Even cyber intelligence companies are not immune from data breaches. Hacking Team, an Italy-based company that makes surveillance software for governments around the world, was the recent target of a data breach that stole 400 GB of source code, emails, and internal company documents. Included among the data in the breach was the Firefox password vault of employee Christian Pozzi, a Senior System and Security Engineer for the company. Media coverage of the breach quickly turned to how Mr. Pozzi used easily guessable, unsecure passwords including “Passw0rd” for not only his personal social media profiles on Facebook and Linkedin, but also banking websites, PayPal, and networking routers and other sensitive equipment.
Security professionals recommend using strong passwords with a combination of upper-case characters, lower-case characters, numbers, and symbols. One of the reasons why people don’t use these passwords is that they’re difficult to remember. Most apps don’t require them, either. Skyhigh analyzed 12,000 cloud services and found that only 6.5% require strong passwords. Another 13.6% require moderate passwords – defined as passwords with characters and numbers. An overwhelming 79.9% of cloud services allow weak passwords – passwords that are just lower case characters – and are most vulnerable to compromise.
People also re-use passwords across websites, diminishing the benefit of using a strong password. Research by Joseph Bonneau at the University of Cambridge shows that 31% of users reuse passwords in multiple places. When one of those reused passwords becomes compromised, the impact to the user is amplified. Consider this fact: the average person uses 28 distinct cloud services today. They also store a variety of sensitive data in the cloud. Analyzing corporate cloud usage of over 18 million users, Skyhigh found that 34% of users uploaded personally identifiable information (e.g. Social Security numbers, home addresses), health information (e.g. patient records), or payment card data to file sharing services.
To help remember all these complex, unique passwords, users are turning to password vaults like LastPass to store their website, cloud service, and device passwords. It’s not surprising that LastPass is a target for cyber criminals. In a recent breach, hackers stole LastPass master passwords, the ones customers use to login and view their password vault. The good news for LastPass users was that the company reported the compromised master passwords were stored encrypted, and criminals were not able to gain access to core passwords users store in the service. However, criminals don’t necessarily need to steal a password to compromise an account, they can also guess weak passwords using powerful computers that create password combinations using words and numbers.
It may even be easier than that for hackers (or even a child) to gain access to your account. Skyhigh analyzed 11 million passwords for cloud services that are for sale on the Darknet and found that, while there are many unique passwords, 10.3% of users employ the 20 most popular passwords. That means with fewer than 20 tries, anyone could login to roughly 1 out of 10 accounts today. While these passwords are easy to remember, users are defeating the very method that is meant to protect their information. The top password is “123456” and it’s so common that it compromises 4.1% of all passwords. Using this password is tantamount to leaving the key to your front door under your doormat in a dangerous neighborhood.
If complex, unique (read: hard to remember) passwords are needed for every account, and services like LastPass that help users remember these passwords are under attack, this begs the question – does the password still work in the modern era? Increasingly, it’s becoming clear that other authentication technologies are necessary to protect sensitive information. In the case of the LastPass breach, the company turned on multi-factor authentication to protect users whose passwords may have been compromised. Multi-factor authentication asks users to login with their username and password, but to complete the authentication they also need to enter a code texted to their phone. This additional step makes it much harder for a third party to access an account with a stolen password.
Just 15.4% of cloud services today support multi-factor authentication. And for the ones that do support it, such as Office 365, not all require it. Dropbox is reportedly considering offering users free storage as an incentive to encourage them to use multi-factor authentication and strong account passwords. Another possibility is for services to model normal behavior for a user, detect unusual access attempts, and disallow the login or require multi-factor authentication based on the suspicious activity. This same type of approach is used by banks to protect themselves from fraudulent transactions. If the bank detects unusual activity on your credit card, they may decline the transaction, requiring you to call the bank and provide additional information proving your identity before the transaction is approved.
What’s clear is that cyber criminals are determined to breach data and given the financial stakes they’re becoming increasingly organized and sophisticated. In the post-password era, all of the above approaches may be needed to create a multi-layered defense to protect sensitive information stored online.