F5 Networks’ Michael Brown on why we need to make stolen credentials worthless to cybercriminals.
This week’s news that over 400 million accounts were compromised in the AdultFriendFinder hack is another example that hackers continue to have the upper hand. If we are to beat them, we need to learn how to take responsibility for protecting ourselves and being cautious about which companies we do business with. Data is valuable to both organisations and consumers. Unfortunately, the same is true for cybercriminals. If they can get their hands on it, there’s often no telling what damage they can do. To combat this problem, we need to make stolen credentials worthless to cybercriminals.
Are your credentials encrypted?
So, what happens when the bad guys acquire your credentials? You might think that your passwords are hashed or encrypted and therefore protected. Did you know that the SHA1 algorithm was used in the 2012 LinkedIn data set, and is now considered a broken hash that should not be used? Not only this, the passwords were hashed without first being “salted” (i.e. adding random data to each password before hashing, so that two users with the same password do not end up with the same stored hash).
A password recovery service organisation took this opportunity to test their offering and could crack more than 80% of the passwords. More than 1.1 million people chose the password “123456” and nearly 190,000 people chose “password”. If people are doing the same for LinkedIn, there is a good chance they are adopting the same password on more sensitive sites, such as bank accounts, which is much more valuable to cybercriminals.
The AdultFriendFinder hack reveals an even more egregious disregard for proper security of the passwords in that more than a third of all the passwords were stored in plain text. Those that were hashed, as in the aforementioned LinkedIn data set, used SHA1 and were not “salted”. By no stretch of the imagination are members exonerated here. Over 2.5m of the AdultFriendFinder users used a form of “123456789” (in sequence) as their password. And yet again, the most obvious password of all – “password” – was used a whopping 101,000 times.
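The two storage schemes contrasted in the paragraphs above, as an added example that is not from the original article: a plain unsalted SHA1 store of the kind described for the LinkedIn and AdultFriendFinder data, next to a per-user salted store built on PBKDF2-HMAC-SHA256 from Python's standard `hashlib`. The account list, the passwords and the short "known weak passwords" list are constructed for the example; the iteration count is illustrative and should be tuned upward in a real deployment.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which chose the same weak
# password, plus a tiny list of passwords a site should refuse at registration.
SAMPLE_ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "Tr0ub4dor&3!x9"}
KNOWN_WEAK = ["password", "123456", "123456789", "qwerty"]

# Illustrative work factor (assumption); production deployments use more.
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The scheme the article criticises: one fast, unsalted SHA1 per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(accounts: dict) -> dict:
    """Simulate a breached table of user -> unsalted SHA1 hex digest."""
    return {user: unsalted_sha1(pw) for user, pw in accounts.items()}


def store_salted(accounts: dict) -> dict:
    """Per-user random 16-byte salt plus a slow key derivation (PBKDF2-HMAC-SHA256)."""
    out = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        out[user] = (salt, digest)
    return out


def verify_salted(password: str, record: tuple) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def accounts_sharing_a_hash(unsalted_store: dict) -> int:
    """Without salt, identical passwords give identical hashes, so duplicates are visible."""
    return len(unsalted_store) - len(set(unsalted_store.values()))


def unsalted_hits_against_weak_list(unsalted_store: dict, weak: list) -> dict:
    """Audit of an unsalted store: one SHA1 per weak password flags every account using it."""
    table = {unsalted_sha1(pw): pw for pw in weak}
    return {user: table[h] for user, h in unsalted_store.items() if h in table}


def salted_hits_against_weak_list(salted_store: dict, weak: list) -> dict:
    """Same audit on the salted store: no shared table is possible, so each account
    costs up to len(weak) full PBKDF2 derivations. The weak passwords are still
    found, which is why a registration-time blocklist is needed as well."""
    hits = {}
    for user, record in salted_store.items():
        for pw in weak:
            if verify_salted(pw, record):
                hits[user] = pw
                break
    return hits


if __name__ == "__main__":
    breached = store_unsalted(SAMPLE_ACCOUNTS)
    print("accounts sharing a hash (unsalted):", accounts_sharing_a_hash(breached))
    print("weak-list hits (unsalted):", unsalted_hits_against_weak_list(breached, KNOWN_WEAK))
    protected = store_salted(SAMPLE_ACCOUNTS)
    print("weak-list hits (salted):", salted_hits_against_weak_list(protected, KNOWN_WEAK))
```

The salted store removes the shared precomputation that makes an unsalted table cheap to check in bulk, and the slow derivation raises the cost of every guess; it does not turn "123456" into a strong password, so the blocklist check at registration is the complementary control.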
How to protect your passwords
Most sites today require a combination of capital letters, numbers and occasionally symbols to make passwords stronger. However, there are common patterns that most of us tend to use, like starting with a capital letter and ending with a couple of numbers. If a special character is required, we typically place it on the end. The bad guys know this. Using machines equipped with today’s off-the-shelf processing power, even these seemingly complicated passwords are cracked in relatively short time. So, what is the solution?
Organisations need to do much more than just bolster their security with a firewall. In fact, our recent research showed that as many as 61% of UK consumers believe that businesses are not doing enough to protect themselves and their customers against cybercriminals, with better investment seen by respondents as the best remedy. However, users must take some of the responsibility themselves. Worryingly, our research also showed that 8% of UK consumers haven’t changed their passwords after an organisation they have an account with was hacked. Victims of the AdultFriendFinder hack should do this immediately, while also ensuring other online accounts do not use the same password.
Cybercrime rings hire armies of people with the purpose of trying to hack into the sites that are essential to our daily lives. As users, we need to be more innovative with our password selections. Not using a password manager is the equivalent of leaving your credentials unprotected.
A password management tool can automatically generate passcodes and allows one to select the level of complexity, pattern type and length. Moreover, users do not have to remember the passcodes at all. The caveat to this approach, of course, is that the password used for the management tool must be very complex in order to protect this account. The advantage is that the password to the management tool is the only one you need to remember.
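What a password manager's generator does, and how a site can flag the predictable shape described under "How to protect your passwords", as an added example that is not from the article or from any particular password manager. The generator draws from Python's `secrets` module (a cryptographic random source) and reports the password's entropy in bits; the pattern check encodes the article's own description (capital first, a couple of digits, symbol at the end) as a regular expression. The alphabet, default length and sample passwords are assumptions for the example.

```python
import math
import re
import secrets
import string

# Assumed generator alphabet: 94 printable ASCII characters excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# The shape the article describes: capital letter, lowercase run, a few
# digits, then an optional symbol on the end.
COMMON_PATTERN = re.compile(r"^[A-Z][a-z]+[0-9]{1,4}[^A-Za-z0-9\s]?$")


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password of the given length from the alphabet."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


def follows_common_pattern(password: str) -> bool:
    """True when the password matches the predictable human-chosen shape above."""
    return COMMON_PATTERN.match(password) is not None


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    for sample in ["Summer23!", "Password1", pw]:  # constructed samples
        print(sample, "common pattern" if follows_common_pattern(sample) else "ok")
```

A 20-character password from this alphabet carries roughly 131 bits of entropy, which is why the manager's own master password and the generated passcodes are the only things worth remembering and storing respectively; the pattern check is the kind of rule a registration form can apply before accepting a user-chosen password.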
Being accountable for your data
There is no doubt that your personal data is valuable. Cybercriminals are determined to access this information to reap the financial rewards. By adopting best practice and investing in personal security, your credentials will remain encrypted. So, if a hack does take place, you can automatically devalue the stolen data for the hacker. Don’t ignore the dangers of the Dark Web – cybersecurity is everyone’s responsibility and this week’s news is further evidence that we must respond to threats in the market. Stay safe.