Protecting passwords from hackers

Q&A with IT security expert Mark Knight

Earlier this month, the email addresses and passwords of more than 400,000 Yahoo users were compromised as the result of a security breach. According to several tech news websites, a group of hackers who call themselves the “D33D Company” claimed responsibility for the attack and said that they hoped the breach would serve as a “wake up call” for those in charge of security at the company.

Yahoo isn’t the only company that has been targeted by hackers in recent months. In June, the passwords of more than 6.5 million LinkedIn users were reportedly compromised following a breach and just last week, U.S. semiconductor manufacturer Nvidia announced that up to 400,000 of its forum users may have had their encrypted passwords stolen.

Though the number of network breaches at organizations around the globe seems to be never ending, there are things that companies can do to better protect the online information of their users. Mark Knight, director of product management at data protection solutions provider Thales e-Security, recently spoke with SIW about best practices for safeguarding passwords.

SIW: With all of the password breaches we’ve seen recently, what is it going to take before we see better password protection measures by companies?

Knight: I think the techniques are available today. If you look at the environment being hacked today, we’re seeing mostly social media companies being attacked and if you think about some of the services we’ve been using online for over a decade, things like online banking, those systems have proven to be secure over that period of time. It’s quite rare to read about a major banking security breach, so I think it’s fair to say the technology exists and the expertise exists, but it’s currently being used in areas like financial services and I think the change the industry has got really now is to apply those techniques to other industries, particularly social media but anyone that’s hosting any sort of online service these days. Whether it’s government, whether it’s private, whether it’s retail or whether it’s social media, I think the challenge has been that the economic imperatives for a lot of these organizations have been to get subscriber numbers to find a way to monetize their customer bases. Perhaps it’s evident that some of these companies that really started as start-ups and that now have grown much, much bigger than they even anticipated in the early days, really security wasn’t at the forefront when they architected their solutions. I guess, ultimately, it’s a change of mindset for these companies to recognize that their reputation is at risk and maybe there is a legislative element that legislation will come along and impose regulations on some of these organizations if they don’t put a stop to these breaches.

SIW: Who holds the most blame for these password breaches? Are the online service providers at fault for not having better security measures in place or do you also put some of the onus on users for creating passwords that could be easily deciphered?

Knight: I don’t think the users are really in a position to know how their information is going to be protected. At the end of the day, as a user of an online service, you aren’t in a position, you don’t have the expertise and you don’t have the information to make a determination of whether you’re secure, so you have to rely on brand and of course that’s why ultimately brand reputation is at risk. Obviously, for start-ups, they don’t always have a brand, but some of these more established companies, such as Yahoo, have acquired other businesses and you may trust the Yahoo brand. You don’t necessarily understand all of the other businesses they may have acquired and some of the technologies they may have inherited that may not be as secure as things developed in-house. I think as a consumer you’re not in a strong position and frankly, it’s very difficult for any consumer to use a different passphrase for every service they use. Obviously, the best practice is that you don’t keep using and repeating the same passphrase, but I can only imagine that would be a small number of people that never break that rule. I guess, at the end of the day, a lot of these services have been built by organizations that were looking to grow as quickly as they could with a focus on functionality over security and I suspect those were compromises that were perhaps made potentially years ago and the environment is made up in many cases of legacy code, which just hasn’t been updated to take into account the current threat profile that the whole industry is facing.
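Knight says the techniques exist today and that the breaches come from legacy code never updated for the current threat profile. The following is an added example, written for this page and not code from Mark Knight, Thales e-Security or any of the companies named above, that puts the two sides of that claim next to each other: a "legacy" store that keeps an unsalted single-round SHA-1 of each password, which falls to one precomputed table across the whole dump, and a hardened store using a per-user random salt and PBKDF2-HMAC-SHA256 with a constant-time comparison on verification. The sample dump and wordlist are constructed for the example; whether any company named on the page stored passwords in the legacy form is not something this page states. The iteration count of 600,000 is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256 and is an assumption of the example, not a value from the interview.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the example; a real attacker would use millions of
# entries, but the mechanism is identical.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome"]


def legacy_hash(password: str) -> str:
    """Unsalted, single-round SHA-1: the 'legacy code' style of storage.

    Every user who picked the same password gets the same stored value, and
    nothing slows a guess down beyond one cheap hash computation.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_legacy(dump, wordlist):
    """Hash each candidate once and match it against every leaked record.

    Because there is no per-user salt, one table of len(wordlist) hashes
    cracks the entire dump in a single pass. Returns {leaked_hash: password}.
    """
    table = {legacy_hash(word): word for word in wordlist}
    return {h: table[h] for h in dump if h in table}


# Assumption for this example: OWASP's current recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened storage: 16-byte random salt per record plus a slow KDF.

    The record is self-describing (algorithm, iteration count, salt, digest)
    so the iteration count can be raised later without a flag day: old
    records keep verifying and get rewritten at the user's next login.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the KDF with the record's own salt and iteration count.

    hmac.compare_digest keeps the comparison constant-time so a remote caller
    cannot learn how many leading bytes matched from the response latency.
    Records in any other format (for example an old unsalted hash) are refused
    rather than silently accepted.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Two users with the same password must not produce the same stored record."""
    return store_password(password, iterations) != store_password(password, iterations)


if __name__ == "__main__":
    # Constructed "leaked" dump: three users, two of whom chose wordlist passwords.
    dump = [legacy_hash("password"), legacy_hash("letmein"), legacy_hash("Tr0ub4dor&3")]
    cracked = crack_legacy(dump, WORDLIST)
    print(f"legacy dump: {len(cracked)} of {len(dump)} records cracked with one table")

    record = store_password("correct horse battery staple")
    print("hardened record:", record)
    print("verify correct:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:  ", verify_password(record, "password"))
    print("same password, different records:", same_password_distinct_records("password"))
```

The lesson a practitioner should take from running it is the asymmetry: the attacker's cost against the legacy store is one hash per wordlist entry for the whole dump, while against the hardened store it is 600,000 HMAC computations per guess per user, and the salt means the work cannot be shared between users.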
