Yet another security breach made quite a splash in the news this week. Sony's PlayStation Network, the console maker's online gaming service, remains offline following a breach of its servers. Personal information for all members, including billing addresses, credit card numbers and user passwords, was exposed (although the company stopped short of confirming that anything had actually been stolen). While an initial DDoS attack was carried out by hacktivist group Anonymous, the current outage remains largely unexplained, with the company attributing the network's woes to "external intrusions."
This morning on my commute to work, I caught a BBC Newshour segment on Sony's troubles. During presenter James Kumaraswami's interview with Tom Standage, Digital Editor at The Economist, I was struck (if not exactly surprised) by this exchange regarding what Standage thought should be the main concern of the 77 million PSN users potentially affected by the breach:
Kumaraswami: How worried should people be that their credit card details might now be in the hands of people that might want to use them?
Standage: ... What I think is potentially more worrying for a lot of people is that the passwords have gone, and many, many people use the same passwords on lots of different online systems. ... I think that's actually a bigger danger than the credit card theft. That sounds like a much more widespread problem.
While discussing how stolen passwords can be used in social engineering and identity theft in general, Standage also points to the lack of encryption for passwords as another embarrassing problem for Sony. To my mind, what should embarrass the account holders and put some of the heat back on them for the severity of this issue is that poor password creation and management habits could put their info at more risk than stolen credit card information.
The incident serves as another reminder to be mindful of password management practices, on both sides of the login form. A service should never store passwords in plaintext or under reversible encryption; it should keep only a salted, deliberately slow hash, so that a stolen user table does not hand the attacker working credentials. A user should never reuse a password across sites, because once a password leaks from one service it will be replayed against every other service where the same username and password pair is likely to work. The toughest, most complex software and hardware solutions won't be of any use if users display bad password habits and employ them everywhere they go online.
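As an added illustration (example code written for this post, not anything taken from Sony or the PSN), the toy model below puts the two failure modes side by side: a site that keeps plaintext passwords is breached, and the stolen username/password pairs are replayed against a second site that stores only salted PBKDF2 hashes. The usernames, passwords and site names are constructed, and the iteration count is a hypothetical setting chosen to keep the demo fast, not a recommended production value.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Hypothetical value chosen so the demo runs
# quickly; real deployments should tune this much higher or use a memory-hard
# KDF (scrypt, Argon2). The point is that it is slow and per-user salted.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a storable record: a fresh random salt plus the derived key."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class Site:
    """A toy account store. hashed=False models a service keeping plaintext passwords."""

    def __init__(self, name: str, hashed: bool):
        self.name = name
        self.hashed = hashed
        self.users = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password) if self.hashed else password

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            return False
        if self.hashed:
            return verify_password(password, stored)
        return hmac.compare_digest(stored.encode(), password.encode())

    def dump(self) -> dict:
        """What an attacker walks away with when the user table is exfiltrated."""
        return dict(self.users)


def credential_stuffing(leaked_plaintext: dict, target: Site) -> list:
    """Replay username/password pairs leaked from one site against another.
    Returns the usernames whose reused password also opened the target account."""
    return [user for user, pw in leaked_plaintext.items() if target.login(user, pw)]


def demo() -> dict:
    # Constructed sample accounts (not real data). alice and carol reuse their
    # password on both sites; bob uses a different password for each.
    breached = Site("gaming-network", hashed=False)
    bank = Site("online-bank", hashed=True)
    for user, pw_breached, pw_bank in [
        ("alice", "Summer2011!", "Summer2011!"),
        ("bob", "ps3-rocks", "k7#Qz!pL2"),
        ("carol", "qwerty123", "qwerty123"),
    ]:
        breached.register(user, pw_breached)
        bank.register(user, pw_bank)

    # Scenario 1: the plaintext store is stolen. Every reused password now opens
    # the corresponding account on the unrelated second site.
    compromised = credential_stuffing(breached.dump(), bank)

    # Scenario 2: the hashed store is stolen. Replaying the stored hash as if it
    # were the password fails, so the dump alone logs nobody in.
    hash_replay_works = any(bank.login(u, rec["hash"]) for u, rec in bank.dump().items())

    # Per-user salts: the same password hashed twice yields two different records,
    # so an attacker cannot even spot shared passwords by comparing rows.
    distinct = hash_password("Summer2011!") != hash_password("Summer2011!")

    return {
        "compromised": compromised,
        "hash_replay_works": hash_replay_works,
        "distinct_records_for_same_password": distinct,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that alice and carol, the two users who reused their password, are compromised on the second site even though that site stored its passwords properly; bob, who used a unique password, is untouched. The hashed dump by itself yields no logins, which is exactly the gap between "passwords were stolen" and "passwords were stolen in plaintext".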
These resources from IT Downloads can help you implement stronger, more secure password habits in your organization: