First LinkedIn, then Tumblr, and now Myspace. Over the past two weeks each of these companies was on the receiving end of a harsh reminder that the past is never dead, it's not even past (words worth remembering in these days of the "historical mega breach").
Screen shots of the listings offering the stolen LinkedIn, Tumblr, and Myspace data for sale on the Dark Web marketplace, The Real Deal (via Troy Hunt).
In addition to being sold by the same hacker, the other thing tying all this data together is that it's associated with data breaches that are actually years old.
The fact that the data associated with these breaches is only surfacing now raises quite a few interesting questions, and others are already busy tackling them elsewhere.
As for this post, I'd like to focus on one specific question that, for many IT pros and their companies, might be more immediate: Is there anything we can learn from these breaches that can help us improve our security now?
Well, as it just so happens, there is one thing...
As startling as the full scope of these data breaches is, one thing that unfortunately isn't too shocking is the revelation that a sizable portion of the passwords exposed were comically bad.
Here is a list of the 20 most common LinkedIn passwords allegedly included in the breach, according to LeakedSource:
Man, are these bad. I mean really bad. This is the kind of thing that induces a collective head smack across IT departments everywhere.
Myspace users unfortunately didn't fare any better:
To be fair, users aren't the only ones guilty of slack security practices here. In both LinkedIn's and Myspace's cases, the passwords were originally stored as hashes produced by the SHA1 algorithm (a fast hash known to be weak for this purpose) with no "salt" added (random data mixed into each password before hashing, which forces an attacker to work on every account separately instead of cracking all of them at once). As a result, the majority have been cracked fairly quickly.
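To make the unsalted-SHA1 point concrete, here is an added example (not code from the article or from any of the companies mentioned) contrasting the weak storage scheme with a salted, deliberately slow one; the usernames and passwords are constructed sample data, and the iteration count is an illustrative assumption.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users happened to pick the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse battery staple"}


def store_unsalted_sha1(password: str) -> str:
    """The weak scheme the article describes: one fast SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Hardened form: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Iteration count is an assumption for the demo; tune it to your hardware."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_against_common_list(user_digests: dict, common_passwords: list) -> dict:
    """Defender-side check: which accounts' unsalted digests appear in a precomputed
    table of common passwords? With no salt, one table covers every account at once."""
    table = {store_unsalted_sha1(p): p for p in common_passwords}
    return {user: table[d] for user, d in user_digests.items() if d in table}


if __name__ == "__main__":
    weak = {u: store_unsalted_sha1(p) for u, p in USERS.items()}
    print("identical unsalted digests for alice/bob:", weak["alice"] == weak["bob"])
    print("recovered from a 2-entry common list:", audit_against_common_list(weak, ["123456", "password"]))
    strong = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    print("salted records differ for the same password:", strong["alice"] != strong["bob"])
    print("verification works:", verify_salted_pbkdf2("123456", strong["alice"]))
```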
That said, the poor quality of the passwords in the lists above is further indication that, despite all the increased emphasis on adopting better security habits, the majority of us are still just stupendously bad at creating and using strong passwords.
That's a big problem, because no matter how strong your security is, if your users have passwords like these they're essentially giving away a key to the kingdom.
In the midst of all the media coverage surrounding these breaches, security researcher Troy Hunt picked up on this, too, and he decided to share some advice:
While LinkedIn has us thinking about passwords, do this:
1. Get a password manager like @1Password
2. Make random passwords
3. Enable 2FA
— Troy Hunt (@troyhunt) May 24, 2016
Looking for an answer, I reached out to Hunt and asked if he would mind sharing some insight into a) what makes these three things so difficult, and b) what the easiest thing we can actually do is if we want to start making measurable progress now.
Hunt is a good guy. Despite the fact that he’s incredibly busy analyzing and breaking news around all these breaches, not to mention managing his victim-informing website Have I Been Pwned?, he got back to me quickly.
Troy Hunt, security researcher and creator of Have I Been Pwned?
Fair point. I only recently signed up for a password manager. While I wouldn't go so far as to describe myself as a technical person, I'm also no slouch, and I still had a tough time getting the hang of actually using it.
Looking to get another take on password managers and to find out why they haven't solved our password woes by now, I turned to Per Thorsheim, founder of PasswordsCon.org and CEO of GodPraksis.no, who painted an even clearer picture of the problem:
Per Thorsheim, founder of PasswordsCon.org
That certainly does sound like an uphill battle. Not only do people need to become aware that password managers are an option in the first place, they then have to be intrigued enough to spend the time it takes to learn more about them, evaluate different options, choose one they’re willing to start paying for, and then actually get in the habit of using the darn thing.
In other words, the path to password manager adoption is, as Hunt pointed out, lined with friction points. It’s very reasonable to expect some amount of drop-off at each of those points along the way.
The result? According to Thorsheim, "We will not see the majority of users adopt them."
"People don't do random passwords, and they never will without a password manager," Thorsheim says.
Okay... so are we back to password managers? Not necessarily.
According to Thorsheim, password length trumps complexity in terms of strength, so using a sentence that's easy to remember can still be very strong. The only problem? "We just have to revert 20-30 years of password advice and training globally to get there," he says.
That call for a new approach to security training was also something that came up when I reached out to information security researcher Tracy Z. Maleeff (@InfoSecSherpa). For Maleeff, part of the problem is that, too often, we treat password management as purely a technological challenge, without acknowledging that we need to address user psychology, too.
Tracy Z. Maleeff, Principal at Sherpa Intelligence LLC
Maleeff explains that the “warm fuzzy feeling” that users get typing in their cat’s name as a password needs to be redirected so they get the same pride and satisfaction from using secure practices.
Of course, while working with users to change their security behaviors can make a lasting difference in improving your company's security posture, it's also a long-term play that requires a lot of planning and effort (see this post to find out what a realistic roadmap for behavioral change looks like). Make no mistake, investing that time and effort is critical to any long-term success, but what about adjustments that can help us make a difference now?
Two-factor authentication (2FA) is a method of confirming a user's claimed identity by requiring two different components. For example, you can set up 2FA on your Google account so that, in addition to entering your password, you also have to enter a one-time code that gets texted to your cell phone before you can log in.
According to Hunt, "Multi-step verification is probably the single easiest thing people can do that has the greatest impact on important accounts."
The downside? Not every service provider offers 2FA, and those who do may have very different ways of doing it. As Thorsheim points out, it can be a mess trying to configure it all. Those limitations make 2FA a "do it when you can" solution, at least for now.
Password management is something we've been trying to improve on for years. There's obviously not one simple solution that's going to fix things overnight. That said, each of Hunt's three suggestions is a step in the right direction, and finding ways to implement them successfully is a challenge worth pursuing.
So let's review:
None of us enjoy creating new passwords, and as the lists of the most common LinkedIn and Myspace passwords show, we're not very good at creating strong passwords, anyway. As 1Password advocate Jessy Irwin points out, shifting that responsibility to a password manager makes a lot of sense.
Jessy Irwin, Security Empress at 1Password
"One of the biggest reasons many people have a difficult time adopting a password manager is that they are afraid that it will take quite a long time to get used to using, or that it will get hacked," Irwin explains. "While there is some risk involved in putting all of your passwords in one place, it is important to recognize that the best password managers are designed to be breach-resilient, and that in terms of architecture they are built to withstand a plethora of threats and common attacks."
As for the challenge of adopting something new, that's why it's important not to leave your users struggling on their own. Put together training sessions and resources. Push for your company to cover the subscription cost. Focus on finding ways to make the initial adoption period as pain-free as possible. Getting over that initial hump is the hardest part.
If adopting a password manager isn't an option, work on teaching your users how to create stronger passwords. Remember Thorsheim's advice: length trumps complexity when it comes to passwords, so try getting users to utilize sentences in their passwords.
Another tactic is to use a string of common words that appear random, but you can remember by forming an image that illustrates the words in your mind (a mnemonic device called the "memory palace" technique).
Here's a good example from xkcd (though it may be advisable to use more than four words):
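To put numbers behind "length trumps complexity" and the xkcd passphrase idea, here is an added example (not from the article or from xkcd) that generates a passphrase from a word list with a cryptographic random source and works out the entropy of a passphrase versus a random character password; the short word list and the 1,000-guesses-per-second rate are constructed assumptions for the demo, and a real diceware-style list has a few thousand words.

```python
import math
import secrets

# Constructed sample word list; any public list works, because the words themselves
# are not the secret; the random selection is.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "lamp", "planet", "orange"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a uniformly random string: symbols * log2(choices per symbol).
    Only valid when every symbol is chosen at random, not by a human."""
    return symbols * math.log2(choices_per_symbol)


def random_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly with the CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(passphrase_words: int, list_size: int, password_len: int, alphabet: int = 95):
    """Return (passphrase bits, random-character password bits) side by side;
    95 is the number of printable ASCII characters."""
    return entropy_bits(list_size, passphrase_words), entropy_bits(alphabet, password_len)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate (an assumed rate)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
    phrase_bits, pw_bits = compare(4, 2048, 8)
    print(f"4 words from 2048: {phrase_bits:.1f} bits; 8 random chars: {pw_bits:.1f} bits")
    print(f"6 words from 2048: {entropy_bits(2048, 6):.1f} bits")
    print(f"years to exhaust 44 bits at 1000 guesses/s: {years_to_exhaust(44, 1000):.0f}")
```

Note that the arithmetic only holds for passwords chosen at random, which is exactly why the article's top-20 lists fall so quickly: a human-chosen "P@ssw0rd" has nothing like 8 characters' worth of random choice in it.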
While not perfect, two-factor authentication does provide another crucial layer of security that makes it much more difficult for hackers to pretend to be you or your users. For example, showing users how to turn on 2FA for their LinkedIn accounts can help protect them from past and new data breaches.