have I Been Pwned?, he got back to me quickly.


"These things are hard for us because they require us to do something different than what we normally do. As much as I advocate password managers, try explaining how to use them to non-technical folks and you remember how much friction it creates. It’s necessary, but it’s still friction."

Troy Hunt, security researcher and creator of Have I Been Pwned?

Fair point. I only recently signed up for a password manager. While I wouldn't go so far as to describe myself as a technical person, I'm also no slouch, and I still had a tough time getting the hang of actually using it.

Looking to get another take on password managers and to find out why they haven't solved our password woes by now, I turned to Per Thorsheim, founder of PasswordsCon.org and CEO of GodPraksis.no, who painted an even clearer picture of the problem:


"As long as [password managers] are not very easily accessible in the operating system or your default browser that means you actually have to learn about them, find them, evaluate them, purchase them, download and install, learn how to use them, and more."

Per Thorsheim, founder of PasswordsCon.org

That certainly does sound like an uphill battle. Not only do people need to become aware that password managers are an option in the first place, they then have to be intrigued enough to spend the time it takes to learn more about them, evaluate different options, choose one they’re willing to start paying for, and then actually get in the habit of using the darn thing.

In other words, the path to password manager adoption is, as Hunt pointed out, lined with friction points. It’s very reasonable to expect some amount of drop-off at each of those points along the way.

The result? According to Thorsheim, "We will not see the majority of users adopt them."

But if password managers aren't the answer, what about Hunt's second suggestion: "Make random passwords"?

"People don't do random passwords, and they never will without a password manager," Thorsheim says.

Okay... so are we back to password managers? Not necessarily.

According to Thorsheim, password length trumps complexity in terms of strength, so using a sentence that's easy to remember can still be very strong. The only problem? "We just have to revert 20-30 years of password advice and training globally to get there," he says.

That call for a new approach to security training was also something that came up when I reached out to information security researcher Tracy Z. Maleeff (@InfoSecSherpa). For Maleeff, part of the problem is that, too often, we treat password management as purely a technological challenge, without acknowledging that we need to address user psychology, too.


"Stressing the importance of better passwords and explaining the risk we open ourselves up to by using weak passwords is one thing, but the real trick is raising awareness in an empowering way so users become emotionally invested in improving their security savvy."

Tracy Z. Maleeff, Principal at Sherpa Intelligence LLC

Maleeff explains that the “warm fuzzy feeling” that users get typing in their cat’s name as a password needs to be redirected so they get the same pride and satisfaction from using secure practices.

Of course, while working with users to change their security behaviors can make a lasting difference in your company's security posture, it's also a long-term play that requires a lot of planning and effort (see this post for what a realistic roadmap for behavioral change looks like). Make no mistake, investing that time and effort is critical to any long-term success, but what about adjustments that can help us make a difference now?

What about Hunt's third suggestion — enabling 2FA?

Two-factor authentication (2FA) is a method of confirming a user's claimed identity by requiring two different kinds of evidence: typically something the user knows (the password) plus something the user has (a phone or a hardware token). For example, you can set up 2FA on your Google account so that in addition to entering your password you also have to enter a one-time code that gets texted to your cell phone before you can log in. One caveat: codes sent by SMS are the weakest form, since they can be intercepted or redirected by hijacking the phone number, so where a service offers an authenticator app or a hardware key, prefer that.
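The "special code" most authenticator apps produce is a TOTP (RFC 6238) value: an HMAC over the current 30-second time slot, keyed with a secret shared between the app and the server at enrollment. The following is an added example of my own, not code from the post or from any of the services it mentions, implementing the generator, the server-side check with a small clock-drift window, and the otpauth:// URI that gets encoded into the enrollment QR code. The key below is the test key from the RFC's appendix, used only so the outputs can be checked against the published vectors; a real secret is random and per user.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits)


def verify_totp(secret, submitted, for_time=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step plus/minus `window` steps of
    clock drift and compares in constant time. A real server must also remember
    the last counter it accepted and refuse that counter a second time (replay)."""
    t = int(time.time()) if for_time is None else for_time
    counter = t // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + k, digits), submitted):
            return True
    return False


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI encoded in the QR code an authenticator app scans;
    the shared secret travels as unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(issuer) + ":" + quote(account, safe="@")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    # RFC 6238 appendix B test key; a real shared secret is random and per user.
    key = b"12345678901234567890"
    print(provisioning_uri(key, "user@example.com", "ExampleCorp"))
    print("code for T=59 (RFC vector 287082):", totp(key, for_time=59))
    print("code right now:", totp(key))
```

Note what this buys and what it doesn't: a password dumped from a breach is useless on its own once the server demands the code, but the server must keep the shared secret as carefully as a password hash (it cannot be hashed, since it has to be used) and must reject a code that has already been accepted, otherwise a phished code can be replayed within its window.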

According to Hunt, "Multi-step verification is probably the single easiest thing people can do that has the greatest impact on important accounts."

The downside? Not every service provider offers 2FA, and those who do may have very different ways of doing it. As Thorsheim points out, it can be a mess trying to configure it all. Those limitations make 2FA a "do it when you can" solution, at least for now.

Putting All Three Suggestions to Work


Password management is something we've been trying to improve on for years. There's obviously not one simple solution that's going to fix things overnight. That said, each of Hunt's three suggestions is a step in the right direction, and finding ways to implement them successfully is a challenge worth pursuing.

So let's review:

1) Encourage (and enable) your users to adopt a password manager

None of us enjoy creating new passwords, and as the lists of the most common LinkedIn and Myspace passwords show, we're not very good at creating strong passwords, anyway. As 1Password advocate Jessy Irwin points out, shifting that responsibility to a password manager makes a lot of sense.


"What many people don't realize is that password managers are the safest, easiest way to make the web a more secure and usable place for us all."

Jessy Irwin, Security Empress at 1Password

"One of the biggest reasons many people have a difficult time adopting a password manager is that they are afraid that it will take quite a long time to get used to using, or that it get hacked," Irwin explains. "While there is some risk involved in putting all of your passwords in one place, it is important to recognize that the best password managers are designed to be breach-resilient, and that in terms of architecture they are built to withstand a plethora of threats and common attacks."

As for the challenge of adopting something new, that's why it's important not to leave your users struggling on their own. Put together training sessions and resources. Push for your company to cover the subscription cost. Focus on finding ways to make the initial adoption period as pain-free as possible. Getting over that initial hump is the hardest part.

2) Teach users to use longer passwords

If adopting a password manager isn't an option, work on teaching your users how to create stronger passwords. Remember Thorsheim's advice: length trumps complexity, so try getting users to use sentences as passwords. One caveat: the sentence has to be their own. Famous quotes, song lyrics and similar phrases sit in the same cracking dictionaries as the common passwords above, so a long but well-known phrase buys very little.

Another tactic is a string of unrelated common words that looks random but is easy to remember if you form a mental image linking the words (a visualization mnemonic along the lines of the "memory palace" technique).

Here's the well-known example from xkcd (though it may be advisable to use more than four words, and the words should be drawn at random, for instance by rolling dice against a published word list, rather than chosen by the user, because human-chosen words are far more predictable):

[Image: xkcd, "Password Strength"]
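As an added example (my own code, not the post's or xkcd's), here is a small Diceware-style passphrase generator together with the entropy arithmetic behind the comic's claim. The 32-word list is constructed for the demo; the functions take the list size as a parameter so the numbers for a real 7776-word list (or xkcd's 2048-word assumption, which gives the comic's 44 bits for four words) come out correctly.

```python
import math
import secrets

# Constructed 32-word sample list. A real Diceware-style list has 7776 words;
# the entropy figures depend on the size of the list you actually use.
WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pillow",
    "quartz", "rocket", "saddle", "tunnel", "umpire", "velvet", "walnut", "yogurt",
    "zipper", "bridge", "copper", "desert", "falcon", "glacier", "harbor", "meadow",
]


def generate_passphrase(n_words, wordlist=WORDS, sep=" "):
    """Words are drawn by the CSPRNG (secrets), not chosen by the user, which is
    the only way the entropy estimate below actually holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n uniformly, independently chosen words: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches the target entropy from a given list."""
    return math.ceil(target_bits / math.log2(list_size))


def compare_with_random_chars(n_words, list_size, pw_len, charset_size):
    """Side by side: a random passphrase vs. a random character password."""
    return {
        "passphrase_bits": round(entropy_bits(list_size, n_words), 1),
        "random_chars_bits": round(pw_len * math.log2(charset_size), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(5))
    # Four words from a 7776-word list vs. eight random printable ASCII characters.
    print(compare_with_random_chars(n_words=4, list_size=7776, pw_len=8, charset_size=94))
    print("words for 80 bits from a 7776-word list:", words_needed(7776, 80))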

3) Show users how to enable 2FA (when available)

While not perfect, two-factor authentication adds another crucial layer of security that makes it much more difficult for attackers to impersonate you or your users with a stolen password. For example, showing users how to turn on 2FA for their LinkedIn accounts means that a password exposed in a past or future breach is no longer enough, by itself, to get into the account.


Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
