It has been a rough few months for high profile social media accounts – Mark Zuckerberg has been hacked, as has Google CEO Sundar Pichai and Twitter CEO Jack Dorsey. All through the magic of password hacking – and the fact that even tech CEOs don’t follow the advice we’ve all been given about varying our passwords.
It seems in all three of the high profile cases, the computer criminal in question either re-used passwords that had been stolen as part of an early hack of LinkedIn or used software designed to help generate a new password using an old one.
And getting a look at an old password is not hard – for $2 one can see a database of millions via LeakedSource. And this puts those social media operators and other web-based password requirers between something of a rock and a hard place: they can force their users to change passwords every so often – but users hate that and will leave in many cases. Or they cannot – and risk user accounts being hacked – something that also makes users flee.
“If they change passwords for their users, no matter how well they explain it, the perception may be completely off,” said Alex Holden, the founder and chief information security officer of Hold Security LLC, which helps companies spot stolen credentials on hacking sites. “If even 0.1% of these users panic and they have to call customer service in one day, it creates a nightmare.”
Carbonite is a firm that chose to reset on customers’ behalf.
“When you have a Carbonite account—or any backup service—and you have the username or password to that account, you have access to everything,” noted Norman Guadagno, Carbonite’s senior vice president of marketing.
Twitter, Facebook, Yahoo Inc. on the other hand urged users to reset their passwords, but did not undertake doing it themselves.
“There is a huge amount of frantic activity happening in consumer businesses to keep our users safe,” Alex Stamos, Facebook’s chief security officer, told a White House cybersecurity commission at a hearing in Berkeley, Calif., in June.
Activity likely to get more frantic – since according to Wall Street Journal reports, the problem seems to be on the rise.
So the best way to prevent your password becoming an online skeleton key for anyone who comes across it? Reset passwords often, don’t repeat them and definitely don’t use corporate passwords online.
“It could be that some third party has a breach and I’m essentially hostage to whether my employees reused passwords,” noted Cormac Herley, a researcher with Microsoft.