By now, you’ve heard about the Russian gang of hackers who allegedly gathered more than a billion user names and passwords and a lot of other information. How did you react to the news? I kind of shrugged my shoulders about it. It’s news, sure, but as someone who reads about breaches daily and gets regular updates about what’s happening in the state of cybersecurity, my reaction was this: What user names and passwords could they have that haven’t already been breached at some point?
I’m not the only one who said this. Shortly after I told some friends on Facebook that they shouldn’t panic, I got this comment in an email from John Prisco, CEO with Triumfant:
This issue reminds me of an iceberg, where 90 percent of it is actually underwater. That’s what is going on here with the news of 1.2 billion credentials exposed. So many cyber breaches today are not actually reported, oftentimes because companies are losing information and they are not even aware of it. Today, we have learned of a huge issue where it seems like a billion passwords were stolen overnight, but in reality the iceberg has been mostly submerged for years – crime rings have been stealing information for years, they’ve just been doing it undetected because there hasn’t been a concerted effort on the part of companies entrusted with this information to protect it.
Not surprisingly, the alarm has been sounded (yet again) about better password practices. By now, I’m sure you know the drill: Don’t use the same password on multiple sites, and especially don’t reuse the same user name and password combination; make passwords hard to guess; change passwords frequently. But this is advice to heed before a breach happens, not after.
I remember when the Heartbleed vulnerability was announced. There was a mad rush by users to change their passwords on the sites that were affected. Yet that rush to change was pointless unless the site had already fixed the vulnerability, because a new password sent to a still-vulnerable site could be exposed just like the old one. So I found this comment on changing passwords, which Christopher Martincavage, senior sales engineer with SilverSky, sent me in an email, interesting:
The biggest advantage the common user (1 in 1.2 billion) has against a large leak of usernames and passwords is time. Gaining and distributing/selling 1.2 billion records takes time, let alone actually attempting to use them. This allows a simple password rotation policy to reduce your exposure, at least for your commonly visited sites.
Yes, change your passwords. But you should be changing your passwords frequently anyway. And this news should be a nudge to encourage both individuals and companies to think about alternatives to passwords for authentication. But there is no need to panic.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba