On Password Security
With the recent wave of websites and services that have been compromised, and the breaches that happened before that last wave, I'd like to take a look at password security on the Internet, and what we as users can learn from the breaches.
Probably the most important lesson to be learned from the hacks is that a password's strength does not really prevent it from being stolen. Even if you have selected the most secure password on the planet, it can still be stolen by hackers who manage to dump the password database. Most services do not save passwords in plain text anymore, but there are probably some out there that still do. If that is the case, your secure password is as secure as qwerty or password1.
To make matters more complicated, you usually do not know how your passwords and information are protected. While some services, especially those in the security sector, may reveal how your information is secured, the majority of services keep tight-lipped about it.
Since we do not know how services protect our data, it has become important to make sure that the impact of a successful hacking attempt is as low as possible.
- Make sure you use a strong password on every Internet service
- Make sure it is unique and not used on any other site
As I have mentioned earlier, a strong password does not prevent it from being stolen if hackers manage to dump the password database or other databases of a service that you have registered an account with. The passwords are usually encrypted though. It is however only a matter of time until passwords get decrypted. Attackers usually have lists of common passwords at their disposal that they try first, before they may switch to brute forcing. Brute forcing, on the other hand, is not really a feasible option, considering that the attacker would have to run all possible password combinations against all user accounts that the dictionary attack did not succeed in decrypting. If the allowed characters are upper and lower case letters and numbers, it would take a very long time to decrypt the passwords, especially if users have set strong passwords.
As long as you use a secure password, the chance that it will be decrypted is slim. It is not impossible, but the majority of hackers go after the easy prey instead, since a large portion of user passwords can be decrypted that way.
A strong password does not do you any good if it has been saved in plain text, or if someone else got hold of it in another way. That's why it is important to pick unique passwords as well. Even if a password is compromised, that password will only grant access to one website or service, and not dozens or hundreds of services or websites.
It also reduces the time it takes to react when a site reports that user data has been compromised. Instead of having to change passwords on dozens of sites, you only need to change it on one. It goes without saying that each unique password needs to be as strong as possible as well.
Too many passwords to remember
If your memory is really good, you may be able to remember all of your secure passwords. If it is not, and that is usually the case, you may need some aid in the form of a program or method that you can use.
Password managers come to mind. Instead of having to remember dozens of strong passwords, you only need to remember the one that protects the password manager's database. Programs that you can use in this regard are LastPass or KeePass, which both offer more than just keeping your passwords secure and available on demand. Both let you create strong passwords which you can then make use of and save in the password manager.
You can also use your browser's password manager if you prefer that, but remember that it needs to be protected with a master password, especially in a multi-user environment.
Site got hacked, what now
If a website that you have a user account at has been hacked, you need to react as quickly as possible to resolve the situation. If you can't do that right now, I'd still recommend requesting a password reset to invalidate the old password right away. For that, you need access to the email address associated with the account. Once you have done that, the hacker can't access the account anymore even if the password gets decrypted. You can then change the account password later on. This is especially useful if you are using a password manager but do not have access to it at that time, for instance because you are at work.
You also may want to monitor your email address and the site's news section or blog for further announcements. The announcement may offer additional information and provide recommendations on how to react to the breach.
With sites and services moving into the cloud, security has by and large been taken out of the user's hands, at least when it comes to password security. Users still need to follow the guidelines outlined above, but once they do, they really can't do anything else to improve the security of their account.
It is up to the companies and services to step up and make sure that their users are protected from attacks, for instance by not saving passwords in plain text, or by salting passwords. Companies furthermore need to actively monitor their networks, and have emergency plans in place that allow them to react quickly if a breach is discovered.
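What "not saving passwords in plain text, or salting passwords" looks like on the service side, as an added example that is not from the original post: each record gets its own random salt, so two users with the same password produce different records and a precomputed list of common-password hashes cannot be matched against the whole database at once, and a slow key derivation makes every guess from such a list cost many hash computations. The algorithm, iteration count, record format and function names are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not taken from the post): PBKDF2-HMAC-SHA256 with a
# 16-byte random per-user salt and 600,000 iterations as the work factor.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'alg$iterations$salt$digest'.

    The salt is random per record, so two users with the same password get
    different records and a precomputed hash list cannot match them in bulk.
    The iteration count makes every guess cost about ITERATIONS hash computations.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        alg, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never a match
    if alg != ALGORITHM or not iters.isdigit():
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than now required."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations
```

A service calls `needs_rehash` at login and re-stores the password with the current work factor, so old records are upgraded without forcing a reset.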
The best course of action is to reset user account passwords in this case to protect the accounts the moment the breach has been noticed.