When I heard about the recent LivingSocial breach, I thought, here we go again. I saw the breach mentioned on the national news, and the reporter listed all of the personal information that was at risk in the breach. Even though that information included names, birth dates and some financial-related data, the focus of that news report and articles that I have read was on passwords.
It seems like it always comes back to passwords these days, doesn’t it? The reporter on the news gave the same old list on smart password use, and indeed, Tom Cross, director of security research at Lancope, told me why enterprises should be concerned about the password breach:
It’s important to consider the possibility that some of your employees may have used the same password on LivingSocial that they use to access their work email and VPN accounts. IT security teams should be proactively hunting for weak passwords in their networks, and they should assess the capabilities that they have for identifying compromised accounts.
However, as I looked more closely at the breach, I noticed something a little different about these passwords. They were encrypted. In other well-publicized breaches where passwords were compromised, the complaint was that the company was lazy about passwords and they weren’t encrypted. They were stored in easy-to-access files. LivingSocial took the right security steps by encrypting customers’ passwords. Does this mean that encryption may not be as fool-proof as we thought it was? I returned to Cross to get an answer. He told me:
Even encrypted passwords can be valuable to a bad guy. Encrypted password hashes can be "cracked" with computer software that essentially tries millions of different possible passwords looking for a match. The bad guys will successfully crack the passwords of many LivingSocial users, and knowing the password, name, and email address for a person, they may be able to break into other accounts that those people maintain on other websites.
The most common password recommendation is to create a strong, hard-to-guess code (followed closely by not using the same password on multiple sites), but Cross said this recommendation is easier said than done, saying that even passwords as long as 12 characters can be cracked. He says pass phrases with unrelated words may be a better option.
Encrypting passwords is a right and necessary step, so don’t stop doing it. It is a security step the company provides for its customers. But add to it by insisting your customers use a strong password. The LivingSocial breach is a good reminder that security is a joint effort.