Friday, 21 February 2014
Has your Website Account been Hacked?
The relentless stream of data breaches at big businesses continues, with the likes of Vodafone, Tesco, Sony, Adobe and Yahoo all losing their customers' personal data en masse due to inadequate security. How do you know if your username, email address and password have fallen into the hands of a cyber criminal as a result of one of these breaches?
There is one website that seeks to provide some assurance on that question. https://haveibeenpwned.com appears to have acquired the stolen data from the Internet's criminal underworld and allows anyone to freely search it for their own username or email address; the website returns a response stating whether or not the account is known to have been compromised, namely whether it is listed within one of the stolen databases. The website says it has over 161 million stolen accounts available to search, all compiled from several of the high-profile data thefts.
Although the hacked businesses are responsible for the poor security that led to these data thefts, we as website users must recognise that we have a security responsibility to protect ourselves as well, and must be much more savvy in creating and managing our website passwords. Website users should be creating long, complex, randomly formed passwords, including special characters such as !,",£,$,%,^. In addition, users should adhere to a policy of using a unique password on every different website, so that if one account is compromised, multiple website accounts are not compromised along with it. This is not as impossible as it might seem: a password vault solution such as LastPass can help generate and manage unique, highly complex random passwords for each website, so the user does not have to remember, or even think up, new complex passwords.
The password problem is nothing new; I posted advice back in January 2009. However, the message is still not getting through to many website users, as evidenced by reviewing the most common passwords found in the Adobe breach's stolen data.
Top 20 Passwords from Adobe Data Breach
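To make the advice above concrete (long random passwords with special characters, one unique password per site, and screening against passwords already seen in breach data), here is an added example that is not part of the original post and not the code of LastPass or haveibeenpwned.com. It uses Python's CSPRNG-backed `secrets` module to generate passwords, estimates their entropy, keeps a minimal per-site vault that never reuses a password, and checks candidate passwords against a small constructed list of commonly breached passwords held as SHA-1 hashes (the list is illustrative and is not the Adobe top-20 shown above).

```python
import hashlib
import math
import secrets
import string

# Character classes per the article's advice: letters, digits and special
# characters (the article lists ! " £ $ % ^ among others).
SPECIALS = '!"£$%^&*()-_=+[]{};:,.<>?/'
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def generate_password(length: int = 20) -> str:
    """Return a password drawn uniformly from ALPHABET using the OS CSPRNG.

    A minimum length is enforced, and the result is required to contain at
    least one character from each class so a run of bad luck cannot produce
    an all-lowercase or all-digit password.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


# CONSTRUCTED sample of commonly breached passwords (not the Adobe data).
# A breach-list service would hold hashes rather than the plaintexts.
_SAMPLE_BREACHED = ["123456", "password", "qwerty", "letmein", "111111"]
BREACHED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BREACHED}


def is_known_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the (constructed) breach list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_HASHES


class Vault:
    """Minimal per-site password vault: one unique, generated password per site."""

    def __init__(self, length: int = 20):
        self._length = length
        self._store: dict[str, str] = {}

    def password_for(self, site: str) -> str:
        """Return the stored password for a site, generating a fresh one on first use."""
        if site not in self._store:
            pw = generate_password(self._length)
            # Regenerate if the candidate is already in the breach list.
            while is_known_breached(pw):
                pw = generate_password(self._length)
            self._store[site] = pw
        return self._store[site]

    def reuse_count(self) -> int:
        """Number of sites sharing a password with another site (should be 0)."""
        return len(self._store) - len(set(self._store.values()))


if __name__ == "__main__":
    vault = Vault()
    for site in ("example.com", "example.org"):  # constructed site names
        print(site, vault.password_for(site))
    print(f"entropy of a 20-char password: {entropy_bits(20):.1f} bits")
    print("reused passwords:", vault.reuse_count())
    print("'password' known breached:", is_known_breached("password"))
```

With a 20-character password over this 88-character alphabet the entropy is roughly 129 bits, far beyond anything an offline guessing attack against a leaked hash could exhaust, whereas the entries in the constructed breach list would be tried within the first few guesses. The vault's `reuse_count` check is the property the article asks for: a compromise of one site's database cannot be replayed against another.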
I think business and the security industry need to do much more to tackle the password problem as well. Providing two-factor authentication certainly gives the user a high level of protection: even if the bad guys have the username and password, they still can't access the account without possessing the user's hardware token or mobile phone, which are typically used as second factors to authenticate the user along with the username and password. The likes of Google and Twitter offer two-factor authentication, but these are almost provided as hidden options for their users. I have previously posted about the excellent Google two-factor authentication; read it if you wish to know more about it. I certainly recommend enabling it if you are a Gmail user.
As for the security industry, for years various vendors have been beavering away on potential password replacement solutions, and certainly more noise is being made about password solutions at the moment. However, nearly every solution proposed involves trusting a third party to oversee it; even using LastPass requires trust in a third party. I think trust, especially post-Snowden, will be a major barrier to seeing the password problem truly solved.