The disclosure of more than 360 million MySpace credentials to LeakedSource is thought to be the largest breach of its kind.
LeakedSource claims to have accumulated more than 1.6 billion records "by scouring the internet and dark web for data." That includes the 167 million LinkedIn credentials taken in a 2012 hacking incident that recently came to light.
These disclosures suggest that many users and organisations are still not following good practices regarding passwords.
The LinkedIn disclosure is clearly historical, and while there was no indication of how recently the MySpace data was obtained, it seems plausible that the problem persists elsewhere.
Who’s to blame?
On one hand, it is easy to point the finger at IT and security professionals.
If passwords are properly protected (that is, salted and hashed with a trustworthy password-hashing algorithm), the likelihood of anyone recovering the original passwords is greatly reduced.
And the more carefully systems are configured and kept up to date with security patches, and the more closely privileged-account activity is monitored, the less likely it is that an intruder could gain access and then exfiltrate the data.
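The difference between "protected" and unprotected password storage, as an added example that is not part of the original article. The user list is constructed, and the PBKDF2-HMAC-SHA256 work factor is an assumed value; the point is that unsalted hashes make identical passwords visible as identical digests without any cracking, whereas per-user salts plus a slow KDF leave nothing to cluster and force every user to be attacked separately.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample users. Three share "password1", mirroring the
# duplicate-heavy lists the article describes (password1, qwerty1, abc123).
SAMPLE_USERS = [
    ("alice", "password1"),
    ("bob", "password1"),
    ("carol", "qwerty1"),
    ("dave", "password1"),
    ("erin", "abc123"),
]

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to the server's budget.
ITERATIONS = 600_000

def weak_hash(password: str) -> str:
    """Unsalted SHA-1: every user with the same password gets the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus a deliberately slow KDF, stored as one string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def largest_duplicate_group(stored_values) -> int:
    """Size of the biggest cluster of identical stored values. Unsalted hashes
    expose password reuse across the user base; salted ones give all 1s."""
    return max(Counter(stored_values).values())

def weak_table() -> dict:
    return {user: weak_hash(pw) for user, pw in SAMPLE_USERS}

def strong_table() -> dict:
    return {user: strong_hash(pw) for user, pw in SAMPLE_USERS}
```

On the sample, `largest_duplicate_group(weak_table().values())` is 3 while the salted table gives 1, and `verify` only succeeds for the matching password.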
But Dilbert's pointy haired boss didn't spring purely from the mind of Scott Adams. Imagine discovering that your organisation's online service had an insecure password system. Would you be confident that a) you could bring it to the attention of management without being blamed for someone else's decisions, and b) the necessary resources would be made available to promptly rectify the issue?
Top 10 (worst) passwords
Turning to users, successive leaks show that many are using weak passwords.
In the case of the MySpace list, the most common password – excluding homelesspa, which was associated with hundreds of thousands of apparently automatically generated accounts – was password1. That's slightly better than password, which topped SplashData's most recent list of commonly used passwords, but only very slightly.
Other passwords near the top of the MySpace list with a familiar ring include abc123, qwerty1, 123456, 123456a and a123456. Many other passwords among the top 55 consist of a common word plus the digit 1 or 2, suggesting to the people behind LeakedSource that at some stage MySpace required new passwords to include letters and digits.
The top 10 passwords appear to have been used with almost three million accounts, or roughly one in 120 – low enough to have a reasonable expectation of success without too much effort.
Easily guessed passwords are one thing; the reuse of the same name (usually an email address) and password across multiple services is another.
As administrators try to impose stronger passwords by enforcing greater minimum lengths and other rules (such as at least 12 characters, including at least one upper-case letter, lower-case letter, digit and 'special' character), it becomes harder for people to memorise a different password for each of the dozens of services and sites they use regularly. So they generally don't try. Instead, they adopt strategies such as using one complex password across most accounts, with (hopefully) exceptions for their most important services such as internet banking.
Yes, there are technological workarounds such as password managers, but how many ordinary people among your acquaintances use them?
Two-factor authentication can help offset password reuse without adding excessive complexity for such users, for example by adding a challenge only when suspicions are aroused, perhaps by an access attempt from an unfamiliar device or location. But the market has moved away from dedicated tokens for various reasons, and there are examples of malware designed to steal 2FA codes sent to users' smartphones via SMS.
The future of authentication
It's sometimes said that if a wide variety of cures is needed for a medical condition – snoring is an example – then most of them won't work for most people. Otherwise everyone would use the cure that does work. User authentication seems to fit this pattern. Everyone seems to agree that the simple username/password combination isn't adequate, but none of the proffered replacements have really taken off.
Perhaps the solution lies in biometrics – and there’s plenty of work being done in this field. Google, for example, is reportedly aiming to bring password-free logins to Android by the end of this year with an API that uses a combination of biometric indicators.
Data61 is on a similar mission, with a researcher informing a recent conference that the organisation has been testing its "behavioural biometrics", which include the unique ways people touch their mobile devices.
Whether biometric authentication leads to new problems is yet to be seen, but in the meantime, all we can do as IT professionals and users is maintain best practices in data security and our use of passwords.