16 Billion Passwords Leaked! Is This The End? (1 of 4)

Password example

This post is the first in a series of four about the current role of passwords in cybersecurity. Specifically, we will explore how the changing threat environment moves the password from the primary means of confirming identity to a supporting role.

While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series also touches on the user experience: we are all users, and that shared experience helps in describing how cybersecurity should be deployed inside your organization.

The second post in this series is here. The third post is here. The fourth post is here.

Recent news articles, like this one, have described a database of 16 billion (with a “B”!) passwords stolen from major online companies like Apple, Google, and Meta (Facebook). This sounds like a major hack, and like the end of passwords as a security mechanism. On closer analysis, the news is both better and worse than that. Let’s look at why, and at what we should do - as individuals, and as professionals with security responsibility.

So why isn’t this news as bad as it sounds? While the database of passwords is a bad thing, it’s not the result of some new super-hack attack on the biggest companies online. Instead, it’s a collection of passwords from a series of older attacks. We don’t have a new danger to worry about, or new patches to apply: instead, this is the world we’re already living in. These passwords had already been leaked or stolen, and what really happened (dramatic headlines notwithstanding) is that somebody collected them together. That’s the good news, or at least the less-bad news.

Does that mean that typical username/password logins provide adequate security? No. This is yet another example, yet another proof, that they don’t. In fact, the end of passwords as a security mechanism would be a good thing - if we had a widespread, convenient, more secure alternative. We don’t, entirely, so passwords seem likely to be around for a long time.

So what should we do about it? We should follow the basic online security rules. These rules aren’t new, but this seems like a good time to review them, and to tighten up our own practice where we fall short. They are:

  1. Never re-use your passwords between different accounts
  2. Rotate your important passwords
  3. Turn on Multi-Factor Authentication everywhere you can
  4. Use good-enough passwords, but put more energy into the steps above than this one
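
The first, third-from-last and last of these rules can be checked mechanically over a password vault. The script below is an added example, not code from the original post or from Pythia Cyber: it flags passwords that are reused across accounts, passwords that appear in a leaked-password corpus, and passwords shorter than a chosen minimum. The corpus lookup uses the SHA-1 prefix scheme of the Have I Been Pwned "Pwned Passwords" range API (only the first five hex characters of the hash are sent; suffixes are compared locally), but it runs fully offline here against a small constructed corpus; the site names, the corpus entries and the sample vault are all made up for the example.

```python
"""Password-hygiene audit over a set of accounts (added example, not from the post).

Checks implied by the rules above:
  1. reuse:    the same password on more than one account
  2. exposure: the password appears in a leaked-password corpus
  3. length:   the password is shorter than a chosen minimum

The exposure check mirrors the k-anonymity range lookup of HIBP's Pwned
Passwords API (SHA-1, 5-hex-character prefix), so a full hash never has
to leave the client. Here the "API" is a local index over a constructed corpus.
"""
import hashlib
from collections import defaultdict

# Constructed leaked-password corpus: a stand-in for a real breach dump or
# the HIBP range API. These entries are invented for the example.
LEAKED_PASSWORDS = ["password123", "qwerty", "letmein", "Summer2024!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as HIBP uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Map each 5-char SHA-1 prefix to the set of 35-char suffixes sharing it.

    This plays the role of the server side of a range lookup.
    """
    index = defaultdict(set)
    for pw in leaked:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def is_leaked(password: str, index) -> bool:
    """k-anonymity lookup: query by prefix only, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    candidates = index.get(prefix, set())  # what a range API would return
    return suffix in candidates


def find_reuse(accounts):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def audit(accounts, leaked=LEAKED_PASSWORDS, min_length=12):
    """Return {site: [issues]} for every account with at least one finding.

    Issues are reported in the order: reused, leaked, short.
    """
    index = build_range_index(leaked)
    reused = find_reuse(accounts)
    findings = {}
    for site, pw in accounts.items():
        issues = []
        if pw in reused:
            issues.append("reused")
        if is_leaked(pw, index):
            issues.append("leaked")
        if len(pw) < min_length:
            issues.append("short")
        if issues:
            findings[site] = issues
    return findings


if __name__ == "__main__":
    # Constructed sample vault (hypothetical site names).
    sample_vault = {
        "bank.example": "Summer2024!",
        "mail.example": "Summer2024!",
        "shop.example": "qwerty",
        "forum.example": "correct horse battery staple",
    }
    for site, issues in sorted(audit(sample_vault).items()):
        print(f"{site}: {', '.join(issues)}")
```

Run as-is, the script reports the two accounts sharing "Summer2024!" as reused, leaked and short, the "qwerty" account as leaked and short, and says nothing about the long unique passphrase. Note that a reused password is a finding even when it is otherwise strong: once it is in a collection like the one in the news, every account using it is exposed, which is why rule 1 sits above rule 4.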

We’ll look into why these recommendations improve your online security in future posts, beginning with Passwords Alone Cannot Save You.
